PatchSiren cyber security CVE debrief

CVE-2023-38039 Siemens CVE debrief

CVE-2023-38039 is a HIGH severity (CVSS 7.5) uncontrolled resource consumption vulnerability in curl's HTTP header handling. curl imposed no limit on the number or total size of HTTP response headers it would accept and store for the libcurl headers API, so a malicious server can stream an endless series of headers until curl exhausts heap memory, resulting in denial of service. This vulnerability affects Siemens SIMATIC RTLS Locating Manager across multiple product variants. The issue was published on 2024-05-14 and last modified on 2024-06-11. Siemens has released a vendor fix in version V3.0.1.1 or later, available through Siemens Online Software Delivery (OSD).

Vendor: Siemens
Product: SIMATIC RTLS Locating Manager (6GT2780-0DA00)
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-13
Original CVE updated: 2024-03-12
Advisory published: 2024-02-13
Advisory updated: 2024-03-12

Who should care

Organizations operating Siemens SIMATIC RTLS Locating Manager systems in industrial control or operational technology environments should prioritize this vulnerability. System administrators responsible for Windows Server deployments hosting RTLS Locating Manager components, network security teams managing firewall rules for ICS/OT networks, and security operations centers monitoring for anomalous HTTP traffic patterns should address this issue. Organizations with RTLS deployments in critical infrastructure sectors including manufacturing, logistics, and asset tracking should apply the vendor fix promptly.

Technical summary

The vulnerability stems from the absence of any bound on HTTP response header accumulation in curl. When curl retrieves an HTTP response, it stores each incoming header for later access via the libcurl headers API. With no limit on header count or total size, a malicious server can transmit an unbounded stream of headers, and the stored copies grow on the heap until system memory is exhausted. The result is denial of service through memory exhaustion. The attack requires only that the affected client connect to a malicious or compromised HTTP server; the server needs no authentication from the client. The upstream fix caps the amount of header data curl will accept and store, so an oversized header stream is rejected rather than accumulated.
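To make the memory-growth mechanism concrete, the following is an added example, not curl's code and not part of this advisory: a small model of a headers-API store into which a constructed, endless stream of filler headers is pushed, once with no limit (the unfixed behaviour) and once with a size cap. MAX_HEADER_BYTES, hdr_push, hdr_free and feed_stream are this example's own names, and the cap value is assumed for the demo, not curl's actual limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HEADER_BYTES 4096   /* assumed cap for this demo; curl's fix chose its own limit */
struct hdr_entry { char *line; struct hdr_entry *next; };
struct hdr_store { struct hdr_entry *head; size_t total_bytes; };

/* Store one header line. cap == 0 models the unfixed behaviour (no limit);
 * otherwise the push is refused (-1) once the running total would exceed cap. */
int hdr_push(struct hdr_store *s, const char *line, size_t len, size_t cap) {
    size_t cost = len + 1 + sizeof(struct hdr_entry);   /* heap bytes this header costs */
    if (cap && s->total_bytes + cost > cap)
        return -1;                                       /* refuse: memory stays bounded */
    struct hdr_entry *e = malloc(sizeof *e);
    if (!e) return -1;
    e->line = malloc(len + 1);
    if (!e->line) { free(e); return -1; }
    memcpy(e->line, line, len);
    e->line[len] = '\0';
    e->next = s->head;
    s->head = e;
    s->total_bytes += cost;
    return 0;
}

void hdr_free(struct hdr_store *s) {
    for (struct hdr_entry *e = s->head, *n; e; e = n) { n = e->next; free(e->line); free(e); }
    s->head = NULL;
}

/* Feed a constructed stream of filler headers (max_lines only makes the demo end).
 * Returns how many were accepted before the store refused one, or -1 if it never
 * refused, i.e. heap growth was unbounded. */
long feed_stream(size_t cap, long max_lines) {
    struct hdr_store s = { NULL, 0 };
    char buf[64];
    for (long i = 0; i < max_lines; i++) {
        int n = snprintf(buf, sizeof buf, "X-Filler-%ld: padding", i);
        if (hdr_push(&s, buf, (size_t)n, cap) != 0) { hdr_free(&s); return i; }
    }
    hdr_free(&s);
    return -1;
}

int main(void) {
    printf("capped:   accepted %ld headers, then refused\n", feed_stream(MAX_HEADER_BYTES, 200000));
    printf("uncapped: %ld (never refused within the demo)\n", feed_stream(0, 200000));
    return 0;
}
```

The capped run stops after roughly a hundred headers regardless of how many the server sends; the uncapped run accepts every line it is given, which is exactly the growth the advisory describes.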

Defensive priority

HIGH

Recommended defensive actions

  • Update Siemens SIMATIC RTLS Locating Manager to version V3.0.1.1 or later through Siemens Online Software Delivery (OSD)
  • Install required RTLS Locating Manager components on a single host computer where possible and restrict system access to trusted persons only
  • Secure the Windows Server hosting RTLS Locating Manager with a firewall and block all ports from untrusted networks
  • Apply security hardening to the Windows Server per corporate security policies or current hardening guidelines
  • Monitor for anomalous HTTP traffic patterns indicating excessive header transmission attempts
  • Review and restrict outbound HTTP connections from affected systems to trusted destinations only

Evidence notes

Vulnerability description and affected products confirmed via CISA CSAF advisory ICSA-24-137-07. Vendor fix and mitigation details sourced from Siemens security advisory SSA-093430 as referenced in the CSAF document. CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C indicates a network attack vector with low complexity, no privileges or user interaction required, and high availability impact with no confidentiality or integrity impact; the temporal metrics (E:P/RL:O/RC:C) record proof-of-concept exploit maturity, an official fix, and confirmed report confidence.
