Siemens SICORE and CPCI85 Out-of-Bounds Write Vulnerability Leading to Denial-of-Service

An out-of-bounds write vulnerability has been identified in Siemens CPCI85 Central Processing/Communication and SICORE Base system, affecting all versions prior to V26.10 and V26.10.0, respectively. The vulnerability arises while parsing specially crafted XML inputs, allowing an unauthenticated attacker to send a malicious XML request that could cause the service to crash, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability can cause the service to crash, creating a denial-of-service condition.

Remediation

Users are advised to update to Siemens CPCI85 V26.10 or later, or to SICORE V26.10.0 or later. The CPCI85 V26.10 firmware is available within the 'CP-8031/CP-8050 Package' V26.10 and the 'SICAM EGS Package' V26.10. The SICORE V26.10.0 firmware can be found in the 'CP-8010/CP-8012 Package' V26.10 and the 'SICAM S8000 Package' V26.10.