As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: COMOS
Vulnerabilities: Out-of-bounds Write, Use After Free

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens COMOS, a unified data platform, are affected:

COMOS: All versions prior to V10.5

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in Open Design Alliance Drawings SDK before 2024.12. A corrupted value of number of sectors used by the Fat structure in a crafted DGN file leads to an out-of-bounds write. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2023-5180 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 USE AFTER FREE CWE-416

Open Design Alliance Drawings SDK (versions before 2024.1) contains a use-after-free vulnerability that could be triggered while parsing specially crafted DWG file. An attacker could leverage this in conjunction with other vulnerabilities to execute arbitrary code.

CVE-2023-26495 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends users update to the latest version:

Update to V10.5 or later version

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:

CVE-2023-5180, CVE-2023-26495: Ensure all files imported into the affected product originate from a trusted source and are transmitted over secure channels

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-659443 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

August 15, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.8
ATTENTION: Exploitable from adjacent network/low attack complexity
Vendor: Siemens
Equipment: INTRALOG WMS
Vulnerabilities: Cleartext Transmission of Sensitive Information, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation could allow an unauthenticated attacker located in the INTRALOG WMS network to decrypt and modify client-server communication, or potentially execute arbitrary code on the application servers.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Siemens INTRALOG WMS, are affected:

Siemens INTRALOG WMS: Versions prior to V4

3.2 Vulnerability Overview

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

CVE-2024-0056 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-0056. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2024-30045 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-30045. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, and Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

INTRALOG WMS: Update to V4 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-417547 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

August 15, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: LOGO! V8.3 BM Devices
Vulnerability: Plaintext Storage of a Password

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with physical access to an affected device to extract user-set passwords from an embedded storage IC.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

Siemens LOGO! 12/24RCE (6ED1052-1MD08-0BA1): All versions
Siemens LOGO! 12/24RCEo (6ED1052-2MD08-0BA1): All versions
Siemens LOGO! 24CE (6ED1052-1CC08-0BA1): All versions
Siemens LOGO! 24CEo (6ED1052-2CC08-0BA1): All versions
Siemens LOGO! 24RCE (6ED1052-1HB08-0BA1): All versions
Siemens LOGO! 24RCEo (6ED1052-2HB08-0BA1): All versions
Siemens LOGO! 230RCE (6ED1052-1FB08-0BA1): All versions
Siemens LOGO! 230RCEo (6ED1052-2FB08-0BA1): All versions
Siemens SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA1): All versions
Siemens SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA1): All versions
Siemens SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA1): All versions
Siemens SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA1): All versions
Siemens SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA1): All versions
Siemens SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA1): All versions
Siemens SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA1): All versions
Siemens SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA1): All versions

3.2 Vulnerability Overview

3.2.1 PLAINTEXT STORAGE OF A PASSWORD CWE-256

Affected devices store user passwords in plaintext without proper protection. This could allow a physical attacker to retrieve them from the embedded storage ICs.

CVE-2024-39922 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-39922. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Currently no fix is planned
Ensure the physical security of the affected devices to prevent unauthorized access (also see the operational guidelines for Industrial Security, especially: “Plant security: Physical prevention of access to critical components”)

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-921449 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

August 15, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Location Intelligence
Vulnerabilities: Inadequate Encryption Strength, Improper Restriction of Excessive Authentication Attempts, Weak Password Requirements

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to read and modify data passed over the connection between legitimate clients and the affected product or brute force user passwords.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Location Intelligence, a web-based application software, are affected:

Location Intelligence: All versions prior to V4.4

3.2 Vulnerability Overview

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326

The web server of affected products is configured to support weak ciphers by default. This could allow an unauthenticated attacker in an on-path position to to read and modify any data passed over the connection between legitimate clients and the affected device.

CVE-2024-41681 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41681. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

Affected products do not properly enforce restriction of excessive authentication attempts. This could allow an unauthenticated remote attacker to conduct brute force attacks against legitimate user passwords.

CVE-2024-41682 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41682. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 WEAK PASSWORD REQUIREMENTS CWE-521

Affected products do not properly enforce a strong user password policy. This could facilitate a brute force attack against legitimate user passwords.

CVE-2024-41683 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41683. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends users update to the latest version:

Update to V4.4 or later version

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-720392 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

August 15, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AVEVA
Equipment: Historian Server
Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated user to get read and write access to the database.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA Historian Server, a Process database, are affected:

Historian Server: Version 2023 R2
Historian Server: Versions 2023 to 2023 P03
Historian Server: Versions 2020 to 2020 R2 SP1 P01

3.2 Vulnerability Overview

3.2.1 CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

AVEVA Historian Server has a vulnerability, if exploited, could allow a malicious SQL command to execute under the privileges of an interactive Historian REST Interface user who had been socially engineered by a miscreant into opening a specially crafted URL.

CVE-2024-6456 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-6456. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

Maurizio Gatti from Accenture S.p.A reported this vulnerability to AVEVA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation. Users with affected product versions should apply security updates as soon as possible.

AVEVA recommends Historian is upgraded by AVEVA System Platform media:

(Recommended) All affected versions can be fixed by upgrading to AVEVA System Platform 2023 R2 P01
(Alternative 1) Historian 2023 through 2023 P03 can be fixed by upgrading to AVEVA System Platform 2023 P04
(Alternative 2) Historian 2020 R2 through 2020 R2 SP1 P01 can be fixed by first upgrading to AVEVA System Platform 2020 R2 SP1 P01 and then applying Hotfix 3190476. Please contact AVEVA Global Customer Support for instructions on how to download and apply this security fix.

AVEVA also recommends the following general defensive measures:

Establish procedures for Historian REST Interface users to verify the source of URLs shared with them is trusted before opening.

For information on how to reach AVEVA support for your product, please refer to this link: AVEVA Customer Support. If you discover errors or omissions in this advisory, please report the finding to Support.

For the latest AVEVA security information and security updates, please visit AVEVA Security Central.

Aveva recommends users looking for general information regarding how to secure Industrial Control Systems reference the NIST Guide to Operational Technology (OT) Security, NIST SP800-82r3.

For more information, see AVEVA’s Security Bulletin AVEVA-2024-005.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 15, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEC Traffic Analyzer
Vulnerabilities: Improper Privilege Management, Improper Restriction of Excessive Authentication Attempts, Improper Access Control, Use of Cache Containing Sensitive Information, Improperly Implemented Security Check for Standard

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to alter the container’s filesystem leading to unauthorized modifications and data corruption, conduct brute force attacks against legitimate user credentials or keys, get access to sensitive information, read and modify data stored in the local cache, or make the servers more prone to clickjacking attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

Siemens SINEC Traffic Analyzer (6GK8822-1BG01-0BA0): versions prior to V2.0

3.2 Vulnerability Overview

3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269

The affected application mounts the container’s root filesystem with read and write privileges. This could allow an attacker to alter the container’s filesystem leading to unauthorized modifications and data corruption.

CVE-2024-41903 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41903. A base score of 7.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

The affected application does not properly enforce restriction of excessive authentication attempts. This could allow an unauthenticated attacker to conduct brute force attacks against legitimate user credentials or keys.

CVE-2024-41904 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41904. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 IMPROPER ACCESS CONTROL CWE-284

The affected application does not have access control for accessing the files. This could allow an authenticated attacker with low privileges to get access to sensitive information.

CVE-2024-41905 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41905. A base score of 7.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 USE OF CACHE CONTAINING SENSITIVE INFORMATION CWE-524

The affected application does not properly handle cacheable HTTP responses in the web service. This could allow an attacker to read and modify data stored in the local cache.

CVE-2024-41906 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41906. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.5 IMPROPERLY IMPLEMENTED SECURITY CHECK FOR STANDARD CWE-358

The affected application is missing general HTTP security headers in the web server. This could allow an attacker to make the servers more prone to clickjacking attacks.

CVE-2024-41907 has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41907. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released a [new version (V2.0 or later version)](https://support.industry.siemens.com/cs/ww/en/view/109972409/ for SINEC Traffic Analyzer and recommends users update to the latest version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-716317 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

August 15, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: RUGGEDCOM RM1224, SCALANCE M-800 Family
Vulnerabilities: Uncontrolled Resource Consumption, Improper Input Validation, Exposure of Data Element to Wrong Session, Insertion of Sensitive Information into Log File

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker to execute arbitrary code, escalate privilege, forge 2FA tokens of other users, or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

Siemens RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2): Versions prior to V8.1
Siemens RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2): Versions prior to V8.1
Siemens SCALANCE M804PB (6GK5804-0AP00-2AA2): Versions prior to V8.1
Siemens SCALANCE M812-1 ADSL-Router family: Versions prior to V8.1
Siemens SCALANCE M816-1 ADSL-Router family: Versions prior to V8.1
Siemens SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2): Versions prior to V8.1
Siemens SCALANCE M874-2 (6GK5874-2AA00-2AA2): Versions prior to V8.1
Siemens SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2): Versions prior to V8.1
Siemens SCALANCE M874-3 (6GK5874-3AA00-2AA2): Versions prior to V8.1
Siemens SCALANCE M876-3 (6GK5876-3AA02-2BA2): Versions prior to V8.1
Siemens SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2): Versions prior to V8.1
Siemens SCALANCE M876-4 (6GK5876-4AA10-2BA2): Versions prior to V8.1
Siemens SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2): Versions prior to V8.1
Siemens SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2): Versions prior to V8.1
Siemens SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1): Versions prior to V8.1
Siemens SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1): Versions prior to V8.1
Siemens SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1): Versions prior to V8.1
Siemens SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1): Versions prior to V8.1
Siemens SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1): Versions prior to V8.1
Siemens SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1): Versions prior to V8.1
Siemens SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1): Versions prior to V8.1
Siemens SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1): Versions prior to V8.1
Siemens SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2): Versions prior to V8.1
Siemens SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2): Versions prior to V8.1

3.2 Vulnerability Overview

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Affected devices do not properly validate the length of inputs when performing certain configuration changes in the web interface allowing an authenticated attacker to cause a denial-of-service condition. The device needs to be restarted for the web interface to become available again.

CVE-2023-44321 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2023-44321. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

Affected devices do not properly validate input in specific VPN configuration fields. This could allow an authenticated remote attacker to execute arbitrary code on the device.

CVE-2024-41976 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41976. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 EXPOSURE OF DATA ELEMENT TO WRONG SESSION CWE-488

Affected devices do not properly enforce isolation between user sessions in their web server component. This could allow an authenticated remote attacker to escalate their privileges on the devices.

CVE-2024-41977 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41977. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532

Affected devices insert sensitive information about the generation of 2FA tokens into log files. This could allow an authenticated remote attacker to forge 2FA tokens of other users.

CVE-2024-41978 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41978. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, and Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

All affected products: Update to V8.1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-087301 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

August 15, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: Micro850/870
Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability may cause CIP/Modbus communication to be disrupted for short duration.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of Micro850/870 programmable controllers are affected:

PLC – Micro850/870 (2080 -L50E/2080 -L70E): versions prior to v22.011

3.2 Vulnerability Overview

3.2.1 Uncontrolled Resource Consumption CWE-400

A denial-of-service vulnerability exists via the CIP/Modbus port in Micro850/870. If exploited, the CIP/Modbus communication may be disrupted for short duration.

CVE-2024-7567 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-7567. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends that users update to version v22.011.

Rockwell Automation encourages users of the affected software to apply security best practices, if possible.

For information on how to mitigate security risks on industrial automation control systems, we encourage users to implement Rockwell Automation suggested security best practices to minimize the risk of the vulnerability.

For more information see the Rockwell Automation Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 13, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: CompactLogix 5380, ControlLogix 5580, GuardLogix 5580, Compact GuardLogix 5380, CompactLogix 5480
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could crash the device being accessed.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

CompactLogix 5380 (5069 – L3z): Versions prior to v36.011, v35.013, v34.014
CompactLogix 5480 (5069 – L4): Versions prior to v36.011, v35.013, v34.014
ControlLogix 5580 (1756 – L8z): Versions prior to v36.011, v35.013, v34.014
GuardLogix 5580 (1756 – L8z): Versions prior to v36.011, v35.013, v34.014
Compact GuardLogix 5380 (5069 – L3zS2): Versions prior to v36.011, v35.013, v34.014

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

A denial-of-service vulnerability exists in the affected products. A malformed PTP management packet can cause a major nonrecoverable fault in the controller.

CVE-2024-7515 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7515. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends the following actions:

Update products to v36.011, v35.013, v34.014 or later.
Restrict communication to CIP object 103 (0x67)
For information on how to mitigate Security Risks on industrial automation control systems, Rockwell Automation encourages users to implement their suggested security best practices to minimize the risk of the vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 13, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AVEVA
Equipment: SuiteLink Server
Vulnerability: Allocation of Resources Without Limits or Throttling

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause the server to consume excessive system resources, preventing processing of SuiteLink messages on the targeted host.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following AVEVA products with AVEVA SuiteLink Server installed, are affected:

SuiteLink: Versions 3.7.0 and prior
Historian: Versions 2023 R2 P01 and prior
InTouch: Versions 2023 R2 P01 and prior
Application Server: Versions 2023 R2 P01 and prior
Communication Drivers Pack: Versions 2023 R2 and prior
Batch Management: Versions 2023 and prior

3.2 Vulnerability Overview

3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

If exploited, this vulnerability could cause a SuiteLink server to consume excessive system resources and slow down processing of Data I/O for the duration of the attack.

CVE-2024-7113 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7113. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

DOE CESER’s CyTRICS program at Idaho National Laboratory reported this vulnerability to AVEVA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users with the affected product versions should apply security updates as soon as possible.

All impacted products and affected versions can be fixed by installing SuiteLink v3.7.100.

AVEVA recommends the following general defensive measures:

Apply Host and/or Network firewall rules restricting the SuiteLink server to accept traffic only from trusted source(s). By default, SuiteLink listens on port 5413.

For more information, see AVEVA’s Security Bulletin AVEVA-2024-007.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 13, 2024: Initial Publication