CVE-2023-38380

A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions), SIMATIC CP 1243-7 LTE (All versions), SIMATIC CP 1243-8 IRC (All versions), SIMATIC CP 1543-1 (All versions), SINAMICS S210 (6SL5...) (All versions >= V6.1 < V6.1 HF2), SIPLUS NET CP 1543-1 (All versions). The webserver implementation of the affected products does not correctly release allocated memory after it has been used. An attacker with network access could use this vulnerability to cause a denial-of-service condition in the webserver of the affected product.

CVSS v3.0 7.5 HIGH

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-693975.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:siemens:6gk7243-8rx30-0xe0_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:6gk7243-8rx30-0xe0:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:siemens:6gk7543-1ax00-0xe0_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:6gk7543-1ax00-0xe0:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:siemens:6ag1543-1ax00-2xe0_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:6ag1543-1ax00-2xe0:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:siemens:simatic_cp_1242-7_v2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_cp_1242-7_v2:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:siemens:simatic_cp_1243-1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_cp_1243-1:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:siemens:simatic_cp_1243-1_dnp3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_cp_1243-1_dnp3:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:siemens:simatic_cp_1243-1_iec_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_cp_1243-1_iec:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:siemens:simatic_cp_1243-7_lte_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_cp_1243-7_lte:*:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

OR	cpe:2.3:o:siemens:sinamics_s210_firmware:5.1:sp1_hotfix8::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.1:-::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.1:sp1::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:sp3_hotfix5::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:sp3_hotfix3::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:hotfix6::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:sp3_hotfix9::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:sp3::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:sp3_hotfix6::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:-::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:hotfix5::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:hotfix2::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:5.2:hotfix7::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:6.1:-::::::
	cpe:2.3:o:siemens:sinamics_s210_firmware:6.1:hotfix1::::::

cpe:2.3:h:siemens:sinamics_s210:-:*:*:*:*:*:*:*

Information

Published : 2023-12-12 12:15

Updated : 2023-12-18 15:08

NVD link : CVE-2023-38380

Mitre link : CVE-2023-38380

JSON object : View

Products Affected

siemens

simatic_cp_1242-7_v2
simatic_cp_1243-1_iec_firmware
6gk7243-8rx30-0xe0_firmware
simatic_cp_1243-7_lte_firmware
simatic_cp_1242-7_v2_firmware
sinamics_s210
simatic_cp_1243-1_iec
simatic_cp_1243-1_dnp3_firmware
simatic_cp_1243-1_firmware
6gk7543-1ax00-0xe0_firmware
sinamics_s210_firmware
6gk7243-8rx30-0xe0
simatic_cp_1243-1_dnp3
simatic_cp_1243-1
6ag1543-1ax00-2xe0
6gk7543-1ax00-0xe0
6ag1543-1ax00-2xe0_firmware
simatic_cp_1243-7_lte

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

7.5 /10