Skip to main content
(844) 422-7000

Siemens SINEMA Remote Connect Server

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEMA Remote Connect Server
Vulnerabilities: Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated local attacker to execute arbitrary code with system privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following versions of SINEMA Remote Connect management platform are affected:

SINEMA Remote Connect Client: versions prior to V3.2 HF1

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

The system service of affected applications is vulnerable to command injection due to missing server side input sanitation when loading VPN configurations. This could allow an authenticated local attacker to execute arbitrary code with system privileges.

CVE-2024-39567 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39567. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

The system service of affected applications is vulnerable to command injection due to missing server side input sanitation when loading proxy configurations. This could allow an authenticated local attacker to execute arbitrary code with system privileges.

CVE-2024-39568 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39568. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

The system service of affected applications is vulnerable to command injection due to missing server side input sanitation when loading VPN configurations. This could allow an administrative remote attacker running a corresponding SINEMA Remote Connect Server to execute arbitrary code with system privileges on the client system.

CVE-2024-39569 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39569. A base score of 7.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released a new version for SINEMA Remote Connect Client and recommends updating to version (V3.2 HF1 or later.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-868282 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

July 11, 2024: Initial Publication

Rockwell Automation ThinManager ThinServer

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ThinManager ThinServer

Vulnerabilities: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The vulnerabilities exist in the following versions of ThinManger ThinServer:

ThinManager ThinServer: Versions 11.1.0, 11.2.0, 12.0.0, 12.1.0, 13.0.0, 13.1.0, 13.2.0 (CVE-2024-5988, CVE-2024-5989)
ThinManager ThinServer: Versions 11.1.0, 11.2.0, 12.0.0, 12.1.0, 13.0.0, 13.1.0 (CVE-2024-5990)

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the affected device.

CVE-2024-5988 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5988. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the affected device.

CVE-2024-5989 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5989. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within ThinServer and cause a denial-of-service condition on the affected device.

CVE-2024-5990 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5990. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation has corrected the reported vulnerabilities in the following versions available at the ThinManager download site:
11.1.8, 11.2.9 12.0.7, 12.1.8, 13.0.5, 13.1.3, 13.2.2

Rockwell Automation recommends users of the affected software to apply the risk mitigations from the list below. Users are also recommended to implement Rockwell Automation’s suggested security best practices to minimize the potential risk of vulnerability.

Update to the corrected software versions via the ThinManager Downloads Site
Limit remote access for TCP Port 2031 to known thin clients and ThinManager servers.
Security Best Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

July 11, 2024: Initial Publication

Siemens TIA Portal and SIMATIC STEP 7

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: TIA Portal and SIMATIC STEP 7
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a type confusion and execute arbitrary
code within the affected application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

Totally Integrated Automation Portal (TIA Portal): All versions
Totally Integrated Automation Portal (TIA Portal) V18: All versions
SIMATIC STEP 7 Safety V18: All versions

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable
input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/enus/visualstudio/code-quality/ca2300.

CVE-2023-32737 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-32737. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Totally Integrated Automation Portal (TIA Portal): Update to V18 Update 2 or later version
Totally Integrated Automation Portal (TIA Portal) V18: Update to V18 Update 2 or later version
SIMATIC STEP 7 Safety V18: Update to V18 Update 2 or later version
Avoid uploading PLC software from untrusted devices or MMC cards

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-313039 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

July 11, 2024: Initial Publication

Siemens RUGGEDCOM

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: RUGGEDCOM
Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Incorrect Privilege Assignment, Exposure of Sensitive System Information to an Unauthorized Control Sphere

2. RISK EVALUATION

Successful exploitation could allow an attacker to obtain user credentials, the MACSEC key, or create a remote shell to the affected system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

RUGGEDCOM i800: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM i800NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM i801: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM i801NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM i802: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM i802NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM i803: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM i803NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM M969: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM M969NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM M2100: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM M2100NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM M2200: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM M2200NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RMC30: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RMC30NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RMC8388 V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RMC8388 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RMC8388NC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RMC8388NC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RP110: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RP110NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS400: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS400NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS401: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS401NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS416: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS416NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS416NCv2 V4.X: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS416NCv2 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278, CVE-2024-39675)
RUGGEDCOM RS416P: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS416PNC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS416PNCv2 V4.X: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS416PNCv2 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278, CVE-2024-39675)
RUGGEDCOM RS416Pv2 V4.X: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS416Pv2 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278, CVE-2024-39675)
RUGGEDCOM RS416v2 V4.X: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS416v2 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278, CVE-2024-39675)
RUGGEDCOM RS900: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900 (32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900 (32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RS900G: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900G (32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900G (32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RS900GNC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900GNC(32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900GNC(32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RS900GP: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900GPNC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900L: All versions (CVE-2023-52237)
RUGGEDCOM RS900LNC: All versions (CVE-2023-52237)
RUGGEDCOM RS900M-GETS-C01: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900M-GETS-XX: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900M-STND-C01: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900M-STND-XX: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900MNC-GETS-C01: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900MNC-GETS-XX: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900MNC-STND-XX: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900MNC-STND-XX-C01: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900NC(32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS900NC(32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RS900W: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS910: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS910L: All versions (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS910LNC: All versions (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS910NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS910W: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS920L: All versions (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS920LNC: All versions (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS920W: All versions (CVE-2023-52237, CVE-2024-39675)
RUGGEDCOM RS930L: All versions (CVE-2023-52237)
RUGGEDCOM RS930LNC: All versions (CVE-2023-52237)
RUGGEDCOM RS930W: All versions (CVE-2023-52237)
RUGGEDCOM RS940G: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS940GNC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS969: All versions (CVE-2023-52237)
RUGGEDCOM RS969NC: All versions (CVE-2023-52237)
RUGGEDCOM RS1600: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS1600F: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS1600FNC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS1600NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS1600T: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS1600TNC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS8000: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS8000A: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS8000ANC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS8000H: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS8000HNC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS8000NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS8000T: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RS8000TNC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG907R: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG908C: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG909R: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG910C: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG920P V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG920P V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG920PNC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG920PNC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2100: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2100 (32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2100 (32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2100NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2100NC(32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2100NC(32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2100P: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2100PNC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2200: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2200NC: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2288 V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2288 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2288NC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2288NC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2300 V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2300 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2300NC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2300NC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2300P V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2300P V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2300PNC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2300PNC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2488 V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2488 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSG2488NC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
RUGGEDCOM RSG2488NC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSL910: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RSL910NC: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RST916C: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RST916P: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
RUGGEDCOM RST2228: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2023-52238, CVE-2024-38278)
RUGGEDCOM RST2228P: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2023-52238, CVE-2024-38278)

3.2 Vulnerability Overview

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

The web server of the affected devices allow a low privileged user to access hashes and password salts of all system’s users, including admin users. An attacker could use the obtained information to brute force the passwords offline.

CVE-2023-52237 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-52237. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

The web server of the affected systems leaks the MACSEC key in clear text to a logged in user. An attacker with the credentials of a low privileged user could retrieve the MACSEC key and access (decrypt) the ethernet frames sent by authorized recipients.

CVE-2023-52238 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-52238. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 INCORRECT PRIVILEGE ASSIGNMENT CWE-266

The affected products with IP forwarding enabled wrongly make available certain remote services in non-managed VLANs, even if these services are not intentionally activated. An attacker could leverage this vulnerability to create a remote shell to the affected system.

CVE-2024-38278 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38278. A base score of 7.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 EXPOSURE OF SENSITIVE SYSTEM INFORMATION TO AN UNAUTHORIZED CONTROL SPHERE CWE-497

In some configurations, the affected products wrongly enable the Modbus service in non-managed VLANS. Only serial devices are affected by this vulnerability.

CVE-2024-39675 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38278. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Stephen Craven reported these vulnerabilities to Siemens.
Thomas Riedmaier from Siemens Energy reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has prepared fixed versions and recommends countermeasures for products where fixes are not available.

(CVE-2024-39675) RUGGEDCOM RMC30, RUGGEDCOM RP110, RUGGEDCOM RS400, RUGGEDCOM RS401, RUGGEDCOM RS416, RUGGEDCOM RS416Pv2 V4.X, RUGGEDCOM RS416v2 V4.X, RUGGEDCOM RS910, RUGGEDCOM RS910W, RUGGEDCOM RMC30NC, RUGGEDCOM RP110NC, RUGGEDCOM RS400NC, RUGGEDCOM RS401NC, RUGGEDCOM RS416NC, RUGGEDCOM RS416NCv2 V4.X, RUGGEDCOM RS416P, RUGGEDCOM RS416PNC, RUGGEDCOM RS416PNCv2 V4.X, RUGGEDCOM RS910NC: Update to V4.3.10 or later version
(CVE-2024-39675) RUGGEDCOM RS416Pv2 V5.X, RUGGEDCOM RS416v2 V5.X, RUGGEDCOM RS416NCv2 V5.X, RUGGEDCOM RS416PNCv2 V5.X: Update to V5.9.0 or later version
(CVE-2023-52237) RUGGEDCOM i800, RUGGEDCOM i801, RUGGEDCOM i802, RUGGEDCOM i803, RUGGEDCOM M2100, RUGGEDCOM M2200, RUGGEDCOM M969, RUGGEDCOM RMC30, RUGGEDCOM RMC8388 V4.X, RUGGEDCOM RP110, RUGGEDCOM RS1600, RUGGEDCOM RS1600F, RUGGEDCOM RS1600T, RUGGEDCOM RS400, RUGGEDCOM RS401, RUGGEDCOM RS416, RUGGEDCOM RS416Pv2 V4.X, RUGGEDCOM RS416v2 V4.X, RUGGEDCOM RS8000, RUGGEDCOM RS8000A, RUGGEDCOM RS8000H, RUGGEDCOM RS8000T, RUGGEDCOM RS900, RUGGEDCOM RS900 (32M) V4.X, RUGGEDCOM RS900G, RUGGEDCOM RS900G (32M) V4.X, RUGGEDCOM RS900GP, RUGGEDCOM RS900W, RUGGEDCOM RS910, RUGGEDCOM RS910W, RUGGEDCOM RS940G, RUGGEDCOM RSG2100, RUGGEDCOM RSG2100 (32M) V4.X, RUGGEDCOM RSG2100P, RUGGEDCOM RSG2200, RUGGEDCOM RSG2288 V4.X, RUGGEDCOM RSG2300 V4.X, RUGGEDCOM RSG2300P V4.X, RUGGEDCOM RSG2488 V4.X, RUGGEDCOM RSG920P V4.X, RUGGEDCOM i800NC, RUGGEDCOM i801NC, RUGGEDCOM i802NC, RUGGEDCOM i803NC, RUGGEDCOM M2100NC, RUGGEDCOM M2200NC, RUGGEDCOM M969NC, RUGGEDCOM RMC30NC, RUGGEDCOM RMC8388NC V4.X, RUGGEDCOM RP110NC, RUGGEDCOM RS1600FNC, RUGGEDCOM RS1600NC, RUGGEDCOM RS1600TNC, RUGGEDCOM RS400NC, RUGGEDCOM RS401NC, RUGGEDCOM RS416NC, RUGGEDCOM RS416NCv2 V4.X, RUGGEDCOM RS416P, RUGGEDCOM RS416PNC, RUGGEDCOM RS416PNCv2 V4.X, RUGGEDCOM RS8000ANC, RUGGEDCOM RS8000HNC, RUGGEDCOM RS8000NC, RUGGEDCOM RS8000TNC, RUGGEDCOM RS900GNC, RUGGEDCOM RS900GNC(32M) V4.X, RUGGEDCOM RS900GPNC, RUGGEDCOM RS900M-GETS-C01, RUGGEDCOM RS900M-GETS-XX, RUGGEDCOM RS900M-STND-C01, RUGGEDCOM RS900M-STND-XX, RUGGEDCOM RS900MNC-GETS-C01, RUGGEDCOM RS900MNC-GETS-XX, RUGGEDCOM RS900MNC-STND-XX, RUGGEDCOM RS900MNC-STND-XX-C01, RUGGEDCOM RS900NC, RUGGEDCOM RS900NC(32M) V4.X, RUGGEDCOM RS910NC, RUGGEDCOM RS940GNC, RUGGEDCOM RSG2100NC, RUGGEDCOM RSG2100NC(32M) V4.X, RUGGEDCOM RSG2100PNC, RUGGEDCOM RSG2200NC, RUGGEDCOM RSG2288NC V4.X, RUGGEDCOM RSG2300NC V4.X, RUGGEDCOM RSG2300PNC V4.X, RUGGEDCOM RSG2488NC V4.X, RUGGEDCOM RSG920PNC V4.X: Update to V4.3.10 or later version
(CVE-2023-52237, CVE-2024-38278) RUGGEDCOM RMC8388 V5.X, RUGGEDCOM RS416Pv2 V5.X, RUGGEDCOM RS416v2 V5.X, RUGGEDCOM RS900 (32M) V5.X, RUGGEDCOM RS900G (32M) V5.X, RUGGEDCOM RSG2100 (32M) V5.X, RUGGEDCOM RSG2288 V5.X, RUGGEDCOM RSG2300 V5.X, RUGGEDCOM RSG2300P V5.X, RUGGEDCOM RSG2488 V5.X, RUGGEDCOM RSG907R, RUGGEDCOM RSG908C, RUGGEDCOM RSG909R, RUGGEDCOM RSG910C, RUGGEDCOM RSG920P V5.X, RUGGEDCOM RSL910, RUGGEDCOM RST2228, RUGGEDCOM RST2228P, RUGGEDCOM RST916C, RUGGEDCOM RST916P, RUGGEDCOM RMC8388NC V5.X, RUGGEDCOM RS416NCv2 V5.X, RUGGEDCOM RS416PNCv2 V5.X, RUGGEDCOM RS900GNC(32M) V5.X, RUGGEDCOM RS900NC(32M) V5.X, RUGGEDCOM RSG2100NC(32M) V5.X, RUGGEDCOM RSG2288NC V5.X, RUGGEDCOM RSG2300NC V5.X, RUGGEDCOM RSG2300PNC V5.X, RUGGEDCOM RSG2488NC V5.X, RUGGEDCOM RSG920PNC V5.X, RUGGEDCOM RSL910NC: Update to V5.9.0 or later version
(CVE-2023-52238) RUGGEDCOM RST2228, RUGGEDCOM RST2228P: Update to V5.9.0 or later version
(CVE-2024-39675) RUGGEDCOM RS910L, RUGGEDCOM RS910LNC, RUGGEDCOM RS920L, RUGGEDCOM RS920LNC, RUGGEDCOM RS920W: Currently no fix is planned
(CVE-2023-52237) RUGGEDCOM RS900L, RUGGEDCOM RS900LNC, RUGGEDCOM RS910L, RUGGEDCOM RS910LNC, RUGGEDCOM RS920L, RUGGEDCOM RS920LNC, RUGGEDCOM RS920W, RUGGEDCOM RS930L, RUGGEDCOM RS930LNC, RUGGEDCOM RS930W, RUGGEDCOM RS969, RUGGEDCOM RS969NC: Currently no fix is planned

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

(CVE-2023-52237, CVE-2023-52238) Disable the webserver if not required on the affected systems. Restrict the access to Port 80/tcp and 443/tcp to trusted IP address only
(CVE-2024-38278) RUGGEDCOM RMC8388 V5.X, RUGGEDCOM RMC8388NC V5.X, RUGGEDCOM RS416NCv2 V5.X, RUGGEDCOM RS416PNCv2 V5.X, RUGGEDCOM RS416Pv2 V5.X, RUGGEDCOM RS416v2 V5.X, RUGGEDCOM RS900 (32M) V5.X, RUGGEDCOM RS900G (32M) V5.X, RUGGEDCOM RS900GNC(32M) V5.X, RUGGEDCOM RS900NC(32M) V5.X, RUGGEDCOM RSG2100 (32M) V5.X, RUGGEDCOM RSG2100NC(32M) V5.X, RUGGEDCOM RSG2288 V5.X, RUGGEDCOM RSG2288NC V5.X, RUGGEDCOM RSG2300 V5.X, RUGGEDCOM RSG2300NC V5.X, RUGGEDCOM RSG2300P V5.X, RUGGEDCOM RSG2300PNC V5.X, RUGGEDCOM RSG2488 V5.X, RUGGEDCOM RSG2488NC V5.X, RUGGEDCOM RSG907R, RUGGEDCOM RSG908C, RUGGEDCOM RSG909R, RUGGEDCOM RSG910C, RUGGEDCOM RSG920P V5.X, RUGGEDCOM RSG920PNC V5.X, RUGGEDCOM RSL910, RUGGEDCOM RSL910NC, RUGGEDCOM RST2228, RUGGEDCOM RST2228P, RUGGEDCOM RST916C, RUGGEDCOM RST916P: For CVE-2024-38278: Disable the IP Forwarding if not required on the affected system. Also note, the IP forwarding is disabled by default
(CVE-2024-39675) RUGGEDCOM RMC30, RUGGEDCOM RMC30NC, RUGGEDCOM RP110, RUGGEDCOM RP110NC, RUGGEDCOM RS400, RUGGEDCOM RS400NC, RUGGEDCOM RS401, RUGGEDCOM RS401NC, RUGGEDCOM RS416, RUGGEDCOM RS416NC, RUGGEDCOM RS416NCv2 V4.X, RUGGEDCOM RS416NCv2 V5.X, RUGGEDCOM RS416P, RUGGEDCOM RS416PNC, RUGGEDCOM RS416PNCv2 V4.X, RUGGEDCOM RS416PNCv2 V5.X, RUGGEDCOM RS416Pv2 V4.X, RUGGEDCOM RS416Pv2 V5.X, RUGGEDCOM RS416v2 V4.X, RUGGEDCOM RS416v2 V5.X, RUGGEDCOM RS910, RUGGEDCOM RS910L, RUGGEDCOM RS910LNC, RUGGEDCOM RS910NC, RUGGEDCOM RS910W, RUGGEDCOM RS920L, RUGGEDCOM RS920LNC, RUGGEDCOM RS920W: Disable the Modbus Server if not required on the affected system. Restrict the access to Port 502/tcp to trusted IP address only. Also note, Modbus is disabled by default

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-170375 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

July 11, 2024: Initial Publication

Siemens SINEMA Remote Connect Server

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEMA Remote Connect Server
Vulnerabilities: Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker to execute arbitrary code with root privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens are affected:

SINEMA Remote Connect Server: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Affected applications are vulnerable to command injection due to missing server side input sanitation when loading VxLAN configurations. This could allow an authenticated attacker to execute arbitrary code with root privileges.

CVE-2024-39570 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39570. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Affected applications are vulnerable to command injection due to missing server side input sanitation when loading SNMP configurations. This could allow an attacker with the right to modify the SNMP configuration to execute arbitrary code with root privileges.

CVE-2024-39571 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39571. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends users to update to the latest version:

SINEMA Remote Connect Server: Update to V3.2 HF1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-928781 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

July 11, 2024: Initial Publication

Siemens Teamcenter Visualization and JT2Go

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Teamcenter Visualization, JT2Go
Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

Siemens JT2Go: Versions prior to v14.3.0.8
Siemens Teamcenter Visualization V14.1: Versions prior to v14.1.0.14
Siemens Teamcenter Visualization V14.2: Versions prior to v14.2.0.10
Siemens Teamcenter Visualization V14.3: Versions prior to v14.3.0.8
Siemens Teamcenter Visualization V2312: Versions prior to v2312.0002

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-7066 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

MoyunSec reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends users update the follow products to the latest versions:

Teamcenter Visualization V14.1: Update to V14.1.0.14 or later version
Teamcenter Visualization V14.2: Update to V14.2.0.10 or later version
JT2Go: Update to V14.3.0.8 or later version
Teamcenter Visualization V14.3: Update to V14.3.0.8 or later version
Teamcenter Visualization V2312: Update to V2312.0002 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

All affected products: Do not open untrusted PDF files in affected applications.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-722010 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

July 11, 2024: Initial Publication

Johnson Controls Software House C●CURE 9000

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Johnson Controls, Inc.
Equipment: Software House C●CURE 9000
Vulnerability: Use of Weak Credentials

2. RISK EVALUATION

Successful exploitations of this vulnerability could allow an attacker to gain administrative access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Johnson Controls products are affected:

Software House C●CURE 9000: Version 2.80 and prior

3.2 Vulnerability Overview

3.2.1 USE OF WEAK CREDENTIALS CWE-1391

Under certain circumstances the Software House C●CURE 9000 installer will utilize weak credentials.

CVE-2024-32759 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32759. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to Johnson Controls.

4. MITIGATIONS

Johnson Controls recommends the following:

Update Software House C●CURE 9000 to at least version 2.90
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-12 v1 at the following location: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

July 9, 2024: Initial Publication

Johnson Controls Software House C●CURE 9000

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.7
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Johnson Controls Inc.
Equipment: Software House C●CURE 9000
Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to access credentials used for access to the application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Johnson Controls products are affected:

Software House C●CURE 9000 Site Server: Version 3.00.3 and prior

3.2 Vulnerability Overview

3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276

Under certain circumstances the Software House C●CURE 9000 Site Server provides insufficient protection of directories containing executables.

CVE-2024-32861 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32861. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to Johnson Controls.

4. MITIGATIONS

Johnson Controls recommends the following:

Remove write permissions from C:CouchDBbin folder within Software House C●CURE 9000 Site Server for non-administrators.
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-11 v1 at the following location: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

July 9, 2024: Initial Publication

Delta Electronics CNCSoft-G2

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: CNCSoft-G2
Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Write, Out-of-bounds Read, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a buffer overflow condition and allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics CNCSoft-G2, a Human-Machine Interface (HMI) software, are affected:

CNCSoft-G2: Version 2.0.0.5

3.2 Vulnerability Overview

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-39880 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39880. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a memory corruption condition. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-39881 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39881. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 OUT-OF-BOUNDS READ CWE-125

Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-39882 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39882. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 HEAP-BASED BUFFER OVERFLOW CWE-122

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-39883 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39883. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Bobby Gould and Fritz Sands of Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics recommends users update to CNCSoft-G2 V2.1.0.10 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

July 09, 2024: Initial Publication

Johnson Controls Illustra Pro Gen 4

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Exploitable remotely
Vendor: Johnson Controls, Inc.
Equipment: Illustra Pro Gen 4
Vulnerability: Dependency on Vulnerable Third-Party Component

2. RISK EVALUATION

Successful exploitation of this vulnerability could impact confidentiality and integrity of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Illustra Pro Gen 4 Camera are affected:

Illustra Pro Gen 4 Camera: Version SS016.05.03.01.0010 and prior

3.2 Vulnerability Overview

3.2.1 Dependency on Vulnerable Third-Party Component CWE-1395

Under certain circumstances the camera may be susceptible to known vulnerabilities associated with JQuery versions prior to 3.5.0 third-party component

CVE-2024-32753 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-32753. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Johnson Controls, Inc. reported this vulnerability to CISA

4. MITIGATIONS

Johnson Controls recommends that users update Illustra Pro Gen 4 camera to version SS016.24.03.00.0007 . For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-05 v1

Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

July 09, 2024: Initial Publication