8.7

CVE-2023-38380

A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions < V3.4.29), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions < V3.4.29), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions < V3.4.29), SIMATIC CP 1243-7 LTE (All versions < V3.4.29), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (All versions < V3.4.29), SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0) (All versions < V2.3), SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0) (All versions < V2.3), SIMATIC CP 1543-1 (6GK7543-1AX00-0XE0) (All versions < V3.0.37), SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0) (All versions < V2.3), SINAMICS S210 (6SL5...) (All versions >= V6.1 < V6.1 HF2), SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (6AG2542-6VX00-4XE0) (All versions < V2.3), SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0) (All versions < V2.3), SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0) (All versions < V2.3), SIPLUS NET CP 1543-1 (6AG1543-1AX00-2XE0) (All versions < V3.0.37). The webserver implementation of the affected products does not correctly release allocated memory after it has been used.

An attacker with network access could use this vulnerability to cause a denial-of-service condition in the webserver of the affected product.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SiemensSinamics S210 Firmware Version5.1 Update-
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.1 Updatesp1
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.1 Updatesp1_hotfix8
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Update-
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Updatehotfix2
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Updatehotfix5
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Updatehotfix6
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Updatehotfix7
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Updatesp3
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Updatesp3_hotfix3
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Updatesp3_hotfix5
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Updatesp3_hotfix6
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version5.2 Updatesp3_hotfix9
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version6.1 Update-
   SiemensSinamics S210 Version-
SiemensSinamics S210 Firmware Version6.1 Updatehotfix1
   SiemensSinamics S210 Version-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.96% 0.568
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
productcert@siemens.com 8.7 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
productcert@siemens.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

https://cert-portal.siemens.com/productcert/html/ssa-139628.html
https://cert-portal.siemens.com/productcert/html/ssa-625862.html
https://cert-portal.siemens.com/productcert/html/ssa-693975.html
https://cert-portal.siemens.com/productcert/pdf/ssa-693975.pdf
Vendor Advisory