PatchSiren cyber security CVE debrief
CVE-2023-52389 Siemens CVE debrief
A critical integer overflow vulnerability in POCO C++ Libraries' UTF32Encoding component affects Siemens SINEC INS. The flaw in UTF32Encoding.cpp allows Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() to return negative integers when processing UTF-32 byte sequences evaluating to 0x80000000 or higher, leading to stack buffer overflow. This vulnerability was published on November 12, 2024, with a CVSS 3.1 score of 9.8 (Critical). The issue is resolved in POCO versions 1.11.8p2, 1.12.5p2, and 1.13.0. Siemens has released SINEC INS V1.0 SP2 Update 3 to address this vulnerability in their product.
- Vendor: Siemens
- Product: SINEC INS
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-12
- Original CVE updated: 2024-11-12
- Advisory published: 2024-11-12
- Advisory updated: 2024-11-12
Who should care
Organizations operating Siemens SINEC INS industrial network management systems, OT security teams managing industrial control system infrastructure, developers using POCO C++ Libraries for UTF-32 encoding operations, and security teams responsible for library dependency management in critical infrastructure environments.
Technical summary
The vulnerability exists in the UTF32Encoding.cpp implementation of the POCO C++ Libraries, where Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return negative integers when processing UTF-32 byte sequences that evaluate to 0x80000000 or higher. This integer overflow leads to a subsequent stack buffer overflow. The flaw affects Siemens SINEC INS, which incorporates vulnerable POCO library versions. The attack vector is network-based with low attack complexity and requires no privileges or user interaction. Successful exploitation can result in complete compromise of confidentiality, integrity, and availability. Remediation requires updating to SINEC INS V1.0 SP2 Update 3 or later, which incorporates fixed POCO versions.
Defensive priority
critical
Recommended defensive actions
- Apply Siemens SINEC INS V1.0 SP2 Update 3 or later to remediate the vulnerable POCO library dependency
- Verify POCO library versions in use and upgrade to 1.11.8p2, 1.12.5p2, or 1.13.0 where vendor updates are not yet available
- Implement input validation for UTF-32 encoded data in applications processing external or untrusted content
- Monitor for anomalous process crashes or memory corruption indicators in systems handling UTF-32 encoded data
- Review network segmentation for industrial control systems per CISA ICS recommended practices
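The input-validation action above, as an added example that is not code from POCO, Siemens, or the advisory: a pre-check that rejects UTF-32 input containing anything other than Unicode scalar values before it reaches a converter, plus a helper showing why a unit of 0x80000000 is negative when read as a signed 32-bit integer. All function, type, and sample names are hypothetical, and the byte arrays are constructed samples.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical helper names; this is not POCO code.
enum class Utf32Check { Ok, TruncatedUnit, Surrogate, OutOfRange };

// Assemble one 32-bit unit as UNSIGNED so values >= 0x80000000 never turn
// negative (the negative-return condition the summary above describes).
static std::uint32_t read_unit(const unsigned char* p, bool big_endian) {
    return big_endian
        ? (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) |
          (std::uint32_t(p[2]) << 8)  |  std::uint32_t(p[3])
        : (std::uint32_t(p[3]) << 24) | (std::uint32_t(p[2]) << 16) |
          (std::uint32_t(p[1]) << 8)  |  std::uint32_t(p[0]);
}

// Accept only a whole number of units that are Unicode scalar values.
// On failure *bad_offset (if non-null) receives the offending byte offset.
Utf32Check validate_utf32(const unsigned char* data, std::size_t len,
                          bool big_endian, std::size_t* bad_offset = nullptr) {
    std::size_t i = 0;
    for (; i + 4 <= len; i += 4) {
        std::uint32_t cp = read_unit(data + i, big_endian);
        Utf32Check r = Utf32Check::Ok;
        if (cp > 0x10FFFFu) r = Utf32Check::OutOfRange;  // covers >= 0x80000000
        else if (cp >= 0xD800u && cp <= 0xDFFFu) r = Utf32Check::Surrogate;
        if (r != Utf32Check::Ok) { if (bad_offset) *bad_offset = i; return r; }
    }
    if (i != len) { if (bad_offset) *bad_offset = i; return Utf32Check::TruncatedUnit; }
    return Utf32Check::Ok;
}

// The same unit seen through a signed 32-bit type.
std::int32_t as_signed(std::uint32_t unit) { return static_cast<std::int32_t>(unit); }

// Constructed samples (big-endian): "A", then "A" followed by 0x80000000.
static const unsigned char kGood[] = {0x00, 0x00, 0x00, 0x41};
static const unsigned char kBad[]  = {0x00, 0x00, 0x00, 0x41, 0x80, 0x00, 0x00, 0x00};

int main() {
    std::size_t off = 0;
    std::printf("good: %d\n", int(validate_utf32(kGood, sizeof kGood, true)));
    std::printf("bad:  %d at byte offset %zu\n",
                int(validate_utf32(kBad, sizeof kBad, true, &off)), off);
    std::printf("0x80000000 as int32: %d\n", int(as_signed(0x80000000u)));
    return 0;
}
```

A check like this is a stopgap for code paths that cannot be upgraded yet; it does not replace moving to the fixed POCO or SINEC INS versions listed above.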
Evidence notes
Vulnerability stems from POCO C++ Libraries UTF32Encoding.cpp integer overflow when handling UTF-32 byte sequences ≥0x80000000. Siemens SINEC INS incorporates affected POCO library versions. CISA ICS advisory ICSA-24-319-08 confirms affected product and remediation availability.
Official resources
- CVE-2023-52389 CVE record (CVE.org)
- CVE-2023-52389 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-11-12