CVE-2023-52891

EUVD-2023-59603

09.07.2024, 12:15

A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.5), SIMATIC Energy Manager PRO (All versions < V7.5), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMIT V10 (All versions), SIMIT V11 (All versions < V11.1). Unified Automation .NET based OPC UA Server SDK before 3.2.2 used in Siemens products are affected by a similar vulnerability as documented in CVE-2023-27321 for the OPC Foundation UA .NET Standard implementation. A successful attack may lead to high load situation and memory exhaustion, and may block the server.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
siemens	simatic_energy_manager_basic	𝑥 < V7.5	ADP
siemens	simatic_energy_manager_pro	𝑥 < V7.5	ADP
siemens	simatic_ipc_diagbase	𝑥 ≤ *	ADP
siemens	simatic_ipc_diagmonitor	𝑥 ≤ *	ADP
siemens	simit_v10	𝑥 ≤ *	ADP
siemens	simit_v11	𝑥 < V11.1	ADP

Common Weakness Enumeration

CWE-1325 - Improperly Controlled Sequential Memory Allocation
The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.

References

https://cert-portal.siemens.com/productcert/html/ssa-088132.html