PatchSiren cyber security CVE debrief
CVE-2025-69420 Siemens CVE debrief
A type confusion vulnerability in OpenSSL's TimeStamp Response verification code affects the Siemens SIMATIC S7-1500 TM MFP GNU/Linux subsystem. The flaw occurs in `TS_RESP_verify_response()` where `ossl_ess_get_signing_cert()` and `ossl_ess_get_signing_cert_v2()` access signing certificate attribute values without validating the ASN.1 type. When processing a malformed TimeStamp Response with a type other than `V_ASN1_SEQUENCE`, the code dereferences invalid memory through the `ASN1_TYPE` union, causing a crash. Exploitation requires an attacker to supply a malformed RFC 3161 TimeStamp Response to an application performing verification. The protocol's limited adoption and the Denial of Service-only impact resulted in a Low severity assessment, though the CVSS vector indicates HIGH severity (7.5). OpenSSL FIPS modules (3.5, 3.4, 3.3, 3.0) are unaffected as the TimeStamp implementation falls outside the FIPS boundary. Affected OpenSSL versions include 3.6, 3.5, 3.4, 3.3, 3.0, and 1.1.1; version 1.0.2 is not affected.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with active GNU/Linux subsystems, particularly those utilizing TimeStamp Response verification in industrial automation, PKI infrastructure, or code signing workflows. Security teams in OT/ICS environments should prioritize access controls given the absence of available patches.
Technical summary
The vulnerability stems from improper type validation in OpenSSL's ESS (Enhanced Security Services) signing certificate extraction functions. When `ossl_ess_get_signing_cert()` or `ossl_ess_get_signing_cert_v2()` processes a TimeStamp Response, they retrieve the signing certificate attribute value via `X509_ATTRIBUTE_get0_data()` without verifying that the returned `ASN1_TYPE` contains a `V_ASN1_SEQUENCE`. The `ASN1_TYPE` union contains multiple member types of varying sizes; accessing the `sequence` member when the actual type differs causes memory misinterpretation and invalid pointer dereference. This manifests as a NULL or invalid pointer read during `TS_RESP_verify_response()` execution. The crash occurs in the reading phase, not writing, limiting impact to availability loss. The FIPS module boundary exclusion is significant for compliance-sensitive deployments.
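The missing type check, shown as an added example (not OpenSSL's code or patch, and not taken from the advisory): a stand-alone DER walker that accepts a signingCertificate or signingCertificateV2 attribute only when every value in its SET carries the SEQUENCE tag. The function names and sample bytes are constructed for illustration, and the parser handles only lengths encoded in at most two length bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Shared OID prefix 1.2.840.113549.1.9.16.2; last arc 12 = signingCertificate, 47 = V2. */
static const uint8_t OID_AA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02};
/* Constructed Attribute samples: the value is SEQUENCE {} (OK) or INTEGER 1 (BAD). */
static const uint8_t SAMPLE_OK[]  = {0x30,0x11,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x0D,
                                     0x01,0x09,0x10,0x02,0x0C,0x31,0x02,0x30,0x00};
static const uint8_t SAMPLE_BAD[] = {0x30,0x12,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x0D,
                                     0x01,0x09,0x10,0x02,0x0C,0x31,0x03,0x02,0x01,0x01};

/* Parse one DER header: return its size (0 on error); at most two length bytes. */
static size_t der_header(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len) {
    size_t hdr = 2, n, i;
    if (avail < 2) return 0;
    *tag = p[0]; *len = p[1];
    if (p[1] >= 0x80) {                       /* long-form length */
        n = p[1] & 0x7F;
        if (n == 0 || n > 2 || avail < 2 + n) return 0;
        for (*len = 0, i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
        hdr += n;
    }
    return *len <= avail - hdr ? hdr : 0;     /* value must fit in the buffer */
}

/* 1: every attribute value is a SEQUENCE; 0: a value has another ASN.1 type
   (the malformed case described above); -1: parse error or different OID. */
int ess_values_are_sequences(const uint8_t *buf, size_t n) {
    uint8_t tag; size_t len, h; const uint8_t *p, *end;
    if (!(h = der_header(buf, n, &tag, &len)) || tag != 0x30) return -1;
    p = buf + h; end = p + len;
    if (!(h = der_header(p, (size_t)(end - p), &tag, &len)) || tag != 0x06) return -1;
    if (len != 11 || memcmp(p + h, OID_AA, 10) != 0) return -1;
    if (p[h + 10] != 12 && p[h + 10] != 47) return -1;   /* v1 or v2 arc only */
    p += h + len;
    if (!(h = der_header(p, (size_t)(end - p), &tag, &len)) || tag != 0x31) return -1;
    p += h; end = p + len;
    if (p == end) return -1;                  /* empty SET: nothing to check */
    while (p < end) {
        if (!(h = der_header(p, (size_t)(end - p), &tag, &len))) return -1;
        if (tag != 0x30) return 0;            /* not a SEQUENCE: reject before use */
        p += h + len;
    }
    return 1;
}

int main(void) {
    return !(ess_values_are_sequences(SAMPLE_OK, sizeof SAMPLE_OK) == 1 &&
             ess_values_are_sequences(SAMPLE_BAD, sizeof SAMPLE_BAD) == 0);
}
```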
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Build and run only applications from trusted sources
- Monitor for future Siemens security advisories regarding patch availability
- Review application dependencies for OpenSSL TimeStamp Response functionality
- Assess network segmentation to limit exposure of TimeStamp verification services
Evidence notes
The source advisory (ICSA-24-102-01) was initially published on 2024-04-09 and has undergone nine revision cycles through 2025-09-09, with CVE-2025-69420 added in a subsequent release. The advisory identifies the affected product as the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP, which incorporates vulnerable OpenSSL components. Siemens has published parallel guidance in SSA-265688. No patch is currently available per the source remediation data.
Official resources
- CVE-2025-69420 CVE record (CVE.org)
- CVE-2025-69420 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)