PatchSiren cyber security CVE debrief
CVE-2023-39615 Siemens CVE debrief
CVE-2023-39615 is a medium-severity out-of-bounds read vulnerability in Xmlsoft Libxml2 v2.11.0, specifically within the xmlSAX2StartElement() function in /libxml2/SAX2.c. The vulnerability was published on August 13, 2024, with a CVSS 3.1 score of 6.5 (MEDIUM). The issue allows attackers to cause a Denial of Service (DoS) condition by supplying a crafted XML file. Notably, the upstream vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks, and crashes can occur even without crafted input. Siemens SINEC NMS has been identified as an affected product through CISA's CSAF advisory ICSA-24-228-06. A vendor fix is available: users should update to SINEC NMS V3.0 or later. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no known ransomware campaign use has been documented.
- Vendor: Siemens
- Product: SINEC NMS
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-11
- Original CVE updated: 2024-06-11
- Advisory published: 2024-06-11
- Advisory updated: 2024-06-11
Who should care
Organizations operating Siemens SINEC NMS for industrial network management; security teams maintaining XML parsing libraries in OT/ICS environments; asset owners following CISA ICS security guidance
Technical summary
The vulnerability exists in the xmlSAX2StartElement() function within Libxml2's SAX2.c implementation. An out-of-bounds read can be triggered when processing malformed or crafted XML input, resulting in an application crash and denial of service. The upstream vendor (Xmlsoft) maintains that the legacy SAX1 interface with custom callbacks is not a supported configuration, and that crashes may occur under normal conditions. Siemens has confirmed that SINEC NMS incorporates the affected library version and has released version 3.0 to address the issue. The vulnerability is network-exploitable with low attack complexity, requiring user interaction but no privileges.
Defensive priority
medium
Recommended defensive actions
- Update Siemens SINEC NMS to V3.0 or a later version to remediate this vulnerability
- Review XML parsing implementations for use of legacy SAX1 interfaces with custom callbacks
- Apply defense-in-depth practices for industrial control systems per CISA guidance
- Monitor the Siemens CERT portal for vendor security advisories covering additional affected products
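For the review of XML parsing code recommended above, a source scan can shortlist files that appear to use the legacy SAX1 interface with custom callbacks. This is an added example, not code from this page, Siemens or the libxml2 project; the identifiers are real libxml2 names, but treating them as review triggers is a heuristic assumed here, and the sample source is constructed.

```python
import re

# Heuristic indicators of SAX1 use in C/C++ code built against libxml2.
# The identifiers are real libxml2 names; using them as review triggers
# is this example's assumption, not guidance taken from the advisory.
SAX1_PATTERNS = {
    "XML_PARSE_SAX1 parser option": re.compile(r"\bXML_PARSE_SAX1\b"),
    "xmlSAXVersion(handler, 1)": re.compile(r"\bxmlSAXVersion\s*\([^,()]+,\s*1\s*\)"),
    "SAX1 startElement/endElement callback set": re.compile(
        r"(?:\.|->)\s*(?:startElement|endElement)\s*=(?!=)"),
    "direct xmlSAX2StartElement reference": re.compile(r"\bxmlSAX2StartElement\b"),
    "legacy xmlSAXUserParse* entry point": re.compile(
        r"\bxmlSAXUserParse(?:File|Memory)\s*\("),
}

def strip_comments(src):
    """Blank out C comments but keep newlines so line numbers stay valid."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r"/\*.*?\*/|//[^\n]*", blank, src, flags=re.S)

def find_sax1_usage(src):
    """Return (line_number, indicator) pairs in line order for one file."""
    hits = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for label, pat in SAX1_PATTERNS.items():
            if pat.search(line):
                hits.append((lineno, label))
    return hits

# Constructed sample input, not taken from SINEC NMS or libxml2.
SAMPLE = """\
#include <libxml/parser.h>
/* old note: handler.startElement = legacy_cb; */
static xmlSAXHandler h;
void setup(void) {
    xmlSAXVersion(&h, 1);
    h.startElement = on_start;      /* custom SAX1 callback */
    h.startElementNs = on_start_ns; /* SAX2 callback, not flagged */
}
int load(const char *p) { return xmlSAXUserParseFile(&h, NULL, p); }
"""

if __name__ == "__main__":
    for lineno, label in find_sax1_usage(SAMPLE):
        print(f"line {lineno}: {label}")
```

A hit only marks a file for manual review; whether the flagged code path handles untrusted XML still has to be checked by a person.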
Evidence notes
Vulnerability affects xmlSAX2StartElement() in Libxml2 v2.11.0; vendor notes legacy SAX1 interface is unsupported. Siemens SINEC NMS confirmed affected via CISA CSAF advisory ICSA-24-228-06. Remediation requires update to V3.0 or later.
Official resources
- CVE-2023-39615 CVE record (CVE.org)
- CVE-2023-39615 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-08-13