PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-69419 Siemens CVE debrief

CVE-2025-69419 is an out-of-bounds write vulnerability (CVSS 7.4, High, per the stored vector; see the evidence notes) in OpenSSL's PKCS#12 handling, reachable through the `PKCS12_get_friendlyname()` function. The flaw is in the BMPString (UTF-16BE) to UTF-8 conversion performed by `OPENSSL_uni2utf8()` when a maliciously crafted PKCS#12 file is processed. `OPENSSL_uni2utf8()` converts in two passes, and its `bmp_to_utf8()` helper passes the number of UTF-16 source bytes still unread to `UTF8_putc()` as the destination buffer capacity. For a BMP code point above U+07FF, which needs three UTF-8 bytes, this can leave `UTF8_putc()` with a reported capacity of only two bytes (the case when that character is the final code unit of the string). `UTF8_putc()` then returns -1, and that negative value is added to the running output length without validation. The resulting negative length places the terminating NUL byte one byte before the start of the allocated heap buffer: a one-byte out-of-bounds write of a zero byte.

The vulnerability is reachable via the public `PKCS12_get_friendlyname()` API when parsing attacker-controlled PKCS#12 files. `PKCS12_parse()` uses a different code path and avoids this issue, but `PKCS12_get_friendlyname()` directly invokes the vulnerable conversion. The OpenSSL project assessed the issue as Low severity because of its limited impact (a single zero-byte write); downstream scoring, including the 7.4 recorded here, may differ.

OpenSSL versions 3.6, 3.5, 3.4, 3.3, 3.0, and 1.1.1 are affected; OpenSSL 1.0.2 and the FIPS modules (3.6, 3.5, 3.4, 3.3, 3.0) are not. Siemens has identified that this vulnerability affects the SIMATIC S7-1500 TM MFP GNU/Linux subsystem. As of the source advisory, no fix is available. Mitigations are to limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only and to build and run only applications from trusted sources.

Vendor
Siemens
Product
SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

  • Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled
  • Industrial control system operators using OpenSSL-dependent applications that process PKCS#12 files from untrusted sources
  • Security teams responsible for OT/ICS patch management and defense-in-depth strategies

Technical summary

The vulnerability lies in OpenSSL's `OPENSSL_uni2utf8()` function during BMPString to UTF-8 conversion. The root cause is an incorrect capacity calculation in the `bmp_to_utf8()` helper, which uses the count of remaining UTF-16 source bytes as the destination buffer capacity passed to `UTF8_putc()`. For BMP characters above U+07FF, which need a 3-byte UTF-8 encoding, this miscalculation can cause `UTF8_putc()` to return -1 instead of writing. That negative return value is added to the running output length without a check, so the length can become negative, and the terminating NUL byte is then stored at that negative offset, one byte before the heap allocation. The attack vector requires an attacker to supply a malicious PKCS#12 file whose friendly name is a crafted BMPString to an application that calls `PKCS12_get_friendlyname()`. `PKCS12_parse()` is not affected because it uses a different code path. The impact is limited to a single zero-byte out-of-bounds write; that is still heap memory corruption and can lead to a crash (denial of service).
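The conversion flaw described in the debrief above and in this technical summary, modelled as an added example (this is not OpenSSL's code and not taken from the advisory): a reconstruction of the two-pass BMPString to UTF-8 conversion in the shape the advisory describes, with the source-byte-count capacity mistake switchable so the vulnerable and corrected arithmetic can be compared on the same input. All function names (`utf8_putc_model`, `bmp_decode`, `uni2utf8_model`, `nul_offset`, `converts_to`) and the sample inputs are constructed for this example; the cap of 4 on the buggy capacity value and the corrected path's use of the real destination room are assumptions of the model, not statements from the advisory about OpenSSL's code or its fix.

```c
#include <stdlib.h>
#include <string.h>

/* Model of UTF8_putc(): encode one code point into str given len bytes of room;
 * with str == NULL only report the bytes needed (the sizing pass). Returns bytes
 * written/needed, or -1 if len is too small. Reconstructed from the behaviour
 * the advisory describes, not copied from OpenSSL. */
static int utf8_putc_model(unsigned char *str, int len, unsigned long v)
{
    int need, k;
    if (v < 0x80)          need = 1;
    else if (v < 0x800)    need = 2;
    else if (v < 0x10000)  need = 3;
    else if (v < 0x110000) need = 4;
    else return -1;
    if (str == NULL) return need;
    if (len < need) return -1;
    if (need == 1) { str[0] = (unsigned char)v; return 1; }
    /* leading byte: `need` marker bits, then the top payload bits;
     * each continuation byte carries the next 6 bits */
    str[0] = (unsigned char)((0xF0 << (4 - need)) | (v >> (6 * (need - 1))));
    for (k = 1; k < need; k++)
        str[k] = (unsigned char)(0x80 | ((v >> (6 * (need - 1 - k))) & 0x3F));
    return need;
}

/* Decode one UTF-16BE code point (surrogate pairs included) from the first len
 * bytes of utf16; *consumed becomes 2 or 4. Returns -1 if truncated/malformed. */
static long bmp_decode(const unsigned char *utf16, int len, int *consumed)
{
    unsigned long c, lo;
    if (len < 2) return -1;
    c = ((unsigned long)utf16[0] << 8) | utf16[1];
    *consumed = 2;
    if (c >= 0xD800 && c < 0xDC00) {                  /* high surrogate */
        if (len < 4) return -1;
        lo = ((unsigned long)utf16[2] << 8) | utf16[3];
        if (lo < 0xDC00 || lo >= 0xE000) return -1;
        c = 0x10000 + ((c - 0xD800) << 10) + (lo - 0xDC00);
        *consumed = 4;
    } else if (c >= 0xDC00 && c < 0xE000) return -1;   /* stray low surrogate */
    return (long)c;
}

/* Two-pass BMPString -> UTF-8 in the shape the advisory describes.
 * buggy != 0: pass 2 hands utf8_putc_model() the number of *source* bytes still
 * unread (capped at 4, an assumption of this model) as destination capacity and
 * never checks the return value (the flaw). buggy == 0: it passes the
 * destination room actually left and checks. Returns a NUL-terminated string
 * (caller frees) and sets *nul_at to the terminator's offset. If the buggy
 * arithmetic drives that offset negative, it is recorded in *nul_at and NULL is
 * returned instead of writing out[-1], so the defect is observable safely. */
static char *uni2utf8_model(const unsigned char *uni, int unilen,
                            int buggy, int *nul_at)
{
    int total = 0, asclen = 0, i, consumed, cap, j;
    unsigned char *out;
    long cp;
    *nul_at = 0;
    if (unilen < 0 || (unilen & 1)) return NULL;
    for (i = 0; i < unilen; i += consumed) {          /* pass 1: size only */
        if ((cp = bmp_decode(uni + i, unilen - i, &consumed)) < 0) return NULL;
        total += utf8_putc_model(NULL, 0, (unsigned long)cp);
    }
    if ((out = malloc((size_t)total + 1)) == NULL) return NULL;
    for (i = 0; i < unilen; i += consumed) {          /* pass 2: encode */
        cp = bmp_decode(uni + i, unilen - i, &consumed);
        cap = buggy ? (unilen - i > 4 ? 4 : unilen - i) /* source bytes left */
                    : total - asclen;                   /* destination room */
        j = utf8_putc_model(out + asclen, cap, (unsigned long)cp);
        if (!buggy && j < 0) { free(out); return NULL; }
        asclen += j;                 /* buggy path: j may be -1, unchecked */
    }
    *nul_at = asclen;
    if (asclen < 0) { free(out); return NULL; }       /* would write out[-1] */
    out[asclen] = '\0';
    return (char *)out;
}

/* Offset where the terminator lands; negative means before the allocation. */
static int nul_offset(const unsigned char *uni, int unilen, int buggy)
{
    int at;
    free(uni2utf8_model(uni, unilen, buggy, &at));
    return at;
}

/* 1 if the model yields exactly `expected`, else 0. */
static int converts_to(const unsigned char *uni, int unilen, int buggy,
                       const char *expected)
{
    int at, ok;
    char *s = uni2utf8_model(uni, unilen, buggy, &at);
    ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}
```

Fed a friendly name that is the single code unit U+4E2D (constructed input `4E 2D`), the buggy arithmetic reports a terminator offset of -1, the write before the heap buffer; a name such as "AB" followed by that same character ends with the running length at 1 and the output silently truncated to "A", so in this model the out-of-bounds case needs the three-byte character to stand alone. Two-byte characters such as U+00E9 and surrogate pairs pass through the buggy path intact, which is why the threshold is U+07FF. The corrected path passes the real destination room and refuses on a negative return.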

Defensive priority

high

Recommended defensive actions

  • Limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
  • Only build and run applications from trusted sources
  • Monitor for patches from Siemens and OpenSSL projects
  • Review applications using PKCS12_get_friendlyname() for exposure to untrusted PKCS#12 files
  • Apply defense-in-depth controls per CISA ICS recommended practices

Evidence notes

CVE published 2024-04-09 per source metadata; a CVE-2025 identifier cannot have been published in 2024, so this is the original publication date of the source advisory rather than of the CVE itself. Source advisory ICSA-24-102-01 was published on that date with multiple subsequent updates through 2025-09-09 (the metadata block above records a later update date of 2026-05-14). Siemens product-specific advisory SSA-265688 is cross-referenced. CVSS vector from source: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (score 7.4, HIGH). Note that this vector rates confidentiality and integrity impact as High and availability as None, which does not match the mechanism described (a one-byte NUL write whose most plausible outcome is a crash) or the OpenSSL project's own Low rating; treat 7.4 as the stored downstream score. CWE-787 (Out-of-bounds Write) identified.

Official resources

2024-04-09