Siemens SIMATIC S7-1500 CPUs

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories.

1. EXECUTIVE SUMMARY
  • CVSS v4 6.9
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SIMATIC S7-1500 CPUs
  • Vulnerability: Authentication Bypass Using an Alternate Path or Channel
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to gain knowledge about actual and configured maximum cycle times and communication load of the CPU.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

  • SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): Versions prior to V3.1.4
  • SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): Versions prior to V3.1.4
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): All versions
  • SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): All versions
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): All versions
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): All versions
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): All versions
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): All versions
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): All versions
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): All versions
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): All versions
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): All versions
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): All versions
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): All versions
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): All versions
  • SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0): All versions
  • SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): All versions
  • SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0): All versions
  • SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): Versions prior to V3.1.4
  • SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): All versions
  • SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): All versions
  • SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): All versions
  • SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): All versions
  • SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): All versions
  • SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): All versions
  • SIMATIC S7-1500 Software Controller V2: All versions
  • SIMATIC S7-1500 Software Controller V3: All versions
  • SIMATIC S7-PLCSIM Advanced: All versions
  • SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): All versions
  • SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): All versions
  • SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): All versions
  • SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): All versions
  • SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): All versions
  • SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): All versions
  • SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): All versions
  • SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): All versions
  • SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): All versions
  • SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): All versions
  • SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): All versions
  • SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): All versions
  • SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): All versions
  • SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): All versions
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): All versions
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): All versions
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): All versions
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): All versions
  • SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): All versions
  • SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): All versions
  • SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): All versions
  • SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): All versions
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): All versions
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): All versions
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): All versions
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): All versions
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): All versions
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): All versions
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): All versions
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): All versions
  • SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): All versions
  • SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): All versions
  • SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): All versions
  • SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): All versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): All versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): All versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): All versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): All versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): All versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): All versions
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): All versions
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): All versions
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): All versions
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): All versions
  • SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): Versions prior to V3.1.4
  • SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): All versions
  • SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): Versions prior to V3.1.4
3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

The web server of affected devices does not properly authenticate requests to the '/ClientArea/RuntimeInfoData.mwsl' endpoint. This could allow an unauthenticated remote attacker to learn the current and configured maximum cycle times as well as the configured maximum communication load of the CPU.

CVE-2024-46887 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-46887. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Corstiaan Klos reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants), SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0), SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0), SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0), SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0), SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN 
(6ES7513-2GL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0), SIMATIC S7-1500 Software Controller V2, SIMATIC S7-1500 Software Controller V3, SIMATIC S7-PLCSIM Advanced, SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0), SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0), SIPLUS S7-1500 
CPU 1515F-2 PN (6AG1515-2FM01-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0), SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): Currently no fix is available
  • SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 
1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): Update to V3.1.4 or later version
  • SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): Update to V3.1.4 or later version
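The advisory splits the affected CPUs into two groups: article numbers that receive firmware V3.1.4, and article numbers listed as "All versions" with no fix, where the only option is to restrict access to the web server. The helper below is an added example, not Siemens or CISA code. It maps an (article number, firmware version) pair to one of those remediation states, and it can send one anonymous GET to the endpoint named in section 3.2.1 and report the raw HTTP status, which is what an operator needs to confirm whether a CPU still answers it without a session. Only a subset of the section 3.1 article numbers is encoded (extend the two sets from the full list); the inventory rows, hostnames and the User-Agent string are constructed, and disabling certificate verification assumes the CPU presents a self-signed certificate.

```python
"""Triage helper for SSA-054046 / CVE-2024-46887 on SIMATIC S7-1500 CPUs.

Added example; this is not Siemens or CISA code. Only a subset of the
advisory's article numbers is encoded below; extend the two sets from
section 3.1 of the advisory. The inventory rows at the bottom are constructed.
"""
import re
import ssl
import urllib.error
import urllib.request
from typing import Dict, Iterable, Tuple

FIX_VERSION = (3, 1, 4)
ENDPOINT = "/ClientArea/RuntimeInfoData.mwsl"

# Advisory: "Versions prior to V3.1.4" -> update to V3.1.4 or later (subset).
FIXED_IN_V314 = {
    "6ES7615-4DF10-0AB0", "6ES7615-7DF10-0AB0", "6ES7510-1SK03-0AB0",
    "6ES7511-1AL03-0AB0", "6ES7515-2AN03-0AB0", "6ES7516-3AP03-0AB0",
    "6ES7518-4AP00-0AB0", "6AG1518-4AP00-4AB0",
}
# Advisory: "All versions" affected, currently no fix available (subset).
NO_FIX = {
    "6ES7510-1SJ01-0AB0", "6ES7511-1AK01-0AB0", "6ES7511-1AK02-0AB0",
    "6ES7516-3AN02-0AB0", "6ES7518-4AX00-1AB0", "6AG1511-1AK01-2AB0",
}

_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'V3.1.2' -> (3, 1, 2); a missing third field counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(mlfb: str, firmware: str) -> str:
    """Remediation state for one CPU according to the advisory's two groups."""
    mlfb = mlfb.strip().upper()
    if mlfb in NO_FIX:
        return "no fix: restrict access to the web server"
    if mlfb in FIXED_IN_V314:
        if parse_version(firmware) >= FIX_VERSION:
            return "fixed"
        return "update to V3.1.4 or later"
    return "not listed in SSA-054046"


def triage_inventory(rows: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """rows: (hostname, article number, firmware version) -> {hostname: state}."""
    return {name: triage(mlfb, fw) for name, mlfb, fw in rows}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 3xx as an HTTPError instead of following it to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_endpoint(host: str, timeout: float = 5.0) -> Tuple[int, int]:
    """One anonymous GET of the endpoint; returns (HTTP status, body length).

    A 200 with a body, sent without any session cookie or credentials, is the
    condition the advisory describes. Certificate verification is disabled on
    the assumption that the CPU uses a self-signed certificate. Only run this
    against controllers you are authorised to test.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(f"https://{host}{ENDPOINT}",
                                 headers={"User-Agent": "ssa-054046-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, 0


# Constructed inventory. The last row is an S7-1200 article number, which
# this advisory does not list, so it must come back as "not listed".
SAMPLE_INVENTORY = [
    ("plc-line1", "6ES7516-3AP03-0AB0", "V3.0.3"),
    ("plc-line2", "6ES7516-3AP03-0AB0", "V3.1.4"),
    ("plc-legacy", "6ES7511-1AK02-0AB0", "V2.9.4"),
    ("plc-small", "6ES7214-1AG40-0XB0", "V4.6"),
]

if __name__ == "__main__":
    for host, state in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

The probe deliberately does not follow redirects: a fixed CPU that bounces anonymous requests to its login page would otherwise show up as a 200 with a body and look vulnerable. Treat a 200 from the probe as a prompt to inspect the body, not as proof on its own.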

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-054046 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Delta Electronics CNCSoft-G2

1. EXECUTIVE SUMMARY
  • CVSS v4 8.4
  • ATTENTION: low attack complexity
  • Vendor: Delta Electronics
  • Equipment: CNCSoft-G2
  • Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Write, Heap-Based Buffer Overflow, Out-of-bounds Read, Use of Uninitialized Variable
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code remotely.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics CNCSoft-G2, a Human-Machine Interface (HMI) software, are affected:

  • CNCSoft-G2: Version 2.1.0.10
3.2 Vulnerability Overview

3.2.1 Stack-based Buffer Overflow CWE-121

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can manipulate an insider to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process.

CVE-2024-47962 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47962. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Out-of-bounds Write CWE-787

Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can manipulate users to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process.

CVE-2024-47963 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47963. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Heap-Based Buffer Overflow CWE-122

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can manipulate users to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process.

CVE-2024-47964 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47964. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Out-of-bounds Read CWE-125

Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can manipulate users to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process.

CVE-2024-47965 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47965. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 Use of Uninitialized Variable CWE-457

Delta Electronics CNCSoft-G2 lacks proper initialization of memory prior to accessing it. An attacker can manipulate users to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process.

CVE-2024-47966 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47966. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER

Bobby Gould, Fritz Sands, and Natnael Samson working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics recommends users update to CNCSoft-G2 v2.1.0.16 or later.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Rockwell Automation Logix Controllers

1. EXECUTIVE SUMMARY
  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: Compact GuardLogix, CompactLogix, ControlLogix, GuardLogix, 1756-EN4TR
  • Vulnerability: Uncontrolled Resource Consumption
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service on the affected products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Logix Controllers are affected:

  • CompactLogix 5380: All versions later than v33.011 up to v33.015
  • Compact GuardLogix 5380: All versions later than v33.011 up to v33.015
  • CompactLogix 5480: All versions later than v33.011 up to v33.015
  • ControlLogix 5580: All versions later than v33.011 up to v33.015
  • GuardLogix 5580: All versions later than v33.011 up to v33.015
  • 1756-EN4TR: Version v3.002
3.2 Vulnerability Overview

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Due to a memory leak, a denial-of-service vulnerability exists in the affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain webpages of the product causing the affected products to become fully unavailable and require a power cycle to recover.

CVE-2024-8626 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-8626. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
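The trigger described above is volumetric: one client repeating actions against the controller's web pages until the leak exhausts memory. Until the firmware is updated, that is a pattern worth watching for on whatever proxy, firewall or span-port collector sits in front of the controllers. The detector below is an added example, not Rockwell or CISA code. It keeps a sliding per-client window of requests to controller addresses and raises one alert the first time a client crosses a threshold. The one-request-per-line log format, the controller address list, the threshold and the request paths are all assumptions, and the sample log is constructed.

```python
"""Added example (not Rockwell or CISA code): burst detection for HTTP requests
to Logix controller web servers. Assumed log format, one request per line:
'<ISO timestamp> <src_ip> <dst_ip> <method> <path> <status>'.
CONTROLLER_IPS, THRESHOLD and the sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

CONTROLLER_IPS = {"10.0.5.21"}   # web servers of the Logix controllers in scope
WINDOW_SECONDS = 60              # sliding window length
THRESHOLD = 50                   # requests per window from one client that warrant a look


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    ts, src, dst, method, path, _status = line.split()
    return datetime.fromisoformat(ts), src, dst, method, path


def find_bursts(lines: Iterable[str], controllers=CONTROLLER_IPS,
                window: int = WINDOW_SECONDS, threshold: int = THRESHOLD
                ) -> List[Tuple[str, str, str, int]]:
    """Return (src, dst, time, count), once per (src, dst) pair, when a client
    reaches `threshold` requests to a controller inside any `window`-second
    span. Lines for one pair must arrive in time order."""
    recent = defaultdict(deque)          # (src, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ts, src, dst, _method, _path = parse_line(line)
        if dst not in controllers:
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop what fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, dst, ts.isoformat(), len(q)))
    return alerts


def make_sample_log() -> List[str]:
    """Constructed log: an operator browsing normally, a client hammering the
    controller once per second, and the same client hitting an unrelated host.
    Paths are placeholders."""
    t0 = datetime(2024, 10, 10, 8, 0, 0)
    lines = []
    for i in range(5):                                   # 5 requests, 20 s apart
        lines.append(f"{(t0 + timedelta(seconds=20 * i)).isoformat()} "
                     f"10.0.9.15 10.0.5.21 GET /index.html 200")
    for i in range(60):                                  # 60 requests, 1 s apart
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} "
                     f"10.0.9.77 10.0.5.21 GET /page 200")
    for i in range(60):                                  # same rate, not a controller
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} "
                     f"10.0.9.77 10.0.8.4 GET /api 200")
    return sorted(lines)


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for src, dst, when, n in find_bursts(SAMPLE_LOG):
        print(f"{when}: {src} made {n} requests to {dst} within {WINDOW_SECONDS}s")
```

The threshold has to be tuned per site: an engineering workstation with the controller's diagnostics page auto-refreshing will generate steady traffic, so baseline normal request rates before alerting, and pair this with the controller's own memory or health diagnostics where they are available.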

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation offers users the following solutions:

  • CompactLogix 5380: Update to v33.015 or later on the v33 branch, or to v34.011 or later
  • Compact GuardLogix 5380: Update to v33.015 or later on the v33 branch, or to v34.011 or later
  • CompactLogix 5480: Update to v33.015 or later on the v33 branch, or to v34.011 or later
  • ControlLogix 5580: Update to v33.015 or later on the v33 branch, or to v34.011 or later
  • GuardLogix 5580: Update to v33.015 or later on the v33 branch, or to v34.011 or later
  • 1756-EN4TR: Update to version 4.001 and later

Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.   

For more information about this issue, please see the advisory on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Rockwell Automation DataMosaix Private Cloud

1. EXECUTIVE SUMMARY
  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: DataMosaix Private Cloud
  • Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to view user data or create, modify, or delete their own project.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of DataMosaix Private Cloud are affected:

  • DataMosaix Private Cloud: Versions 7.07 and prior
3.2 Vulnerability Overview

3.2.1 Exposure of Sensitive Information to an Unauthorized Actor CWE-200

A data exposure vulnerability exists in DataMosaix Private Cloud. There are hardcoded links in the source code that lead to JSON files that can be reached without authentication. If exploited, a threat actor could view user data.

CVE-2024-7952 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-7952. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Missing Authorization CWE-862

A vulnerability exists in DataMosaix Private Cloud that allows a threat actor to create a project and become the administrator for it. If exploited, a threat actor could create, modify, and delete their own project.

CVE-2024-7953 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7953. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Incorrect Authorization CWE-863

A vulnerability exists in DataMosaix Private Cloud that allows a threat actor to gain access to other users' projects. To exploit this vulnerability, the threat actor must have basic user privileges. If exploited, the threat actor can modify and delete the project.

CVE-2024-7956 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-7956. A base score of 7.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation has addressed these issues in version 7.09 and encourages users to update to the newest available version. Rockwell Automation encourages users of the affected software to apply risk mitigations, if possible.

Rockwell Automation encourages users who are not able to upgrade to one of the corrected versions to apply security best practices, where possible.   

For more information about this issue, please see the advisory on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens Sentron Powercenter 1000

1 month 3 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.2
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: Sentron Powercenter 1000
  • Vulnerability: Improper Check for Unusual or Exceptional Conditions
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

  • SENTRON Powercenter 1000 (7KN1110-0MC00): All versions
3.2 Vulnerability Overview

3.2.1 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

Prior to v7.4.0, Ember ZNet is vulnerable to a denial-of-service attack through manipulation of the NWK sequence number. For SENTRON Powercenter 1000, the product is vulnerable through the manipulation of a component sequence number; other devices/networks are not affected, only the same powercenter/network is affected.

CVE-2023-6874 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-6874. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Mitigate through physical isolation

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-340240 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens PSS SINCAL

1 month 3 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Low Attack Complexity
  • Vendor: Siemens
  • Equipment: PSS SINCAL
  • Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or kernel memory corruption on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected if WibuKey dongles are used:

  • PSS SINCAL: All versions
3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v6.70. An improper bounds check allows crafted packets to cause an arbitrary address write, resulting in kernel memory corruption.

CVE-2024-45181 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45181. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v6.70. An improper bounds check allows specially crafted packets to cause an arbitrary address read, resulting in denial of service.

CVE-2024-45182 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45182. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

WIBU Systems has released a new version for WibuKey for Windows. Siemens recommends users update WibuKey Runtime for Windows to V6.70 or later version (https://www.wibu.com/us/support/user/downloads-user-software.html) on affected Windows client installations, where WibuKey Dongles are used.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-368868 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Rockwell Automation ControlLogix

1 month 3 weeks ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: ControlLogix
  • Vulnerability: Improper Input Validation
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to send a specially crafted CIP message and cause a denial-of-service condition on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

  • ControlLogix 5580: Versions prior to V33.017, V34.014, V35.013, V36.011
  • ControlLogix 5580 Process: Versions prior to V33.017, V34.014, V35.013, V36.011
  • GuardLogix 5580: Versions prior to V33.017, V34.014, V35.013, V36.011
  • CompactLogix 5380: Versions prior to V33.017, V34.014, V35.013, V36.011
  • Compact GuardLogix 5380 SIL 2: Versions prior to V33.017, V34.014, V35.013, V36.011
  • Compact GuardLogix 5380 SIL 3: Versions prior to V33.017, V34.014, V35.013, V36.011
  • CompactLogix 5480: Versions prior to V33.017, V34.014, V35.013, V36.011
  • FactoryTalk Logix Echo: Versions prior to V33.017, V34.014, V35.013, V36.011
3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

A denial-of-service vulnerability exists in the affected products that causes the device to enter a major nonrecoverable fault (MNRF) when it receives an invalid CIP request. To exploit this vulnerability, a malicious user must chain this exploit with CVE-2021-22681 and send a specially crafted CIP message to the device. If exploited, a threat actor could prevent legitimate users from accessing the device and end connections to connected devices, including the workstation. To recover the controllers, a download is required, which ends any process that the controller is running.

CVE-2024-6207 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6207. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Trevor Flynn reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users update to V33.017, V34.014, V35.013, or V36.011.

Additionally, Rockwell Automation encourages users to apply security best practices to minimize the risk of the vulnerability.

For more information about this issue, please see the advisory on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Rockwell Automation Verve Asset Manager

1 month 3 weeks ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 8.4
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: Verve Asset Manager
  • Vulnerability: Placement of User into Incorrect Group
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized user to access previous data they should no longer have access to.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of Verve Asset Manager are affected:

  • Verve Asset Manager: Versions prior to 1.38
3.2 Vulnerability Overview

3.2.1 Placement of User into Incorrect Group CWE-842

An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. While removal of all role mappings is unlikely, it could occur in the case of unexpected or accidental removal by the administrator. If exploited, an unauthorized user could access data they previously had but should no longer have access to.

CVE-2024-9412 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9412. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Water and Wastewater Systems, Healthcare and Public Health, and Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has addressed this issue in version 1.38 and encourages users to update to the newest available version.

Rockwell Automation encourages users of the affected software to apply risk mitigations, if possible. Additionally, they encourage users to implement suggested security best practices to minimize the risk of vulnerability:

  • The presence of any mappings will help prevent this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users is an effective workaround.
  • Security Best Practices

For more information about this issue, please see the advisory on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Schneider Electric Zelio Soft 2

1 month 3 weeks ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v3 7.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Zelio Soft 2
  • Vulnerabilities: Use After Free, Improper Input Validation
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to achieve arbitrary code execution, cause a denial-of-service condition, or loss of confidentiality and integrity.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Schneider Electric Zelio Soft 2 are affected:

  • Zelio Soft 2: Versions prior to 5.4.2.2
3.2 Vulnerability Overview

3.2.1 USE AFTER FREE CWE-416

A Use After Free vulnerability exists that could cause arbitrary code execution, denial of service, and loss of confidentiality and integrity if an application user opens a malicious Zelio Soft 2 project file.

CVE-2024-8422 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

An Improper Input Validation vulnerability exists that could cause a crash of the Zelio Soft 2 application if a specially crafted project file is loaded by an application user.

CVE-2024-8518 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER

rgod working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric recommends that users update to Version 5.4.2.2. It can be updated through the Schneider Electric Software Update (SESU) application and is also available for download here.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens RUGGEDCOM APE1808

1 month 3 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v3 6.0
  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: RUGGEDCOM APE1808
  • Vulnerability: Incorrect Authorization
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a limited denial-of-service condition, data loss, or information disclosure.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products with Nozomi Guardian / CMC before 24.3.1 are affected:

  • RUGGEDCOM APE1808LNX (6GK6015-0AL20-0GH0): All versions
  • RUGGEDCOM APE1808LNX CC (6GK6015-0AL20-0GH1): All versions
3.2 Vulnerability Overview

3.2.1 INCORRECT AUTHORIZATION CWE-863

An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited denial-of-service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. This could expand the scope of the attack.

CVE-2024-4465 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Upgrade Nozomi Guardian / CMC to V24.3.1. Contact customer support to receive patch and update information.
  • Restrict access to the affected components to trusted personnel.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-254396 in HTML and CSAF.

Nozomi provides a public RSS feed for their security alerts to which users can subscribe.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens HiMed Cockpit

1 month 3 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: HiMed Cockpit
  • Vulnerability: Improper Protection of Alternate Path
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escape the restricted environment and gain access to the underlying operating system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens HiMed Cockpit, a multimedia terminal, are affected:

  • HiMed Cockpit 12 pro (J31032-K2017-H259): Versions V11.5.1 up to but not including V11.6.2
  • HiMed Cockpit 14 pro+ (J31032-K2017-H435): Versions V11.5.1 up to but not including V11.6.2
  • HiMed Cockpit 18 pro (J31032-K2017-H260): Versions V11.5.1 up to but not including V11.6.2
  • HiMed Cockpit 18 pro+ (J31032-K2017-H436): Versions V11.5.1 up to but not including V11.6.2
3.2 Vulnerability Overview

3.2.1 IMPROPER PROTECTION OF ALTERNATE PATH CWE-424

The Kiosk Mode of the affected devices contains a restricted desktop environment escape vulnerability. This could allow an unauthenticated local attacker to escape the restricted environment and gain access to the underlying operating system.

CVE-2023-52952 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2023-52952. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Tamay Caliskan reported this vulnerability to Siemens. Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • HiMed Cockpit 12 pro (J31032-K2017-H259): Update to V11.6.2 or later version
  • HiMed Cockpit 14 pro+ (J31032-K2017-H435): Update to V11.6.2 or later version
  • HiMed Cockpit 18 pro (J31032-K2017-H260): Update to V11.6.2 or later version
  • HiMed Cockpit 18 pro+ (J31032-K2017-H436): Update to V11.6.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-540493 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens Simcenter Nastran

1 month 3 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 7.3
  • ATTENTION: Low Attack Complexity
  • Vendor: Siemens
  • Equipment: Simcenter Nastran
  • Vulnerabilities: Heap-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following versions of Simcenter Nastran finite element method (FEM) solver are affected:

  • Simcenter Nastran 2306: All versions
  • Simcenter Nastran 2312: All versions
  • Simcenter Nastran 2406: Versions prior to V2406.5000
3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

Simcenter Nastran is vulnerable to a heap-based buffer overflow while parsing specially crafted BDF files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-41981 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41981. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

Simcenter Nastran is vulnerable to memory corruption while parsing specially crafted BDF files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-47046 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47046. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has released a new version for Simcenter Nastran 2406 and recommends updating to V2406.5000 or later version. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Do not open untrusted BDF files in the affected applications

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-852501 in HTML and CSAF.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens JT2Go

1 month 3 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 7.3
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: JT2Go
  • Vulnerability: Stack-based Buffer Overflow
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens JT2Go, a 3D viewing tool, are affected:

  • JT2Go: All versions prior to V2406.0003
3.2 Vulnerability Overview

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

The affected application contains a stack-based buffer overflow vulnerability that could be triggered while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-41902 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41902. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Siemens. Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:

  • Do not open untrusted PDF files in affected applications
  • Remove the PDFJTExtractor.exe from the installation in the affected application

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-626178 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens SENTRON PAC3200 Devices

1 month 3 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SENTRON 7KM PAC3200
  • Vulnerability: Improper Authentication
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access clear text communication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SENTRON PAC3200 devices are affected:

  • SENTRON 7KM PAC3200: All versions
3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHENTICATION CWE-287

Affected devices only provide a 4-digit PIN to protect against administrative access via the Modbus TCP interface. Attackers with access to the Modbus TCP interface could easily bypass this protection by brute-force attacks or by sniffing the Modbus clear text communication.
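Because a 4-digit PIN sent in clear text can be guessed or simply read off the wire, the practical controls are restricting which hosts may reach the Modbus TCP interface and watching for anyone else trying. The detector below is an added example, not Siemens' or CISA's code: it runs over constructed, Zeek-style modbus.log lines (the five-field layout, the allow-listed workstation 10.0.5.20 and the meter address 10.0.5.100 are assumptions) and raises one alert for any client not on the allow-list and one for any client that sends ten or more write requests to the same device within 60 seconds, the signature a PIN-guessing loop leaves behind.

```python
from collections import defaultdict, deque

# Constructed assumptions: the one workstation allowed to talk Modbus TCP to
# the meter, and the meter's own address.
ALLOWED_CLIENTS = {"10.0.5.20"}
METER = "10.0.5.100"

# Zeek-style modbus.log function names for requests that change device state;
# a PIN-guessing loop shows up as a burst of these from one source.
WRITE_FUNCS = {"WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_REGISTERS",
               "WRITE_SINGLE_COIL", "WRITE_MULTIPLE_COILS"}

# Constructed sample lines, tab-separated like Zeek's modbus.log but reduced to
# ts, id.orig_h, id.resp_h, id.resp_p, func. Not captured from a real device.
SAMPLE_LINES = [
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tfunc",
    f"1700000000.10\t10.0.5.20\t{METER}\t502\tREAD_HOLDING_REGISTERS",
    f"1700000000.40\t10.0.5.20\t{METER}\t502\tWRITE_SINGLE_REGISTER",
] + [
    # twelve register writes in under two seconds from a host that should
    # never speak Modbus to the meter
    f"{1700000001.0 + i * 0.15:.2f}\t10.0.9.77\t{METER}\t502\tWRITE_SINGLE_REGISTER"
    for i in range(12)
] + [
    f"1700000010.00\t10.0.5.20\t{METER}\t502\tREAD_HOLDING_REGISTERS",
]


def parse_line(line):
    """Return a dict for one log line, or None for header/comment/malformed lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None
    try:
        return {"ts": float(fields[0]), "src": fields[1], "dst": fields[2],
                "port": int(fields[3]), "func": fields[4]}
    except ValueError:
        return None


def detect(lines, allowed_clients=ALLOWED_CLIENTS, window=60.0, threshold=10):
    """Emit at most one alert per (kind, client, device) for
    (a) any Modbus client that is not on the allow-list, and
    (b) any client sending `threshold` or more write requests to one device
        within a sliding window of `window` seconds."""
    alerts = []
    raised = set()
    recent_writes = defaultdict(deque)   # (src, dst) -> write timestamps in window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        if ev["src"] not in allowed_clients and ("unexpected_client", *key) not in raised:
            raised.add(("unexpected_client", *key))
            alerts.append({"kind": "unexpected_client", "src": ev["src"],
                           "dst": ev["dst"], "ts": ev["ts"]})
        if ev["func"] in WRITE_FUNCS:
            q = recent_writes[key]
            q.append(ev["ts"])
            # drop writes that have aged out of the window
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ("write_burst", *key) not in raised:
                raised.add(("write_burst", *key))
                alerts.append({"kind": "write_burst", "src": ev["src"],
                               "dst": ev["dst"], "ts": ev["ts"], "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The allow-list alert fires on the first packet, before any guessing is visible, which is why network restriction rather than the PIN is the control Siemens' mitigation points to.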

CVE-2024-41798 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41798. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Michael Messner from Siemens Energy reported this vulnerability to Siemens. Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SENTRON 7KM PAC3200: Currently no fix is planned
  • Consider the PIN as protection against unauthorized operation (i.e., protection against inadvertent operating errors), not as protection against malicious access attempts, such as through brute-force attacks; for details see the FAQ article at https://support.industry.siemens.com/cs/ww/en/view/109975235/

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-850560 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens SIMATIC S7-1500 and S7-1200 CPUs

1 month 3 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 5.1
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SIMATIC S7-1500 and S7-1200 CPUs
  • Vulnerability: Open Redirect
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to make the web server of affected devices redirect a legitimate user to an attacker-chosen URL.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following SIMATIC S7-1500 and S7-1200 CPUs are affected:

  • SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): versions prior to V3.1.4
  • SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): versions prior to V3.1.4
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): all versions
  • SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): all versions
  • SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): all versions
  • SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): all versions
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): all versions
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): all versions
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): all versions
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): all versions
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): all versions
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): all versions
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): all versions
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): all versions
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): all versions
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): all versions
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): all versions
  • SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0): all versions
  • SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): all versions
  • SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0): all versions
  • SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): versions prior to V3.1.4
  • SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): all versions
  • SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): all versions
  • SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): all versions
  • SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): all versions
  • SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): all versions
  • SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): all versions
  • SIMATIC S7-1500 Software Controller CPU 1507S F V2: all versions
  • SIMATIC S7-1500 Software Controller CPU 1507S F V3: all versions
  • SIMATIC S7-1500 Software Controller CPU 1507S V2: all versions
  • SIMATIC S7-1500 Software Controller CPU 1507S V3: all versions
  • SIMATIC S7-1500 Software Controller CPU 1508S F V2: all versions
  • SIMATIC S7-1500 Software Controller CPU 1508S F V3: all versions
  • SIMATIC S7-1500 Software Controller CPU 1508S T V3: all versions
  • SIMATIC S7-1500 Software Controller CPU 1508S TF V3: all versions
  • SIMATIC S7-1500 Software Controller CPU 1508S V2: all versions
  • SIMATIC S7-1500 Software Controller CPU 1508S V3: all versions
  • SIMATIC S7-1500 Software Controller Linux V2: all versions
  • SIMATIC S7-1500 Software Controller Linux V3: all versions
  • SIMATIC S7-PLCSIM Advanced: all versions
  • SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): all versions
  • SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): all versions
  • SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): all versions
  • SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): all versions
  • SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): all versions
  • SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): all versions
  • SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): all versions
  • SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): all versions
  • SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): all versions
  • SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): all versions
  • SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): all versions
  • SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): all versions
  • SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): all versions
  • SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): all versions
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): all versions
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): all versions
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): all versions
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): all versions
  • SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): all versions
  • SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): all versions
  • SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): all versions
  • SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): all versions
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): all versions
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): all versions
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): all versions
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): all versions
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): all versions
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): all versions
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): all versions
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): all versions
  • SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): all versions
  • SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): all versions
  • SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): all versions
  • SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): all versions
  • SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0): all versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): all versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): all versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): all versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): all versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): all versions
  • SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): all versions
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): all versions
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): all versions
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): all versions
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): all versions
  • SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): versions prior to V3.1.4
  • SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): all versions
  • SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): versions prior to V3.1.4
3.2 Vulnerability Overview

3.2.1 URL REDIRECTION TO UNTRUSTED SITE ('OPEN REDIRECT') CWE-601

The web server of affected devices does not properly validate input that is used for a user redirection. This could allow an attacker to make the server redirect the legitimate user to an attacker-chosen URL. For a successful exploit, the legitimate user must actively click on an attacker-crafted link.
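To make concrete what "properly validate input that is used for a user redirection" means, here is an added example (not Siemens firmware code) that contrasts the unchecked pattern with a validator accepting only same-origin, absolute-path targets; the parameter name `next` and the hostname `plc.example.internal` are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumption (constructed): the hostname under which the device's web server is reached.
OWN_HOST = "plc.example.internal"


def redirect_target_unchecked(next_param: str) -> str:
    """Vulnerable pattern: whatever arrives in the 'next' parameter becomes the
    Location header, so a crafted link can send the user to any host."""
    return next_param


def redirect_target_checked(next_param: str, default: str = "/") -> str:
    """Hardened pattern: accept only a same-origin, absolute-path reference
    such as '/diag?x=1'; anything else falls back to a safe default."""
    if not next_param:
        return default
    # Control characters and whitespace can split headers or be folded away by
    # clients; browsers treat backslashes as slashes, so '/\evil' reads as '//evil'.
    if "\\" in next_param or any(ord(c) < 0x21 or ord(c) == 0x7F for c in next_param):
        return default
    parts = urlsplit(next_param)
    # A scheme ('https:', 'javascript:') or an authority ('//evil.example')
    # means the caller chose the destination host, not this server.
    if parts.scheme or parts.netloc:
        return default
    # Must be an absolute path on this origin, with a single leading slash.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Resolve dot segments against our own origin and re-check the host;
    # the normalised path is what gets emitted, never the raw input.
    resolved = urlsplit(urljoin(f"https://{OWN_HOST}/", next_param))
    if resolved.scheme != "https" or resolved.netloc != OWN_HOST:
        return default
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")


if __name__ == "__main__":
    for candidate in ["/diag?x=1", "https://evil.example/", "//evil.example/",
                      "/\\evil.example", "javascript:alert(1)", "/a/../diag"]:
        print(f"{candidate!r:24} unchecked -> {redirect_target_unchecked(candidate)!r:24}"
              f" checked -> {redirect_target_checked(candidate)!r}")
```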

CVE-2024-46886 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).

A CVSS v4 score has also been calculated forCVE-2024-46886. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N).
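A server-side check for a redirect parameter that closes this class of bug, as an added example that is not Siemens' code or the CPU web server's logic. It assumes a constructed allowlist (`TRUSTED_HOSTS`) and a fallback landing page; everything else is standard-library `urllib.parse`. The check accepts only same-site absolute paths or absolute URLs on an allowlisted host, and treats the usual filter bypasses (scheme-relative `//host`, backslash variants, `https:host` without slashes, `trusted@evil` userinfo, non-http schemes) as unsafe.

```python
from urllib.parse import urlsplit

# Constructed for this example: the only hosts the web server may send a user to.
TRUSTED_HOSTS = {"plc.example.internal"}
FALLBACK = "/"


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Accept only same-site absolute paths or absolute URLs on an allowlisted host."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False                       # empty, or header-injection material
    candidate = target.replace("\\", "/")  # browsers treat '\' like '/' in URLs
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: one leading slash keeps it on this host; '//' would not.
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False                       # javascript:, data:, file:, ...
    # .hostname strips userinfo and port and lower-cases the host, so
    # 'https://trusted@evil' is judged by 'evil', not by 'trusted'.
    return parts.hostname in trusted_hosts


def redirect_target(requested: str, trusted_hosts=TRUSTED_HOSTS, fallback=FALLBACK) -> str:
    """What the server should actually place in the Location header."""
    return requested if is_safe_redirect(requested, trusted_hosts) else fallback


if __name__ == "__main__":
    for t in ("/start", "//evil.example/x", "https:evil.example",
              "https://plc.example.internal@evil.example/",
              "https://plc.example.internal/login"):
        print(f"{t!r:48} -> {redirect_target(t)!r}")
```

The rejected value is replaced by a fixed landing page rather than echoed back, so a failed check never leaks the attacker-supplied URL into an error page.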

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

David Henrique Estevam de Andrade reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has released new versions for several affected products and recommends users update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • All affected products: Do not click on links from unknown sources.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-876787 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens SINEC Security Monitor


As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 


1. EXECUTIVE SUMMARY
  • CVSS v4 9.4
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SINEC Security Monitor
  • Vulnerabilities: Argument Injection, Command Injection, Path Traversal, Permissive List of Allowed Inputs
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, execute privileged commands, or compromise the integrity of the configuration of the affected application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SINEC Security Monitor, a modular cyber security software, are affected:

  • SINEC Security Monitor: All versions prior to V4.9.0
3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF ARGUMENT DELIMITERS IN A COMMAND ('ARGUMENT INJECTION') CWE-88

The affected application does not properly validate user input to the ssmctl-client command. This could allow an authenticated, low-privileged remote attacker to execute arbitrary code with root privileges on the underlying OS.

CVE-2024-47553 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47553. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77

The affected application does not properly neutralize special elements in user input to the ssmctl-client command. This could allow an authenticated, low-privileged local attacker to execute privileged commands in the underlying OS.

CVE-2024-47562 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47562. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
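One way to front a privileged helper so that neither the argument injection in 3.2.1 nor the command injection in 3.2.2 can occur, as an added example that is not SINEC Security Monitor code: the helper path `ssm-helper`, its `status`/`restart` actions and the identifier grammar are constructed assumptions. User input is validated against an allowlist, is never concatenated into a shell string, and reaches the helper as an argv array after a `--` end-of-options marker, so a value can only ever name the object acted on, not change what the helper does.

```python
import re
import subprocess

# Constructed assumptions: a hypothetical privileged helper and its sub-commands.
HELPER = "/usr/local/sbin/ssm-helper"
ALLOWED_ACTIONS = {"status", "restart"}
# A deliberately narrow identifier grammar. It must start with a letter or
# digit, so option-looking values such as "-f" or "--config=..." never match,
# and it has no room for shell separators or substitutions.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


class UnsafeArgument(ValueError):
    """Raised instead of letting a suspicious value reach the helper."""


def is_safe_name(name) -> bool:
    return isinstance(name, str) and NAME_RE.fullmatch(name) is not None


def build_argv(action: str, name: str) -> list:
    """Build the exact argv the helper will receive; nothing is shell-interpreted."""
    if action not in ALLOWED_ACTIONS:
        raise UnsafeArgument(f"unknown action {action!r}")
    if not is_safe_name(name):
        raise UnsafeArgument(f"rejected argument {name!r}")
    # '--' tells a getopt-style parser that what follows is positional, a second
    # line of defence should a value ever slip past the grammar.
    return [HELPER, action, "--", name]


def run_helper(action: str, name: str, runner=subprocess.run):
    """Invoke the helper with shell=False so ';', '|' and '$(...)' carry no meaning.

    `runner` is injectable so the wrapper can be exercised without the helper
    being installed.
    """
    argv = build_argv(action, name)
    return runner(argv, shell=False, capture_output=True, text=True, check=False)


def unsafe_command_line(action: str, name: str) -> str:
    """For contrast only: the string-building pattern behind CWE-77 and CWE-88.

    Handed to a shell, a `name` containing a separator, or one that starts with
    '-', alters the command instead of merely naming its target.
    """
    return f"{HELPER} {action} {name}"


if __name__ == "__main__":
    echo_argv = lambda argv, **kw: argv        # stand-in runner that returns argv
    print(run_helper("status", "sensor-01", runner=echo_argv))
    for bad in ("-f", "--config=/tmp/x", "a;b", "$(x)", "a b"):
        try:
            build_argv("status", bad)
        except UnsafeArgument as exc:
            print("blocked:", exc)
```

The allowlist of actions matters as much as the grammar: a wrapper that validates the value but lets the caller choose the sub-command freely still exposes whatever the helper can do.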

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The affected application does not properly validate a file path that is supplied to an endpoint intended to create CSR files. This could allow an unauthenticated remote attacker to create files in writable directories outside the intended location and thus compromise the integrity of files in those writable directories.

CVE-2024-47563 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47563. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).
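The containment check a file-creating endpoint such as the CSR one above needs, as an added example that is not the SINEC Security Monitor implementation; the base directory `/srv/ssm/csr` and the `.csr` suffix rule are assumptions. The user-supplied path is resolved under a fixed base directory, anything that escapes it after symlink resolution is refused, the containment test is done on path components rather than a string prefix, and the file is created exclusively so an existing file can never be overwritten.

```python
import os
from pathlib import Path

# Assumption for this example: where CSR files are meant to live.
CSR_BASE = "/srv/ssm/csr"


class PathRejected(ValueError):
    """The supplied path would land outside the intended directory."""


def confine(base_dir: str, user_path: str) -> Path:
    """Resolve `user_path` under `base_dir`, refusing any escape.

    realpath() follows symlinks, so a link inside the base that points outside
    is rejected as well; absolute input is rejected rather than re-rooted.
    Path.relative_to compares components, so '/srv/ssm/csr-old/x' does not
    count as being inside '/srv/ssm/csr' the way a startswith() check would.
    """
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        raise PathRejected(f"rejected path {user_path!r}")
    base = Path(os.path.realpath(base_dir))
    candidate = Path(os.path.realpath(base / user_path))
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathRejected(f"{user_path!r} escapes {base_dir}") from None
    if candidate == base:
        raise PathRejected("a file name is required")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    try:
        confine(base_dir, user_path)
        return True
    except PathRejected:
        return False


def write_csr(base_dir: str, user_path: str, pem: bytes) -> Path:
    """Create a new .csr file inside base_dir; never overwrite, never create dirs."""
    target = confine(base_dir, user_path)
    if target.suffix != ".csr":
        raise PathRejected("only .csr files may be created here")
    with open(target, "xb") as fh:      # 'x' = exclusive create: fails if it exists
        fh.write(pem)
    return target


if __name__ == "__main__":
    for p in ("devices/plc-01.csr", "../../etc/ssm.conf", "/etc/ssm.conf",
              "a/../../x.csr", "../csr-old/x.csr"):
        print(f"{p!r:24} confined={is_confined(CSR_BASE, p)}")
```

Exclusive creation (`"xb"`) is what turns "can create files" into "cannot clobber files": even a path that is inside the base cannot replace a CSR or configuration file that is already there.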

3.2.4 PERMISSIVE LIST OF ALLOWED INPUTS CWE-183

The affected application does not properly validate that user input complies with a list of allowed values. This could allow an authenticated remote attacker to compromise the integrity of the configuration of the affected application.

CVE-2024-47565 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47565. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SINEC Security Monitor: Update to V4.9.0 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-430425 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens Teamcenter Visualization and JT2Go


As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 


1. EXECUTIVE SUMMARY
  • CVSS v4 7.3
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: Teamcenter Visualization and JT2Go
  • Vulnerabilities: Stack-based Buffer Overflow, NULL Pointer Dereference
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to crash the application or perform arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Teamcenter Visualization and JT2Go are affected:

  • JT2Go: All versions prior to V2406.0003
  • Teamcenter Visualization V14.2: All versions prior to V14.2.0.13
  • Teamcenter Visualization V14.3: All versions prior to V14.3.0.11
  • Teamcenter Visualization V2312: All versions prior to V2312.0008
  • Teamcenter Visualization V2406: All versions prior to V2406.0003
3.2 Vulnerability Overview

3.2.1 NULL POINTER DEREFERENCE CWE-476

The affected applications contain a null pointer dereference vulnerability while parsing specially crafted XML files. An attacker could leverage this vulnerability to crash the application, causing a denial-of-service condition.

CVE-2024-37996 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-37996. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack-based overflow vulnerability while parsing specially crafted XML files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-37997 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37997. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • JT2Go: Update to V2406.0003 or later version
  • Teamcenter Visualization V14.2: Update to V14.2.0.13 or later version
  • Teamcenter Visualization V14.3: Update to V14.3.0.11 or later version
  • Teamcenter Visualization V2312: Update to V2312.0008 or later version
  • Teamcenter Visualization V2406: Update to V2406.0003 or later version

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:

  • CVE-2024-37996, CVE-2024-37997: Do not open untrusted XML files in affected applications

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-959281 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Siemens Questa and ModelSim


As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 


1. EXECUTIVE SUMMARY
  • CVSS v4 5.4
  • ATTENTION: Exploitable locally
  • Vendor: Siemens
  • Equipment: Questa and ModelSim
  • Vulnerabilities: Uncontrolled Search Path Element
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to inject arbitrary code and escalate privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Questa and ModelSim are affected:

  • ModelSim: All versions prior to V2024.3
  • Questa: All versions prior to V2024.3
3.2 Vulnerability Overview

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

vish2.exe in affected applications allows a specific DLL file to be loaded from the current working directory. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges in installations where administrators or processes with elevated privileges launch vish2.exe from a user-writable directory.

CVE-2024-47194 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47194. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

gdb.exe in affected applications allows a specific executable file to be loaded from the current working directory. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges in installations where administrators or processes with elevated privileges launch gdb.exe from a user-writable directory.

CVE-2024-47195 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47195. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

vsimk.exe in affected applications allows a specific tcl file to be loaded from the current working directory. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges in installations where administrators or processes with elevated privileges launch vsimk.exe from a user-writable directory.

CVE-2024-47196 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47196. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
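An audit of where a dependency would actually be loaded from, covering the condition all three CWE-427 entries above share, as an added example that is not Siemens tooling; the `helper.plug` file name and the temporary install/scratch layout are constructed. For a given search order it reports the first directory that holds the file and whether that directory is both trusted and not writable by others. When a user-writable working directory is searched before the install directory, a same-named file there wins, which is exactly the situation the advisory describes. The permission test uses POSIX mode bits; on Windows the equivalent question is answered by the directory ACL.

```python
import os
import shutil
import stat
import tempfile


def others_can_write(directory: str) -> bool:
    """POSIX: group- or world-writable without the sticky bit. (Windows: inspect the ACL.)"""
    mode = os.stat(directory).st_mode
    writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    return writable and not bool(mode & stat.S_ISVTX)


def first_match(search_dirs, filename: str):
    """Mimic a loader: the first directory in search order that holds the file wins."""
    for d in search_dirs:
        if os.path.isfile(os.path.join(d, filename)):
            return d
    return None


def audit_dependency(search_dirs, filename: str, trusted_dirs) -> dict:
    """Classify where `filename` would come from under this search order."""
    winner = first_match(search_dirs, filename)
    if winner is None:
        return {"file": filename, "loaded_from": None, "status": "missing"}
    trusted = os.path.realpath(winner) in {os.path.realpath(t) for t in trusted_dirs}
    if not trusted:
        status = "hijackable"              # an untrusted directory shadows the real file
    elif others_can_write(winner):
        status = "trusted-but-writable"    # right directory, wrong permissions
    else:
        status = "ok"
    return {"file": filename, "loaded_from": winner, "status": status}


def demo():
    """Constructed layout: install/ holds the real file; scratch/ (world-writable,
    standing in for a user-writable working directory) holds a same-named file."""
    root = tempfile.mkdtemp(prefix="searchpath-")
    try:
        install = os.path.join(root, "install")
        scratch = os.path.join(root, "scratch")
        os.mkdir(install)
        os.chmod(install, 0o755)
        os.mkdir(scratch)
        os.chmod(scratch, 0o777)
        for d in (install, scratch):
            with open(os.path.join(d, "helper.plug"), "w") as fh:
                fh.write("# constructed placeholder\n")
        cwd_first = audit_dependency([scratch, install], "helper.plug", [install])
        install_first = audit_dependency([install, scratch], "helper.plug", [install])
        return cwd_first["status"], install_first["status"]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())   # ('hijackable', 'ok')
```

Run against a real deployment, `search_dirs` would be the platform's actual search order for the process in question and `trusted_dirs` the product's install tree; a "hijackable" or "trusted-but-writable" result is the finding to fix before an elevated process is launched from that location.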

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

ycdxsb reported these vulnerabilities to Siemens. Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • ModelSim: Update to V2024.3 or later version
  • Questa: Update to V2024.3 or later version
  • Harden the application server to prevent local access by untrusted personnel

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-426509 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY
  • October 10, 2024: Initial Publication
CISA

Subnet Solutions Inc. PowerSYSTEM Center



1. EXECUTIVE SUMMARY
  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Subnet Solutions Inc.
  • Equipment: PowerSYSTEM Center
  • Vulnerabilities: Server-Side Request Forgery (SSRF), Inefficient Regular Expression Complexity, Cross-Site Request Forgery (CSRF)
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker bypassing a proxy, creating a denial-of-service condition, or viewing sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerSYSTEM Center are affected:

  • PowerSYSTEM Center: PSC 2020 v5.21.x and prior
3.2 Vulnerability Overview

3.2.1 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

Vulnerable versions of PowerSYSTEM Center utilize Axios NPM package 0.21.0, which contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVE-2020-28168 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
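Per-hop destination checking for an HTTP client that follows redirects, as an added example that is neither Axios code nor PowerSYSTEM Center code. The weakness described above is that the first URL is checked but the redirect target is not; here every hop is resolved and compared against a blocklist of internal address ranges before any request for it is sent. The resolver and transport are injected so the block runs offline against a constructed name table and a constructed two-hop site; the blocklist is a starting point to extend with a site's own internal prefixes.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Address ranges an outbound fetch should never reach (starting point, not a full policy).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class BlockedDestination(Exception):
    pass


def check_destination(url: str, resolve) -> None:
    """Raise unless every address the host resolves to lies outside BLOCKED_NETWORKS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"unsupported or hostless URL {url!r}")
    host = parts.hostname
    try:
        addresses = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addresses:
        raise BlockedDestination(f"{host} did not resolve")  # fail closed
    for ip in addresses:
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise BlockedDestination(f"{host} resolves to blocked address {ip}")


def is_allowed(url: str, resolve=lambda host: []) -> bool:
    try:
        check_destination(url, resolve)
        return True
    except BlockedDestination:
        return False


def fetch(url: str, transport, resolve, max_hops: int = 5) -> bytes:
    """Follow redirects manually so the check runs before each hop, not only the first."""
    for _ in range(max_hops + 1):
        check_destination(url, resolve)
        status, location, body = transport(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)     # the next hop is checked at the top of the loop
            continue
        return body
    raise BlockedDestination("too many redirects")


# Constructed name table and site used by demo(); nothing touches the network.
FAKE_DNS = {"public.example": ["203.0.113.10"], "intranet.example": ["10.0.0.5"]}
FAKE_SITE = {
    "https://public.example/report": (200, None, b"quarterly report"),
    "https://public.example/bounce": (302, "http://intranet.example/admin", None),
    "http://intranet.example/admin": (200, None, b"internal admin page"),
}


def demo() -> dict:
    resolve = lambda host: FAKE_DNS.get(host, [])
    transport = lambda u: FAKE_SITE.get(u, (404, None, b""))
    results = {}
    for path in ("report", "bounce"):
        try:
            results[path] = fetch(f"https://public.example/{path}", transport, resolve)
        except BlockedDestination as exc:
            results[path] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Letting the underlying library follow redirects on its own is what defeats the first-hop check; a client that wants the check to hold has to take over redirect handling, as `fetch` does, or disable it and re-request explicitly.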

3.2.2 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333

Vulnerable versions of PowerSYSTEM Center utilize Axios, which is vulnerable to Inefficient Regular Expression Complexity.

CVE-2021-3749 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Vulnerable versions of PowerSYSTEM Center utilize Axios 1.5.1, which can inadvertently reveal the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

CVE-2023-45857 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
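An origin check before a client attaches its anti-CSRF token header, as an added example that is not the Axios fix and not PowerSYSTEM Center code; the application origin, token name and request URLs are constructed. The weakness above is a token sent to every host; here the header is added only when the request goes to the exact origin (scheme, host and port) that issued the token, so requests to any other host, including a redirect target or a protocol downgrade of the same host, never carry it.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
TOKEN_HEADER = "X-XSRF-TOKEN"


def origin_of(url: str):
    """(scheme, host, port) with default ports filled in; None for unusable URLs."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme])


def same_origin(url_a: str, url_b: str) -> bool:
    a, b = origin_of(url_a), origin_of(url_b)
    return a is not None and a == b


class ScopedTokenClient:
    """Remembers which origin issued the anti-CSRF token and only ever sends it there."""

    def __init__(self):
        self._token = None
        self._token_origin = None

    def receive_token(self, issuing_url: str, token: str) -> None:
        # Mirrors the token cookie being set by the application's own response.
        self._token = token
        self._token_origin = origin_of(issuing_url)

    def headers_for(self, request_url: str) -> dict:
        """Outgoing headers; the token rides along only on same-origin requests."""
        headers = {"Accept": "application/json"}
        if self._token and origin_of(request_url) == self._token_origin:
            headers[TOKEN_HEADER] = self._token
        return headers


def demo() -> dict:
    client = ScopedTokenClient()
    # Constructed: the application issues the token, then the client makes three requests.
    client.receive_token("https://psc.example.internal/login", "tok-constructed-123")
    return {
        "same_origin": TOKEN_HEADER in client.headers_for("https://psc.example.internal:443/api/devices"),
        "other_host": TOKEN_HEADER in client.headers_for("https://telemetry.example.net/collect"),
        "http_downgrade": TOKEN_HEADER in client.headers_for("http://psc.example.internal/api/devices"),
    }


if __name__ == "__main__":
    print(demo())   # {'same_origin': True, 'other_host': False, 'http_downgrade': False}
```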

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Canada
3.4 RESEARCHER

Subnet Solutions Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Subnet Solutions Inc. recommends users update to PowerSYSTEM Center 2020 Update 22, which can be located in the PowerSYSTEM Center by accessing Settings > Overview > Version. Users may also contact Subnet Solutions' Customer Service.

Subnet Solutions Inc. strongly recommends users update to the latest version. If this is not possible, the following paragraphs describe the security control compensation(s), mitigation(s), or workaround(s) available for identified vulnerabilities:

  • For all vulnerabilities, users can disable usage of previous UI extensions.
  • For CVE-2020-28168 and CVE-2023-45857, users can limit outbound connection requests from the PowerSYSTEM Center security zone to external websites.
  • For CVE-2023-45857 and CVE-2021-3749, users can disable the PowerSYSTEM Center Client Access Server user's ability to access the browser's F12 Developer Tools, limiting the user's ability to see HTTP headers (and the corresponding XSRF-TOKEN) and to manipulate requests to the PowerSYSTEM Center website.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 3, 2024: Initial Publication
CISA

TEM Opera Plus FM Family Transmitter



1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
  • Vendor: TEM
  • Equipment: Opera Plus FM Family Transmitter
  • Vulnerabilities: Missing Authentication for Critical Function, Cross-Site Request Forgery (CSRF)
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of TEM Opera Plus FM Family Transmitter, an FM transmitter, are affected:

  • Opera Plus FM Family Transmitter: Version 35.45
3.2 Vulnerability Overview

3.2.1 Missing Authentication for Critical Function CWE-306

TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.

CVE-2024-41988 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41988. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Cross-Site Request Forgery (CSRF) CWE-352

The TEM Opera Plus FM Family Transmitter application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

CVE-2024-41987 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41987. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
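The validity check that 3.2.2 says the interface does not perform, as an added example that is not TEM firmware code: before any state-changing action, the server requires a per-session token it issued itself (compared in constant time against the copy the client submits) and checks that the request's `Origin`, or failing that the `Referer`, names the device's own origin. The session store, the device origin and the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the origin the device's own web UI is served from.
DEVICE_ORIGIN = "https://transmitter.example.internal"
# Actions must only be reachable through these methods; a GET must never change state.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


class CsrfGuard:
    """Issue one unguessable token per session and require it on every state change."""

    def __init__(self, own_origin: str = DEVICE_ORIGIN):
        self._own = own_origin.rstrip("/").lower()
        self._tokens = {}                       # session id -> token (constructed store)

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token                             # embedded in the page; echoed back by the client

    def _origin_matches(self, headers: dict) -> bool:
        # A browser attaches Origin to cross-site POSTs and a page cannot forge it;
        # fall back to the Referer's origin for clients that omit Origin.
        sent = headers.get("Origin")
        if sent is None and "Referer" in headers:
            p = urlsplit(headers["Referer"])
            sent = f"{p.scheme}://{p.netloc}"
        return sent is not None and sent.rstrip("/").lower() == self._own

    def is_valid(self, method: str, session_id: str, headers: dict, submitted_token) -> bool:
        """Safe methods pass; every state change needs the right origin AND the right token."""
        if method.upper() not in STATE_CHANGING:
            return True
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted_token, str):
            return False
        token_ok = hmac.compare_digest(expected.encode(), submitted_token.encode())
        return token_ok and self._origin_matches(headers)


def demo() -> dict:
    guard = CsrfGuard()
    token = guard.issue("sess-constructed")
    own = {"Origin": DEVICE_ORIGIN}
    foreign = {"Origin": "https://third-party.example"}   # a page on some other site
    return {
        "legit_post": guard.is_valid("POST", "sess-constructed", own, token),
        "cross_site_post_with_token": guard.is_valid("POST", "sess-constructed", foreign, token),
        "same_origin_no_token": guard.is_valid("POST", "sess-constructed", own, None),
        "same_origin_wrong_token": guard.is_valid("POST", "sess-constructed", own, "guess"),
        "referer_only": guard.is_valid("POST", "sess-constructed", {"Referer": DEVICE_ORIGIN + "/config"}, token),
        "plain_get": guard.is_valid("GET", "sess-constructed", {}, None),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the origin check stops a forged request even if the token leaked, and the token check stops one even if a client sends no `Origin` or `Referer` at all.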

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Communications
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Italy
3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Gjoko Krstic and reported it to TEM.

4. MITIGATIONS

TEM has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact TEM for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 03, 2024: Initial Publication
CISA