
Siemens Siveillance Video Camera

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).


1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Exploitable from an adjacent network
Vendor: Siemens
Equipment: Siveillance Video Camera
Vulnerability: Classic Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Siveillance Video Camera are affected:

Siveillance Video Camera: All versions prior to V13.2

3.2 Vulnerability Overview

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A possible buffer overflow in selected cameras’ drivers from XProtect Device Pack can allow an attacker with access to the internal network to execute commands on the Recording Server under strict conditions.

CVE-2024-3506 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2024-3506. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Milestone PSIRT reported this vulnerability to Siemens. Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Siveillance Video Camera: Update to V13.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-438590 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPNs are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

October 15, 2024: Initial Publication

Schneider Electric Data Center Expert


1. EXECUTIVE SUMMARY

CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Data Center Expert
Vulnerability: Improper Verification of Cryptographic Signature, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access private data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following versions of Data Center Expert, a monitoring software, are affected:

Data Center Expert: Versions 8.1.1.3 and prior

3.2 Vulnerability Overview

3.2.1 Improper Verification of Cryptographic Signature CWE-347

An improper verification of cryptographic signature vulnerability exists that could compromise the Data Center Expert software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root.

CVE-2024-8531 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-8531. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Missing Authentication for Critical Function CWE-306

A missing authentication for critical function vulnerability exists in Data Center Expert software that could cause exposure of private data when an already generated “logcaptures” archive is accessed directly by HTTPS.

CVE-2024-8530 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-8530. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Anonymous working with Trend Micro Zero Day Initiative reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Version 8.2 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric’s Customer Care Center.

Users should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends the use of back-ups and evaluating the impact of these patches in a test and development environment or on an offline infrastructure. Contact Schneider Electric’s Customer Care Center if you need assistance removing a patch.

If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:

Ensure that the principle of least privilege is being followed so that only those with need have account access and that the level of their respective account authorization aligns with their role, including privileged accounts as described in the Data Center Expert Security Handbook.
Verify SHA1 checksums of upgrade bundles prior to executing upgrades as described in the Upgrades section of the Data Center Expert Security Handbook.
Delete any existing “logcapture” archives present on the system and do not create any new “logcapture” archives. Existing archives can be deleted from the https://server_ip/capturelogs web page after authenticating.
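The checksum step above, as an added example that is not Schneider Electric's code: an upgrade is staged only after the bundle's SHA-1 matches the published value, so nothing inside an unverified bundle ever reaches the step where its scripts would run as root. The bundle layout, checksum, and function names are constructed for this illustration.

```python
import hashlib
import hmac
import io
import tarfile
from typing import Dict, List

HEX_DIGITS = set("0123456789abcdef")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def verify_bundle(bundle: bytes, published_sha1: str) -> bool:
    """True only if the bundle hashes to the published SHA-1.

    A malformed checksum counts as a failure rather than a pass, and the
    comparison is constant-time. A checksum proves the bundle is the one the
    handbook lists; it is not a signature and says nothing about who built it.
    """
    published = published_sha1.strip().lower()
    if len(published) != 40 or not set(published) <= HEX_DIGITS:
        return False
    return hmac.compare_digest(sha1_hex(bundle), published)


def stage_upgrade(bundle: bytes, published_sha1: str) -> List[str]:
    """Unpack only after verification succeeds; returns the member names.

    Ordering is the whole point: the gate runs before the archive is even
    opened, so injected scripts in a manipulated bundle are never extracted.
    """
    if not verify_bundle(bundle, published_sha1):
        raise ValueError("upgrade bundle rejected: SHA-1 does not match published value")
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def build_bundle(files: Dict[str, bytes]) -> bytes:
    """Constructed stand-in for a vendor upgrade bundle (a gzipped tar)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo() -> Dict[str, bool]:
    """Genuine bundle versus one with an extra script added (constructed data)."""
    install = b"#!/bin/sh\necho upgrading\n"
    genuine = build_bundle({"upgrade/install.sh": install})
    published = sha1_hex(genuine)  # stands in for the checksum listed in the handbook
    tampered = build_bundle({
        "upgrade/install.sh": install,
        "upgrade/extra.sh": b"#!/bin/sh\necho injected\n",
    })
    try:
        stage_upgrade(tampered, published)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {
        "genuine_accepted": stage_upgrade(genuine, published) == ["upgrade/install.sh"],
        "tampered_rejected": tampered_rejected,
        "malformed_checksum_rejected": not verify_bundle(genuine, "not-a-checksum"),
    }


if __name__ == "__main__":
    print(demo())
```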

Schneider Electric strongly recommends the following industry cybersecurity best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

For more information see the associated Schneider Electric security notification SEVD-2024-282-01 in PDF and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 15, 2024: Initial Publication

Siemens Sentron Powercenter 1000

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 


1. EXECUTIVE SUMMARY

CVSS v4 9.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Sentron Powercenter 1000
Vulnerability: Improper Check for Unusual or Exceptional Conditions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

SENTRON Powercenter 1000 (7KN1110-0MC00): All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

Prior to v7.4.0, Ember ZNet is vulnerable to a denial-of-service attack through manipulation of the NWK sequence number. For SENTRON Powercenter 1000: the product is vulnerable through the manipulation of a component sequence number; other devices/networks are not affected, only the same powercenter/network is affected.

CVE-2023-6874 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-6874. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Mitigate through physical isolation

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-340240 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Rockwell Automation Verve Asset Manager


1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: Verve Asset Manager
Vulnerability: Placement of User into Incorrect Group

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized user to access previous data they should no longer have access to.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of Verve Asset Manager are affected:

Verve Asset Manager: Versions 1.38 and prior

3.2 Vulnerability Overview

3.2.1 Placement of User into Incorrect Group CWE-842

An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. While removal of all role mappings is unlikely, it could occur in the case of unexpected or accidental removal by the administrator. If exploited, an unauthorized user could access data they previously had but should no longer have access to.

CVE-2024-9412 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9412. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Water and Wastewater Systems, Healthcare and Public Health, and Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has addressed this issue in version 1.38 and encourages users to update to the newest available version.

Rockwell Automation encourages users of the affected software to apply risk mitigations, if possible. Additionally, they encourage users to implement suggested security best practices to minimize the risk of vulnerability:

The presence of any mappings will help prevent this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users is an effective workaround.
Security Best Practices
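The failure mode described in 3.2.1 and the workaround above, as an added example that is not Rockwell Automation's code: a role-mapping resolver that fails open when the mapping table is emptied (previously mapped users keep stale access), beside a fail-closed version, and the workaround of purging previously mapped users when all mappings must go. The mapping table, users, and function names are constructed for this illustration.

```python
from typing import Dict, List, Set

# Constructed mapping table: identity-provider group -> application role.
ROLE_MAPPINGS: Dict[str, str] = {"ot-engineers": "operator", "ot-admins": "admin"}


class User:
    """A directory user as the application sees it: current IdP groups plus
    the roles cached at the user's last successful sign-in."""

    def __init__(self, name: str, idp_groups: List[str], cached_roles: Set[str]):
        self.name = name
        self.idp_groups = list(idp_groups)
        self.cached_roles = set(cached_roles)


def map_groups(user: User, mappings: Dict[str, str]) -> Set[str]:
    """Roles that the *current* mapping table grants to the user's groups."""
    return {role for group, role in mappings.items() if group in user.idp_groups}


def resolve_roles_fail_open(user: User, mappings: Dict[str, str]) -> Set[str]:
    """Vulnerable pattern: an empty mapping table is read as 'mapping not
    configured', so the resolver falls back to the roles cached from the
    user's previous sign-in. A user whose group membership was revoked
    silently gets back the access they used to have."""
    if not mappings:
        return set(user.cached_roles)
    return map_groups(user, mappings)


def resolve_roles_fail_closed(user: User, mappings: Dict[str, str]) -> Set[str]:
    """Hardened: roles come only from the live mapping table. No mappings
    means no roles, so sign-in is refused instead of inherited."""
    return map_groups(user, mappings)


def can_sign_in(roles: Set[str]) -> bool:
    return bool(roles)


def purge_previously_mapped(users: List[User]) -> List[str]:
    """The advisory's workaround for the fail-open resolver: when every
    mapping must be removed, also remove the users it had mapped (modelled
    here as clearing their cached roles). Returns the names affected."""
    purged = []
    for user in users:
        if user.cached_roles:
            user.cached_roles.clear()
            purged.append(user.name)
    return purged


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice was mapped via 'ot-engineers', was later
    removed from that group at the IdP, and still carries the cached role.
    An administrator then accidentally deletes every mapping."""
    alice = User("alice", idp_groups=["contractors"], cached_roles={"operator"})
    empty: Dict[str, str] = {}
    open_with_mappings = can_sign_in(resolve_roles_fail_open(alice, ROLE_MAPPINGS))
    open_after_removal = can_sign_in(resolve_roles_fail_open(alice, empty))
    closed_after_removal = can_sign_in(resolve_roles_fail_closed(alice, empty))
    purge_previously_mapped([alice])
    open_after_purge = can_sign_in(resolve_roles_fail_open(alice, empty))
    return {
        "open_with_mappings": open_with_mappings,      # False: her group no longer matches
        "open_after_removal": open_after_removal,      # True: stale access leaks back
        "closed_after_removal": closed_after_removal,  # False: fail-closed denies
        "open_after_purge": open_after_purge,          # False: workaround applied
    }


if __name__ == "__main__":
    print(demo())
```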

For more information about this issue, please see the advisory on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPNs are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Rockwell Automation ControlLogix


1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ControlLogix
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to send a specially crafted CIP message and cause a denial-of-service condition on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

ControlLogix 5580: Versions prior to V33.017, V34.014, V35.013, V36.011
ControlLogix 5580 Process: Versions prior to V33.017, V34.014, V35.013, V36.011
GuardLogix 5580: Versions prior to V33.017, V34.014, V35.013, V36.011
CompactLogix 5380: Versions prior to V33.017, V34.014, V35.013, V36.011
Compact GuardLogix 5380 SIL 2: Versions prior to V33.017, V34.014, V35.013, V36.011
Compact GuardLogix 5380 SIL 3: Versions prior to V33.017, V34.014, V35.013, V36.011
CompactLogix 5480: Versions prior to V33.017, V34.014, V35.013, V36.011
FactoryTalk Logix Echo: Versions prior to V33.017, V34.014, V35.013, V36.011

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

A denial-of-service vulnerability exists in the affected products that causes the device to enter a major nonrecoverable fault (MNRF) when it receives an invalid CIP request. To exploit this vulnerability, a malicious user must chain this exploit with CVE-2021-22681 and send a specially crafted CIP message to the device. If exploited, a threat actor could prevent access by the legitimate user and end connections to connected devices, including the workstation. To recover the controllers, a download is required, which ends any process that the controller is running.

CVE-2024-6207 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6207. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Trevor Flynn reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users update to V33.017, V34.014, V35.013, or V36.011.

Additionally, Rockwell Automation encourages users to apply security best practices to minimize the risk of vulnerability.

Security Best Practices

For more information about this issue, please see the advisory on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPNs are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Schneider Electric Zelio Soft 2


1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Zelio Soft 2
Vulnerabilities: Use After Free, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to achieve arbitrary code execution, cause a denial-of-service condition, or cause a loss of confidentiality and integrity.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Schneider Electric Zelio Soft 2 are affected:

Zelio Soft 2: Versions prior to 5.4.2.2

3.2 Vulnerability Overview

3.2.1 USE AFTER FREE CWE-416

A Use After Free vulnerability exists that could cause arbitrary code execution, denial-of-service and loss of confidentiality & integrity if an application user opens a malicious Zelio Soft 2 project file.

CVE-2024-8422 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

An Improper Input Validation vulnerability exists that could cause a crash of the Zelio Soft 2 application if a specially crafted project file is loaded by an application user.

CVE-2024-8518 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

rgod working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric recommends that users update to Version 5.4.2.2. It can be updated through the Schneider Electric Software Update (SESU) application and is also available for download here.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPNs are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Siemens RUGGEDCOM APE1808

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 


1. EXECUTIVE SUMMARY

CVSS v3 6.0
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: RUGGEDCOM APE1808
Vulnerability: Incorrect Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a limited denial-of-service condition, data loss, or information disclosure.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products with Nozomi Guardian / CMC before 24.3.1 are affected:

RUGGEDCOM APE1808LNX (6GK6015-0AL20-0GH0): All versions
RUGGEDCOM APE1808LNX CC (6GK6015-0AL20-0GH1): All versions

3.2 Vulnerability Overview

3.2.1 INCORRECT AUTHORIZATION CWE-863

An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited denial-of-service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. This could expand the scope of the attack.

CVE-2024-4465 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Upgrade Nozomi Guardian / CMC to V24.3.1. Contact customer support to receive patch and update information.
Restrict access to the affected components to trusted personnel.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-254396 in HTML and CSAF.

Nozomi provides a public RSS feed for their security alerts to which users can subscribe.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Siemens JT2Go

1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: JT2Go
Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens JT2Go, a 3D viewing tool, are affected:

JT2Go: All versions prior to V2406.0003

3.2 Vulnerability Overview

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

The affected application contains a stack-based buffer overflow vulnerability that could be triggered while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-41902 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41902. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Siemens. Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

JT2Go: Update to V2406.0003 or later version

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:

Do not open untrusted PDF files in affected applications
Remove the PDFJTExtractor.exe from the installation in the affected application

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-626178 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Siemens Simcenter Nastran

1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: Simcenter Nastran
Vulnerabilities: Heap-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following versions of Simcenter Nastran finite element method (FEM) solver are affected:

Simcenter Nastran 2306: All versions
Simcenter Nastran 2312: All versions
Simcenter Nastran 2406: Versions prior to V2406.5000

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

Simcenter Nastran is vulnerable to heap-based buffer overflow while parsing specially crafted BDF files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-41981 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41981. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

Simcenter Nastran is vulnerable to memory corruption while parsing specially crafted BDF files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-47046 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47046. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has released a new version for Simcenter Nastran 2406 and recommends updating to V2406.5000 or later version. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Do not open untrusted BDF files in the affected applications

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-852501 in HTML and CSAF.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Siemens SIMATIC S7-1500 and S7-1200 CPUs

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC S7-1500 and S7-1200 CPUs
Vulnerability: Open Redirect

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to make the web server of affected devices redirect a legitimate user to an attacker-chosen URL.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following SIMATIC S7-1500 and S7-1200 CPUs are affected:

SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): versions prior to V3.1.4
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): versions prior to V3.1.4
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): all versions
SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): all versions
SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): all versions
SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): all versions
SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): all versions
SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): all versions
SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): all versions
SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): all versions
SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): all versions
SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): all versions
SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): all versions
SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): all versions
SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): all versions
SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): all versions
SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): all versions
SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): all versions
SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): all versions
SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): all versions
SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): all versions
SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): all versions
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): all versions
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): all versions
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): all versions
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): all versions
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): all versions
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): all versions
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): all versions
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): all versions
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): all versions
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): all versions
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): all versions
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): all versions
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): all versions
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): all versions
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): all versions
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): all versions
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): all versions
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): all versions
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): all versions
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): all versions
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): all versions
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): all versions
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): all versions
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): all versions
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): all versions
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): all versions
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): all versions
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): all versions
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): all versions
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0): all versions
SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): all versions
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0): all versions
SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): versions prior to V3.1.4
SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): all versions
SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): all versions
SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): all versions
SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): all versions
SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): all versions
SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): all versions
SIMATIC S7-1500 Software Controller CPU 1507S F V2: all versions
SIMATIC S7-1500 Software Controller CPU 1507S F V3: all versions
SIMATIC S7-1500 Software Controller CPU 1507S V2: all versions
SIMATIC S7-1500 Software Controller CPU 1507S V3: all versions
SIMATIC S7-1500 Software Controller CPU 1508S F V2: all versions
SIMATIC S7-1500 Software Controller CPU 1508S F V3: all versions
SIMATIC S7-1500 Software Controller CPU 1508S T V3: all versions
SIMATIC S7-1500 Software Controller CPU 1508S TF V3: all versions
SIMATIC S7-1500 Software Controller CPU 1508S V2: all versions
SIMATIC S7-1500 Software Controller CPU 1508S V3: all versions
SIMATIC S7-1500 Software Controller Linux V2: all versions
SIMATIC S7-1500 Software Controller Linux V3: all versions
SIMATIC S7-PLCSIM Advanced: all versions
SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): all versions
SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): all versions
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): all versions
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): all versions
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): all versions
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): all versions
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): all versions
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): all versions
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): all versions
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): all versions
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): all versions
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): all versions
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): all versions
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): all versions
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): all versions
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): all versions
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): all versions
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): all versions
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): all versions
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): all versions
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): all versions
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): all versions
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): all versions
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): all versions
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): all versions
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): all versions
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): all versions
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): all versions
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): all versions
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): all versions
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): all versions
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): all versions
SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): all versions
SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): all versions
SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0): all versions
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): all versions
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): all versions
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): all versions
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): all versions
SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): all versions
SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): all versions
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): all versions
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): all versions
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): all versions
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): all versions
SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): versions prior to V3.1.4
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): all versions
SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): versions prior to V3.1.4

3.2 Vulnerability Overview

3.2.1 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

The web server of affected devices does not properly validate input that is used for a user redirection. This could allow an attacker to make the server redirect the legitimate user to an attacker-chosen URL. For a successful exploit, the legitimate user must actively click on an attacker-crafted link.
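The class of defect described above is an unvalidated redirect parameter. The validator below is an added example, not code from Siemens or from the affected devices, and it assumes nothing about how their web server is built; the parameter name `next`, the host name `plc.example` and the constructed test inputs are assumptions. It shows the check a server should apply before emitting a Location header: keep only targets that stay on the server itself.

```python
"""Validating a user-supplied redirect target (defence against CWE-601).

Added example for the open-redirect class described in the advisory; the
host name `plc.example` and the inputs below are constructed for
illustration and are not taken from any Siemens product.
"""
from urllib.parse import urlsplit

SAFE_DEFAULT = "/"  # where to send the user when the target is rejected


def safe_redirect_target(target: str, own_host: str = "plc.example") -> str:
    """Return `target` if it stays on this server, otherwise SAFE_DEFAULT.

    A vulnerable handler would simply return `target` unchanged; this one
    accepts only same-site absolute paths, or full URLs whose host is our own
    (which are rewritten to a relative path so no userinfo/port tricks
    survive into the Location header).
    """
    if not target:
        return SAFE_DEFAULT
    # Control characters (including CR/LF) are never legitimate in a
    # redirect target and would enable header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return SAFE_DEFAULT
    # Some browsers treat a backslash like a slash, so "/\evil" would become
    # "//evil" client-side; normalise before parsing to see what they see.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) and only our own host are acceptable.
        if parts.scheme not in ("http", "https"):
            return SAFE_DEFAULT  # javascript:, data:, etc.
        if parts.hostname != own_host:
            return SAFE_DEFAULT  # foreign host, or "ours@evil" userinfo trick
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    # Relative reference: require a single leading slash; "//host" is a
    # protocol-relative URL and "///host" is resolved as one by some clients.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return SAFE_DEFAULT
    return candidate


def check_samples() -> dict:
    """Run constructed inputs through the validator; returns {input: result}."""
    samples = [
        "/dashboard",                         # legitimate same-site path
        "https://plc.example/dash?x=1",       # our own host, absolute URL
        "//evil.example/login",               # protocol-relative, foreign
        "/\\evil.example",                    # backslash variant of the above
        "https://plc.example@evil.example/",  # userinfo disguise
        "https://plc.example.evil.example/",  # look-alike subdomain
        "javascript:alert(1)",                # non-http scheme
        "/x\r\nSet-Cookie: a=b",              # header injection attempt
        "",                                   # missing parameter
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for inp, out in check_samples().items():
        print(f"{inp!r:40} -> {out!r}")
```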

CVE-2024-46886 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-46886. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

David Henrique Estevam de Andrade reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has released new versions for several affected products and recommends users update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available:

SIMATIC Drive Controller CPU: Update to V3.1.4 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

All affected products: Do not click on links from unknown sources.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-876787 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 10, 2024: Initial Publication