PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-68160 Siemens CVE debrief

CVE-2025-68160 is a heap-based out-of-bounds write vulnerability in OpenSSL's line-buffering BIO filter (BIO_f_linebuffer). The flaw occurs when large, newline-free data is written into a BIO chain where the next BIO performs short writes, potentially causing memory corruption and denial of service through application crashes. The vulnerability was published on 2024-04-09 and last modified on 2026-05-14. Siemens has identified this as affecting the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP industrial control systems. The line-buffering BIO filter is not used by default in TLS/SSL data paths and is typically only pushed onto stdout/stderr on VMS systems in OpenSSL command-line applications. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected; however, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For this reason the issue was assessed as Low severity by OpenSSL, though CISA's advisory assigns a CVSS 3.1 score of 4.7 (MEDIUM). OpenSSL FIPS modules in versions 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected as the BIO implementation is outside the FIPS module boundary. OpenSSL versions 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable. No patch is currently available from Siemens for the affected product.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

  • Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled
  • Developers maintaining applications that explicitly use OpenSSL's BIO_f_linebuffer filter
  • Industrial control system operators relying on OpenSSL in non-FIPS configurations
  • Security teams responsible for OpenSSL deployments in versions 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, or 1.0.2

Technical summary

The vulnerability exists in OpenSSL's line-buffering BIO filter, BIO_f_linebuffer. When the filter is explicitly pushed onto a BIO chain and the next BIO in the chain performs short writes (accepting less data than it was handed), writing a large amount of newline-free data can trigger a heap-based out-of-bounds write: the filter's internal line buffer does not correctly handle the case where the data it is holding exceeds its expected bounds because the downstream BIO did not consume everything it was given. The memory corruption typically manifests as an application crash (denial of service). The attack surface is limited: the filter is not used by default in TLS/SSL data paths, and in the OpenSSL command-line tools it is only pushed onto stdout/stderr on VMS systems. Exploitation requires an application that explicitly configures a BIO_f_linebuffer chain with short-write behaviour and passes attacker-influenced data through it.

Defensive priority

medium

Recommended defensive actions

  • Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only
  • Only build and run applications from trusted sources
  • Monitor for updates from Siemens regarding patch availability for the SIMATIC S7-1500 TM MFP GNU/Linux subsystem
  • Review applications using OpenSSL BIO_f_linebuffer filter to ensure they do not process attacker-influenced large newline-free data with short-write BIO chains
  • Apply OpenSSL updates when available for affected versions (3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, 1.0.2) in non-FIPS deployments

Evidence notes

CVE description and impact assessment derived from CISA CSAF advisory ICSA-24-102-01, which references OpenSSL's vulnerability disclosure. Siemens product impact confirmed through the CSAF product tree. The CVSS vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector with high attack complexity, requiring low privileges but no user interaction, with no confidentiality or integrity impact and high availability impact.

Official resources

2024-04-09