News from CISA.gov

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: CPCI85 for CP-8031/CP-8050, CPCI85, SICORE
• Vulnerabilities: Unverified Password Change, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform an unauthorized password reset which could lead to privilege escalation and potential leak of information.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Siemens SICAM product versions are affected:

• CPCI85 Central Processing/Communication: All versions prior to V5.40
• SICORE Base system: All versions prior to V1.4.0

3.2 Vulnerability Overview 3.2.1 UNVERIFIED PASSWORD CHANGE CWE-620

The password of administrative accounts of the affected applications can be reset without requiring the knowledge of the current password, given the auto login is enabled. This could allow an unauthorized attacker to obtain administrative access of the affected applications.

CVE-2024-37998 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37998. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Affected devices allow a remote authenticated user or an unauthenticated user with physical access to downgrade the firmware of the device. This could allow an attacker to downgrade the device to older versions with known vulnerabilities.

CVE-2024-39601 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-39601. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Jan Kaestle from Siemens Energy reported the vulnerability CVE-2024-37998 to Siemens. Steffen Robertz, Gerhard Hechenberger, Stefan Viehböck, and Constantin Schieber-Knöbl from SEC Consult Vulnerability Lab reported the vulnerability CVE-2024-39601 to Siemens.

4. MITIGATIONS

Siemens recommends users to update to the latest version:

• CPCI85 Central Processing/Communication: Update to V5.40 or later
• SICORE Base system: Update to V1.4.0 or later

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

• CVE-2024-37998: Disable the auto login feature

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-071402 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• July 25, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
• Vendor: Positron S.R.L
• Equipment: Broadcast Signal Processor TRA7005
• Vulnerability: Authentication Bypass Using an Alternate Path or Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to bypass authentication and access unauthorized protected areas of the application.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Positron Broadcast Signal Processor are affected:

• Broadcast Signal Processor TRA7005: v1.20

3.2 Vulnerability Overview 3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

Positron Broadcast Signal Processor TRA7005 v1.20 is vulnerable to an authentication bypass exploit that could allow an attacker to have unauthorized access to protected areas of the application.

CVE-2024-7007 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-7007. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications
• COUNTRIES/AREAS DEPLOYED: Italy
• COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered a public proof of concept (PoC) as authored by Gjoko Krstic and reported it to Positron.

4. MITIGATIONS

Positron has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of TRA7005 are invited to contact Positron customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• July 25, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: National Instruments
• Equipment: LabVIEW
• Vulnerabilities: Out-of-Bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a local attacker to disclose information and execute arbitrary code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following National Instruments LabVIEW products are affected:

• LabVIEW: Versions 24.1f0 and prior

3.2 Vulnerability Overview 3.2.1 OUT-OF-BOUNDS READ CWE-125

LabVIEW is vulnerable to an out-of-bounds read, which could allow a local attacker to execute arbitrary code on affected installations of LabVIEW. User interaction is required to exploit the vulnerabilities in that the user must open a malicious VI file.

CVE-2024-4079 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-4079. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The library tdcore_24_1.dll contains a memory corruption vulnerability, which could allow a local attacker to disclose information or execute arbitrary code on affected installations of LabVIEW. User interaction is required to exploit the vulnerability in that the user must open a malicious VI file.

CVE-2024-4080 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-4080. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

LabVIEW contains a memory corruption vulnerability, which could allow a local attacker to disclose information or execute arbitrary code on affected installations of LabVIEW. User interaction is required to exploit the vulnerability in that the user must open a malicious VI file.

CVE-2024-4081 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-4081. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Defense Industrial Base, Information Technology, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

National Instruments has provided a fix for these issues and recommends users to refer to their public advisories:

• https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/out-of-bounds-read-due-to-missing-bounds-check-in-labview.html
• https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/memory-corruption-issues-due-to-improper-length-checks-in-labview.html

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• July 23, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: AFS650, AFS660, AFS665, AFS670, AFS675, AFS677, AFR677
• Vulnerabilities: Type Confusion, Use After Free, Double Free, Observable Discrepancy

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to create a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy AFS/AFR are affected:

• AFS650: Version 9.1.08 and prior
• AFS660-C: Version 7.1.05 and prior
• AFS665-B: Version 7.1.05 and prior
• AFS670-V2: Version 7.1.05 and prior
• AFS670: Version 9.1.08 and prior
• AFS675: Version 9.1.08 and prior
• AFS677: Version 9.1.08 and prior
• AFR677: Version 9.1.08 and prior

3.2 Vulnerability Overview 3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. For more details check the NVD link.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.2.2 USE AFTER FREE CWE-416

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. 

CVE-2023-0215 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 DOUBLE FREE CWE-415

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g."CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. 

CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 OBSERVABLE DISCREPANCY CWE-203

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has released the following mitigations/fixes:

• AFS650: Update to AFS 650 firmware version 9.1.10
• AFS660-C, AFS665-B, AFS670-V2: Update to AFS 66x firmware version 7.1.08
• AFS670/675/677, AFR677: Update to AFS/AFR 67x firmware version 9.1.10

In addition, recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy's Cybersecurity Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• July 23, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: National Instruments
• Equipment: IO Trace
• Vulnerability: Stack-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to execute arbitrary code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following National Instruments I/O TRACE bundled products are affected:

• I/O TRACE: All versions

3.2 Vulnerability Overview 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code. User interaction is required to exploit the vulnerability in that the user must open a malicious nitrace file.

CVE-2024-5602 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5602. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Defense Industrial Base, Information Technology, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

National Instruments has provided a fix for this issue and recommends users refer to their public advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• July 23, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.9
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Subnet Solutions Inc.
• Equipment: Subnet PowerSYSTEM Center
• Vulnerability: Prototype Pollution

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated attacker to elevate permissions.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Subnet PowerSYSTEM Center are affected:

• PowerSYSTEM Center 2020: Update 20 and prior

3.2 Vulnerability Overview 3.2.1 IMPROPERLY CONTROLLED MODIFICATION OF OBJECT PROTOTYPE ATTRIBUTES ('PROTOTYPE POLLUTION') CWE-1321

Subnet PowerSYSTEM Center products are vulnerable to a prototype pollution vulnerability, which may allow an authenticated attacker to elevate permissions.

CVE-2023-26136 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2023-26136. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Subnet Solutions Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Subnet Solutions recommends users upgrade to PowerSYSTEM Center versions 2020 Update 21 or later. To obtain this software, contact Subnet Solution's Customer Service.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• July 18, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.2
• ATTENTION: Exploitable remotely
• Vendor: Mitsubishi Electric Corporation
• Equipment: MELSOFT MaiLab
• Vulnerability: Improper Verification of Cryptographic Signature

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition in the target product.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports that the following versions of MELSOFT MaiLab, a data science tool for manufacturing improvement, are affected:

• MELSOFT MaiLab SW1DND-MAILAB-M: versions 1.00A to 1.05F
• MELSOFT MaiLab SW1DND-MAILABPR-M: versions 1.00A to 1.05F

3.2 Vulnerability Overview 3.2.1 Improper Verification of Cryptographic Signature CWE-347

A denial-of-service vulnerability exists in the OpenSSL library used in MELSOFT MaiLab due to improper verification of cryptographic signature resulting from improper implementation of the POLY1305 message authentication code (MAC).

CVE-2023-4807 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-4807. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends users install the fixed version (ver.1.06G or later) and update the software. For information about how to install the fixed version, please contact your local Mitsubishi Electric representative.

Mitsubishi Electric recommends that users take the following mitigations to minimize the risk of exploiting this vulnerability:

• When internet access is required, use a firewall or a virtual private network (VPN) to prevent unauthorized access.
• Use the products within a control system, and protect the network and devices in the control system with a firewall to block access from untrusted networks and hosts.
• Restrict physical access to the PC on which the product is installed and the network to which the PC is connected to prevent unauthorized access.
• Do not click on web links in emails or other messages from untrusted sources. Also, do not open attachments from untrusted emails.

For specific update instructions and additional details see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• July 18, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Rockwell Automation
• Equipment: Pavilion 8
• Vulnerability: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to create new users and view sensitive data.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Pavilion 8, a Model Predictive Control (MPC) solution, are affected:

• Pavilion 8: Versions 5.15.00 through 5.20.00

3.2 Vulnerability Overview 3.2.1 Incorrect Permission Assignment for Critical Resource CWE-732

A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges, or reading sensitive information in the "views" section.

CVE-2024-6435 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6435. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users update to Pavilion8 version 6.0 or greater.

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

• Limit access to only users who need it.
• Periodically review user access and privileges to confirm accuracy.
• Security Best Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• July 16, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.3
• ATTENTION: Low attack complexity
• Vendor: Siemens
• Equipment: JT Open and PLM XML SDK
• Vulnerabilities: NULL Pointer Dereference, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could could cause the application to crash or potentially lead to arbitrary code execution.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following products of Siemens are affected:

• JT Open: All versions
• PLM XML SDK: All versions

3.2 Vulnerability Overview 3.2.1 NULL POINTER DEREFERENCE CWE-476

The affected applications contain a null pointer dereference vulnerability while parsing specially crafted XML files. An attacker could leverage this vulnerability to crash the application causing denial of service condition.

CVE-2024-37996 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-37996. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack based overflow vulnerability while parsing specially crafted XML files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-37997 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37997. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends users update to the latest version:

• JT Open: Update to V11.5 or later version
• PLM XML SDK: Update to V7.1.0.014 or later version
• Do not open untrusted XML files in affected applications

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-824889 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 5.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC, SIMIT
• Vulnerability: Improperly Controlled Sequential Memory Allocation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a high load situation, memory exhaustion, and may block the server.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• SIMATIC Energy Manager Basic: Versions prior to V7.5
• SIMATIC Energy Manager PRO: Versions prior to V7.5
• SIMATIC IPC DiagBase: All versions
• SIMATIC IPC DiagMonitor: All versions
• SIMIT V10: All versions
• SIMIT V11: Versions prior to V11.1

3.2 Vulnerability Overview 3.2.1 IMPROPERLY CONTROLLED SEQUENTIAL MEMORY ALLOCATION CWE-1325

Unified Automation .NET based OPC UA Server SDK before 3.2.2 used in Siemens products are affected by a similar vulnerability as documented in CVE-2023-27321 for the OPC Foundation UA .NET Standard implementation. A successful attack may lead to high load situation and memory exhaustion, and may block the server.

CVE-2023-52891 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SIMIT V11: Update to V11.1 or later version
• SIMATIC Energy Manager Basic, SIMATIC Energy Manager PRO: Update to V7.5 or later version
• Disable the OPC UA server in the affected product, if possible and OPC UA is not used
• Restrict access to the OPC UA interface to trusted clients
• SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor: Currently no fix is available
• SIMIT V10: Currently no fix is planned

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-088132 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Rockwell Automation
• Equipment: ThinManager ThinServer

• Vulnerabilities: Improper Input Validation

  2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or cause a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The vulnerabilities exist in the following versions of ThinManger ThinServer:

• ThinManager ThinServer: Versions 11.1.0, 11.2.0, 12.0.0, 12.1.0, 13.0.0, 13.1.0, 13.2.0 (CVE-2024-5988, CVE-2024-5989)
• ThinManager ThinServer: Versions 11.1.0, 11.2.0, 12.0.0, 12.1.0, 13.0.0, 13.1.0 (CVE-2024-5990)

3.2 Vulnerability Overview 3.2.1 IMPROPER INPUT VALIDATION CWE-20

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the affected device.

CVE-2024-5988 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5988. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the affected device.

CVE-2024-5989 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5989. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within ThinServer and cause a denial-of-service condition on the affected device.

CVE-2024-5990 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5990. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation has corrected the reported vulnerabilities in the following versions available at the ThinManager download site:
11.1.8, 11.2.9 12.0.7, 12.1.8, 13.0.5, 13.1.3, 13.2.2

Rockwell Automation recommends users of the affected software to apply the risk mitigations from the list below. Users are also recommended to implement Rockwell Automation's suggested security best practices to minimize the potential risk of vulnerability.

• Update to the corrected software versions via the ThinManager Downloads Site
• Limit remote access for TCP Port 2031 to known thin clients and ThinManager servers.
• Security Best Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SINEMA Remote Connect Server
• Vulnerabilities: Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated local attacker to execute arbitrary code with system privileges.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following versions of SINEMA Remote Connect management platform are affected:

• SINEMA Remote Connect Client: versions prior to V3.2 HF1

3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77

The system service of affected applications is vulnerable to command injection due to missing server side input sanitation when loading VPN configurations. This could allow an authenticated local attacker to execute arbitrary code with system privileges.

CVE-2024-39567 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39567. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77

The system service of affected applications is vulnerable to command injection due to missing server side input sanitation when loading proxy configurations. This could allow an authenticated local attacker to execute arbitrary code with system privileges.

CVE-2024-39568 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39568. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77

The system service of affected applications is vulnerable to command injection due to missing server side input sanitation when loading VPN configurations. This could allow an administrative remote attacker running a corresponding SINEMA Remote Connect Server to execute arbitrary code with system privileges on the client system.

CVE-2024-39569 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39569. A base score of 7.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released a new version for SINEMA Remote Connect Client and recommends updating to version (V3.2 HF1 or later.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-868282 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.0
• ATTENTION: Low attack complexity
• Vendor: Siemens
• Equipment: TIA Portal and SIMATIC STEP 7
• Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a type confusion and execute arbitrary
code within the affected application.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• Totally Integrated Automation Portal (TIA Portal): All versions
• Totally Integrated Automation Portal (TIA Portal) V18: All versions
• SIMATIC STEP 7 Safety V18: All versions

3.2 Vulnerability Overview 3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable
input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/enus/visualstudio/code-quality/ca2300.

CVE-2023-32737 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-32737. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Totally Integrated Automation Portal (TIA Portal): Update to V18 Update 2 or later version
• Totally Integrated Automation Portal (TIA Portal) V18: Update to V18 Update 2 or later version
• SIMATIC STEP 7 Safety V18: Update to V18 Update 2 or later version
• Avoid uploading PLC software from untrusted devices or MMC cards

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-313039 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SINEMA Remote Connect Server
• Vulnerabilities: Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker to execute arbitrary code with root privileges.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following products of Siemens are affected:

• SINEMA Remote Connect Server: All versions

3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77

Affected applications are vulnerable to command injection due to missing server side input sanitation when loading VxLAN configurations. This could allow an authenticated attacker to execute arbitrary code with root privileges.

CVE-2024-39570 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39570. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77

Affected applications are vulnerable to command injection due to missing server side input sanitation when loading SNMP configurations. This could allow an attacker with the right to modify the SNMP configuration to execute arbitrary code with root privileges.

CVE-2024-39571 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39571. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends users to update to the latest version:

• SINEMA Remote Connect Server: Update to V3.2 HF1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-928781 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.1
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: SCALANCE, RUGGEDCOM, SIPLUS, and SINEC
• Vulnerability: Improper Enforcement of Message Integrity During Transmission in a Communication Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow on-path attackers to gain access to the network with the attackers desired authorization without needing legitimate credentials.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• RUGGEDCOM CROSSBOW: All versions
• RUGGEDCOM i800: All versions
• RUGGEDCOM i800NC: All versions
• RUGGEDCOM i801: All versions
• RUGGEDCOM i801NC: All versions
• RUGGEDCOM i802: All versions
• RUGGEDCOM i802NC: All versions
• RUGGEDCOM i803: All versions
• RUGGEDCOM i803NC: All versions
• RUGGEDCOM M969: All versions
• RUGGEDCOM M969NC: All versions
• RUGGEDCOM M2100: All versions
• RUGGEDCOM M2100NC: All versions
• RUGGEDCOM M2200: All versions
• RUGGEDCOM M2200NC: All versions
• RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2): All versions
• RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2): All versions
• RUGGEDCOM RMC30: All versions
• RUGGEDCOM RMC30NC: All versions
• RUGGEDCOM RMC8388 V4.X: All versions
• RUGGEDCOM RMC8388 V5.X: All versions
• RUGGEDCOM RMC8388NC V4.X: All versions
• RUGGEDCOM RMC8388NC V5.X: All versions
• RUGGEDCOM ROX MX5000: All versions
• RUGGEDCOM ROX MX5000RE: All versions
• RUGGEDCOM ROX RX1400: All versions
• RUGGEDCOM ROX RX1500: All versions
• RUGGEDCOM ROX RX1501: All versions
• RUGGEDCOM ROX RX1510: All versions
• RUGGEDCOM ROX RX1511: All versions
• RUGGEDCOM ROX RX1512: All versions
• RUGGEDCOM ROX RX1524: All versions
• RUGGEDCOM ROX RX1536: All versions
• RUGGEDCOM ROX RX5000: All versions
• RUGGEDCOM RP110: All versions*
• RUGGEDCOM RP110NC: All versions
• RUGGEDCOM RS400: All versions
• RUGGEDCOM RS400NC: All versions
• RUGGEDCOM RS401: All versions
• RUGGEDCOM RS401NC: All versions
• RUGGEDCOM RS416: All versions
• RUGGEDCOM RS416NC: All versions
• RUGGEDCOM RS416NCv2 V4.X: All versions
• RUGGEDCOM RS416NCv2 V5.X: All versions
• RUGGEDCOM RS416P: All versions
• RUGGEDCOM RS416PNC: All versions
• RUGGEDCOM RS416PNCv2 V4.X: All versions
• RUGGEDCOM RS416PNCv2 V5.X: All versions
• RUGGEDCOM RS416Pv2 V4.X: All versions
• RUGGEDCOM RS416Pv2 V5.X: All versions
• RUGGEDCOM RS416v2 V4.X: All versions
• RUGGEDCOM RS416v2 V5.X: All versions
• RUGGEDCOM RS900: All versions
• RUGGEDCOM RS900 (32M) V4.X: All versions
• RUGGEDCOM RS900 (32M) V5.X: All versions
• RUGGEDCOM RS900G: All versions
• RUGGEDCOM RS900G (32M) V4.X: All versions
• RUGGEDCOM RS900G (32M) V5.X: All versions
• RUGGEDCOM RS900GNC: All versions
• RUGGEDCOM RS900GNC(32M) V4.X: All versions
• RUGGEDCOM RS900GNC(32M) V5.X: All versions
• RUGGEDCOM RS900GP: All versions
• RUGGEDCOM RS900GPNC: All versions
• RUGGEDCOM RS900M-GETS-C01: All versions
• RUGGEDCOM RS900M-GETS-XX: All versions
• RUGGEDCOM RS900M-STND-C01: All versions
• RUGGEDCOM RS900M-STND-XX: All versions
• RUGGEDCOM RS900MNC-GETS-C01: All versions
• RUGGEDCOM RS900MNC-GETS-XX: All versions
• RUGGEDCOM RS900MNC-STND-XX: All versions
• RUGGEDCOM RS900MNC-STND-XX-C01: All versions
• RUGGEDCOM RS900NC: All versions
• RUGGEDCOM RS900NC(32M) V4.X: All versions
• RUGGEDCOM RS900NC(32M) V5.X: All versions
• RUGGEDCOM RS900W: All versions
• RUGGEDCOM RS910: All versions
• RUGGEDCOM RS910NC: All versions
• RUGGEDCOM RS910W: All versions
• RUGGEDCOM RS940G: All versions
• RUGGEDCOM RS940GNC: All versions
• RUGGEDCOM RS1600: All versions
• RUGGEDCOM RS1600F: All versions
• RUGGEDCOM RS1600FNC: All versions
• RUGGEDCOM RS1600NC: All versions
• RUGGEDCOM RS1600T: All versions
• RUGGEDCOM RS1600TNC: All versions
• RUGGEDCOM RS8000: All versions
• RUGGEDCOM RS8000A: All versions
• RUGGEDCOM RS8000ANC: All versions
• RUGGEDCOM RS8000H: All versions
• RUGGEDCOM RS8000HNC: All versions
• RUGGEDCOM RS8000NC: All versions
• RUGGEDCOM RS8000T: All versions
• RUGGEDCOM RS8000TNC: All versions
• RUGGEDCOM RSG907R: All versions
• RUGGEDCOM RSG908C: All versions
• RUGGEDCOM RSG909R: All versions
• RUGGEDCOM RSG910C: All versions
• RUGGEDCOM RSG920P V4.X: All versions
• RUGGEDCOM RSG920P V5.X: All versions
• RUGGEDCOM RSG920PNC V4.X: All versions
• RUGGEDCOM RSG920PNC V5.X: All versions
• RUGGEDCOM RSG2100: All versions
• RUGGEDCOM RSG2100 (32M) V4.X: All versions
• RUGGEDCOM RSG2100 (32M) V5.X: All versions
• RUGGEDCOM RSG2100NC: All versions
• RUGGEDCOM RSG2100NC(32M) V4.X: All versions
• RUGGEDCOM RSG2100NC(32M) V5.X: All versions
• RUGGEDCOM RSG2100P: All versions
• RUGGEDCOM RSG2100PNC: All versions
• RUGGEDCOM RSG2200: All versions
• RUGGEDCOM RSG2200NC: All versions
• RUGGEDCOM RSG2288 V4.X: All versions
• RUGGEDCOM RSG2288 V5.X: All versions
• RUGGEDCOM RSG2288NC V4.X: All versions
• RUGGEDCOM RSG2288NC V5.X: All versions
• RUGGEDCOM RSG2300 V4.X: All versions
• RUGGEDCOM RSG2300 V5.X: All versions
• RUGGEDCOM RSG2300NC V4.X: All versions
• RUGGEDCOM RSG2300NC V5.X: All versions
• RUGGEDCOM RSG2300P V4.X: All versions
• RUGGEDCOM RSG2300P V5.X: All versions
• RUGGEDCOM RSG2300PNC V4.X: All versions
• RUGGEDCOM RSG2300PNC V5.X: All versions
• RUGGEDCOM RSG2488 V4.X: All versions
• RUGGEDCOM RSG2488 V5.X: All versions
• RUGGEDCOM RSG2488NC V4.X: All versions
• RUGGEDCOM RSG2488NC V5.X: All versions
• RUGGEDCOM RSL910: All versions
• RUGGEDCOM RSL910NC: All versions
• RUGGEDCOM RST916C: All versions
• RUGGEDCOM RST916P: All versions
• RUGGEDCOM RST2228: All versions
• RUGGEDCOM RST2228P: All versions
• SCALANCE M804PB (6GK5804-0AP00-2AA2): All versions
• SCALANCE M812-1 ADSL-Router (6GK5812-1AA00-2AA2): All versions
• SCALANCE M812-1 ADSL-Router (6GK5812-1BA00-2AA2): All versions
• SCALANCE M816-1 ADSL-Router (6GK5816-1AA00-2AA2): All versions
• SCALANCE M816-1 ADSL-Router (6GK5816-1BA00-2AA2): All versions
• SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2): All versions
• SCALANCE M874-2 (6GK5874-2AA00-2AA2): All versions
• SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2): All versions
• SCALANCE M874-3 (6GK5874-3AA00-2AA2): All versions
• SCALANCE M876-3 (6GK5876-3AA02-2BA2): All versions
• SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2): All versions
• SCALANCE M876-4 (6GK5876-4AA10-2BA2): All versions
• SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2): All versions
• SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2): All versions
• SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1): All versions
• SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1): All versions
• SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1): All versions
• SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1): All versions
• SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1): All versions
• SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1): All versions
• SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1): All versions
• SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1): All versions
• SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2): All versions
• SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2): All versions
• SCALANCE SC622-2C (6GK5622-2GS00-2AC2): All versions
• SCALANCE SC626-2C (6GK5626-2GS00-2AC2): All versions
• SCALANCE SC632-2C (6GK5632-2GS00-2AC2): All versions
• SCALANCE SC636-2C (6GK5636-2GS00-2AC2): All versions
• SCALANCE SC642-2C (6GK5642-2GS00-2AC2): All versions
• SCALANCE SC646-2C (6GK5646-2GS00-2AC2): All versions
• SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AA0): All versions
• SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AB0): All versions
• SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AA0): All versions
• SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AB0): All versions
• SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AC0): All versions
• SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA0): All versions
• SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA6): All versions
• SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AB0): All versions
• SCALANCE W734-1 RJ45 (USA) (6GK5734-1FX00-0AB6): All versions
• SCALANCE W738-1 M12 (6GK5738-1GY00-0AA0): All versions
• SCALANCE W738-1 M12 (6GK5738-1GY00-0AB0): All versions
• SCALANCE W748-1 M12 (6GK5748-1GD00-0AA0): All versions
• SCALANCE W748-1 M12 (6GK5748-1GD00-0AB0): All versions
• SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AA0): All versions
• SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AB0): All versions
• SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AA0): All versions
• SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AB0): All versions
• SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TA0): All versions
• SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TB0): All versions
• SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA0): All versions
• SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA6): All versions
• SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AB0): All versions
• SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AC0): All versions
• SCALANCE W774-1 RJ45 (USA) (6GK5774-1FX00-0AB6): All versions
• SCALANCE W778-1 M12 (6GK5778-1GY00-0AA0): All versions
• SCALANCE W778-1 M12 (6GK5778-1GY00-0AB0): All versions
• SCALANCE W778-1 M12 EEC (6GK5778-1GY00-0TA0): All versions
• SCALANCE W778-1 M12 EEC (USA) (6GK5778-1GY00-0TB0): All versions
• SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AA0): All versions
• SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AB0): All versions
• SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AA0): All versions
• SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AB0): All versions
• SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AC0): All versions
• SCALANCE W786-2 SFP (6GK5786-2FE00-0AA0): All versions
• SCALANCE W786-2 SFP (6GK5786-2FE00-0AB0): All versions
• SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AA0): All versions
• SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AB0): All versions
• SCALANCE W788-1 M12 (6GK5788-1GD00-0AA0): All versions
• SCALANCE W788-1 M12 (6GK5788-1GD00-0AB0): All versions
• SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AA0): All versions
• SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AB0): All versions
• SCALANCE W788-2 M12 (6GK5788-2GD00-0AA0): All versions
• SCALANCE W788-2 M12 (6GK5788-2GD00-0AB0): All versions
• SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TA0): All versions
• SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TB0): All versions
• SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TC0): All versions
• SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AA0): All versions
• SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AB0): All versions
• SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AC0): All versions
• SCALANCE W1748-1 M12 (6GK5748-1GY01-0AA0): All versions
• SCALANCE W1748-1 M12 (6GK5748-1GY01-0TA0): All versions
• SCALANCE W1788-1 M12 (6GK5788-1GY01-0AA0): All versions
• SCALANCE W1788-2 EEC M12 (6GK5788-2GY01-0TA0): All versions
• SCALANCE W1788-2 M12 (6GK5788-2GY01-0AA0): All versions
• SCALANCE W1788-2IA M12 (6GK5788-2HY01-0AA0): All versions
• SCALANCE WAM763-1 (6GK5763-1AL00-7DA0): All versions
• SCALANCE WAM763-1 (ME) (6GK5763-1AL00-7DC0): All versions
• SCALANCE WAM763-1 (US) (6GK5763-1AL00-7DB0): All versions
• SCALANCE WAM766-1 (EU) (6GK5766-1GE00-7DA0): All versions
• SCALANCE WAM766-1 (ME) (6GK5766-1GE00-7DC0): All versions
• SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0): All versions
• SCALANCE WAM766-1 EEC (EU) (6GK5766-1GE00-7TA0): All versions
• SCALANCE WAM766-1 EEC (ME) (6GK5766-1GE00-7TC0): All versions
• SCALANCE WAM766-1 EEC (US) (6GK5766-1GE00-7TB0): All versions
• SCALANCE WUM763-1 (6GK5763-1AL00-3AA0): All versions
• SCALANCE WUM763-1 (6GK5763-1AL00-3DA0): All versions
• SCALANCE WUM763-1 (US) (6GK5763-1AL00-3AB0): All versions
• SCALANCE WUM763-1 (US) (6GK5763-1AL00-3DB0): All versions
• SCALANCE WUM766-1 (EU) (6GK5766-1GE00-3DA0): All versions
• SCALANCE WUM766-1 (ME) (6GK5766-1GE00-3DC0): All versions
• SCALANCE WUM766-1 (US) (6GK5766-1GE00-3DB0): All versions
• SCALANCE X302-7 EEC (2x 24V) (6GK5302-7GD00-2EA3): Versions prior to V4.1.8
• SCALANCE X302-7 EEC (2x 24V, coated) (6GK5302-7GD00-2GA3): Versions prior to V4.1.8
• SCALANCE X302-7 EEC (2x 230V) (6GK5302-7GD00-4EA3): Versions prior to V4.1.8
• SCALANCE X302-7 EEC (2x 230V, coated) (6GK5302-7GD00-4GA3): Versions prior to V4.1.8
• SCALANCE X302-7 EEC (24V) (6GK5302-7GD00-1EA3): Versions prior to V4.1.8
• SCALANCE X302-7 EEC (24V, coated) (6GK5302-7GD00-1GA3): Versions prior to V4.1.8
• SCALANCE X302-7 EEC (230V) (6GK5302-7GD00-3EA3): Versions prior to V4.1.8
• SCALANCE X302-7 EEC (230V, coated) (6GK5302-7GD00-3GA3): Versions prior to V4.1.8
• SCALANCE X304-2FE (6GK5304-2BD00-2AA3): Versions prior to V4.1.8
• SCALANCE X306-1LD FE (6GK5306-1BF00-2AA3): Versions prior to V4.1.8
• SCALANCE X307-2 EEC (2x 24V) (6GK5307-2FD00-2EA3): Versions prior to V4.1.8
• SCALANCE X307-2 EEC (2x 24V, coated) (6GK5307-2FD00-2GA3): Versions prior to V4.1.8
• SCALANCE X307-2 EEC (2x 230V) (6GK5307-2FD00-4EA3): Versions prior to V4.1.8
• SCALANCE X307-2 EEC (2x 230V, coated) (6GK5307-2FD00-4GA3): Versions prior to V4.1.8
• SCALANCE X307-2 EEC (24V) (6GK5307-2FD00-1EA3): Versions prior to V4.1.8
• SCALANCE X307-2 EEC (24V, coated) (6GK5307-2FD00-1GA3): Versions prior to V4.1.8
• SCALANCE X307-2 EEC (230V) (6GK5307-2FD00-3EA3): Versions prior to V4.1.8
• SCALANCE X307-2 EEC (230V, coated) (6GK5307-2FD00-3GA3): Versions prior to V4.1.8
• SCALANCE X307-3 (6GK5307-3BL00-2AA3): Versions prior to V4.1.8
• SCALANCE X307-3 (6GK5307-3BL10-2AA3): Versions prior to V4.1.8
• SCALANCE X307-3LD (6GK5307-3BM00-2AA3): Versions prior to V4.1.8
• SCALANCE X307-3LD (6GK5307-3BM10-2AA3): Versions prior to V4.1.8
• SCALANCE X308-2 (6GK5308-2FL00-2AA3): Versions prior to V4.1.8
• SCALANCE X308-2 (6GK5308-2FL10-2AA3): Versions prior to V4.1.8
• SCALANCE X308-2LD (6GK5308-2FM00-2AA3): Versions prior to V4.1.8
• SCALANCE X308-2LD (6GK5308-2FM10-2AA3): Versions prior to V4.1.8
• SCALANCE X308-2LH (6GK5308-2FN00-2AA3): Versions prior to V4.1.8
• SCALANCE X308-2LH (6GK5308-2FN10-2AA3): Versions prior to V4.1.8
• SCALANCE X308-2LH+ (6GK5308-2FP00-2AA3): Versions prior to V4.1.8
• SCALANCE X308-2LH+ (6GK5308-2FP10-2AA3): Versions prior to V4.1.8
• SCALANCE X308-2M (6GK5308-2GG00-2AA2): Versions prior to V4.1.8
• SCALANCE X308-2M (6GK5308-2GG10-2AA2): Versions prior to V4.1.8
• SCALANCE X308-2M PoE (6GK5308-2QG00-2AA2): Versions prior to V4.1.8
• SCALANCE X308-2M PoE (6GK5308-2QG10-2AA2): Versions prior to V4.1.8
• SCALANCE X308-2M TS (6GK5308-2GG00-2CA2): Versions prior to V4.1.8
• SCALANCE X308-2M TS (6GK5308-2GG10-2CA2): Versions prior to V4.1.8
• SCALANCE X310 (6GK5310-0FA00-2AA3): Versions prior to V4.1.8
• SCALANCE X310 (6GK5310-0FA10-2AA3): Versions prior to V4.1.8
• SCALANCE X310FE (6GK5310-0BA00-2AA3): Versions prior to V4.1.8
• SCALANCE X310FE (6GK5310-0BA10-2AA3): Versions prior to V4.1.8
• SCALANCE X320-1 FE (6GK5320-1BD00-2AA3): Versions prior to V4.1.8
• SCALANCE X320-1-2LD FE (6GK5320-3BF00-2AA3): Versions prior to V4.1.8
• SCALANCE X408-2 (6GK5408-2FD00-2AA2): Versions prior to V4.1.8
• SCALANCE XB205-3 (SC, PN) (6GK5205-3BB00-2AB2): All versions
• SCALANCE XB205-3 (ST, E/IP) (6GK5205-3BB00-2TB2): All versions
• SCALANCE XB205-3 (ST, E/IP) (6GK5205-3BD00-2TB2): All versions
• SCALANCE XB205-3 (ST, PN) (6GK5205-3BD00-2AB2): All versions
• SCALANCE XB205-3LD (SC, E/IP) (6GK5205-3BF00-2TB2): All versions
• SCALANCE XB205-3LD (SC, PN) (6GK5205-3BF00-2AB2): All versions
• SCALANCE XB208 (E/IP) (6GK5208-0BA00-2TB2): All versions
• SCALANCE XB208 (PN) (6GK5208-0BA00-2AB2): All versions
• SCALANCE XB213-3 (SC, E/IP) (6GK5213-3BD00-2TB2): All versions
• SCALANCE XB213-3 (SC, PN) (6GK5213-3BD00-2AB2): All versions
• SCALANCE XB213-3 (ST, E/IP) (6GK5213-3BB00-2TB2): All versions
• SCALANCE XB213-3 (ST, PN) (6GK5213-3BB00-2AB2): All versions
• SCALANCE XB213-3LD (SC, E/IP) (6GK5213-3BF00-2TB2): All versions
• SCALANCE XB213-3LD (SC, PN) (6GK5213-3BF00-2AB2): All versions
• SCALANCE XB216 (E/IP) (6GK5216-0BA00-2TB2): All versions
• SCALANCE XB216 (PN) (6GK5216-0BA00-2AB2): All versions
• SCALANCE XC206-2 (SC) (6GK5206-2BD00-2AC2): All versions
• SCALANCE XC206-2 (ST/BFOC) (6GK5206-2BB00-2AC2): All versions
• SCALANCE XC206-2G PoE (6GK5206-2RS00-2AC2): All versions
• SCALANCE XC206-2G PoE (54 V DC) (6GK5206-2RS00-5AC2): All versions
• SCALANCE XC206-2G PoE EEC (54 V DC) (6GK5206-2RS00-5FC2): All versions
• SCALANCE XC206-2SFP (6GK5206-2BS00-2AC2): All versions
• SCALANCE XC206-2SFP EEC (6GK5206-2BS00-2FC2): All versions
• SCALANCE XC206-2SFP G (6GK5206-2GS00-2AC2): All versions
• SCALANCE XC206-2SFP G (EIP DEF.) (6GK5206-2GS00-2TC2): All versions
• SCALANCE XC206-2SFP G EEC (6GK5206-2GS00-2FC2): All versions
• SCALANCE XC208 (6GK5208-0BA00-2AC2): All versions
• SCALANCE XC208EEC (6GK5208-0BA00-2FC2): All versions
• SCALANCE XC208G (6GK5208-0GA00-2AC2): All versions
• SCALANCE XC208G (EIP def.) (6GK5208-0GA00-2TC2): All versions
• SCALANCE XC208G EEC (6GK5208-0GA00-2FC2): All versions
• SCALANCE XC208G PoE (6GK5208-0RA00-2AC2): All versions
• SCALANCE XC208G PoE (54 V DC) (6GK5208-0RA00-5AC2): All versions
• SCALANCE XC216 (6GK5216-0BA00-2AC2): All versions
• SCALANCE XC216-3G PoE (6GK5216-3RS00-2AC2): All versions
• SCALANCE XC216-3G PoE (54 V DC) (6GK5216-3RS00-5AC2): All versions
• SCALANCE XC216-4C (6GK5216-4BS00-2AC2): All versions
• SCALANCE XC216-4C G (6GK5216-4GS00-2AC2): All versions
• SCALANCE XC216-4C G (EIP Def.) (6GK5216-4GS00-2TC2): All versions
• SCALANCE XC216-4C G EEC (6GK5216-4GS00-2FC2): All versions
• SCALANCE XC216EEC (6GK5216-0BA00-2FC2): All versions
• SCALANCE XC224 (6GK5224-0BA00-2AC2): All versions
• SCALANCE XC224-4C G (6GK5224-4GS00-2AC2): All versions
• SCALANCE XC224-4C G (EIP Def.) (6GK5224-4GS00-2TC2): All versions
• SCALANCE XC224-4C G EEC (6GK5224-4GS00-2FC2): All versions
• SCALANCE XCH328 (6GK5328-4TS01-2EC2): All versions
• SCALANCE XCM324 (6GK5324-8TS01-2AC2): All versions
• SCALANCE XCM328 (6GK5328-4TS01-2AC2): All versions
• SCALANCE XCM332 (6GK5332-0GA01-2AC2): All versions
• SCALANCE XF204 (6GK5204-0BA00-2GF2): All versions
• SCALANCE XF204 DNA (6GK5204-0BA00-2YF2): All versions
• SCALANCE XF204-2BA (6GK5204-2AA00-2GF2): All versions
• SCALANCE XF204-2BA DNA (6GK5204-2AA00-2YF2): All versions
• SCALANCE XM408-4C (6GK5408-4GP00-2AM2): All versions
• SCALANCE XM408-4C (L3 int.) (6GK5408-4GQ00-2AM2): All versions
• SCALANCE XM408-8C (6GK5408-8GS00-2AM2): All versions
• SCALANCE XM408-8C (L3 int.) (6GK5408-8GR00-2AM2): All versions
• SCALANCE XM416-4C (6GK5416-4GS00-2AM2): All versions
• SCALANCE XM416-4C (L3 int.) (6GK5416-4GR00-2AM2): All versions
• SCALANCE XP208 (6GK5208-0HA00-2AS6): All versions
• SCALANCE XP208 (Ethernet/IP) (6GK5208-0HA00-2TS6): All versions
• SCALANCE XP208EEC (6GK5208-0HA00-2ES6): All versions
• SCALANCE XP208PoE EEC (6GK5208-0UA00-5ES6): All versions
• SCALANCE XP216 (6GK5216-0HA00-2AS6): All versions
• SCALANCE XP216 (Ethernet/IP) (6GK5216-0HA00-2TS6): All versions
• SCALANCE XP216EEC (6GK5216-0HA00-2ES6): All versions
• SCALANCE XP216POE EEC (6GK5216-0UA00-5ES6): All versions
• SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG00-2ER2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG10-2ER2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG00-2JR2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG10-2JR2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-4ER2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-4ER2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-4JR2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-4JR2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG00-1ER2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG10-1ER2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG00-1JR2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG10-1JR2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-3ER2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-3ER2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-3JR2): Versions prior to V4.1.8
• SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-3JR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG00-1AR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG10-1AR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG00-1HR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG10-1HR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG00-3AR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG10-3AR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG00-3HR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG10-3HR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG00-1CR2): Versions prior to V4.1.8
• SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG10-1CR2): Versions prior to V4.1.8
• SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG00-1AR2): Versions prior to V4.1.8
• SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG10-1AR2): Versions prior to V4.1.8
• SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG00-1HR2): Versions prior to V4.1.8
• SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG10-1HR2): Versions prior to V4.1.8
• SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG00-3AR2): Versions prior to V4.1.8
• SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG10-3AR2): Versions prior to V4.1.8
• SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG00-3HR2): Versions prior to V4.1.8
• SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG10-3HR2): Versions prior to V4.1.8
• SCALANCE XR324-12M TS (24V) (6GK5324-0GG00-1CR2): Versions prior to V4.1.8
• SCALANCE XR324-12M TS (24V) (6GK5324-0GG10-1CR2): Versions prior to V4.1.8
• SCALANCE XR324WG (24 x FE, AC 230V) (6GK5324-0BA00-3AR3): All versions
• SCALANCE XR324WG (24 X FE, DC 24V) (6GK5324-0BA00-2AR3): All versions
• SCALANCE XR326-2C PoE WG (6GK5326-2QS00-3AR3): All versions
• SCALANCE XR326-2C PoE WG (without UL) (6GK5326-2QS00-3RR3): All versions
• SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (6GK5328-4FS00-3AR3): All versions
• SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (6GK5328-4FS00-3RR3): All versions
• SCALANCE XR328-4C WG (24XFE, 4XGE, 24V) (6GK5328-4FS00-2AR3): All versions
• SCALANCE XR328-4C WG (24xFE, 4xGE,DC24V) (6GK5328-4FS00-2RR3): All versions
• SCALANCE XR328-4C WG (28xGE, AC 230V) (6GK5328-4SS00-3AR3): All versions
• SCALANCE XR328-4C WG (28xGE, DC 24V) (6GK5328-4SS00-2AR3): All versions
• SCALANCE XR524-8C, 1x230V (6GK5524-8GS00-3AR2): All versions
• SCALANCE XR524-8C, 1x230V (L3 int.) (6GK5524-8GR00-3AR2): All versions
• SCALANCE XR524-8C, 2x230V (6GK5524-8GS00-4AR2): All versions
• SCALANCE XR524-8C, 2x230V (L3 int.) (6GK5524-8GR00-4AR2): All versions
• SCALANCE XR524-8C, 24V (6GK5524-8GS00-2AR2): All versions
• SCALANCE XR524-8C, 24V (L3 int.) (6GK5524-8GR00-2AR2): All versions
• SCALANCE XR526-8C, 1x230V (6GK5526-8GS00-3AR2): All versions
• SCALANCE XR526-8C, 1x230V (L3 int.) (6GK5526-8GR00-3AR2): All versions
• SCALANCE XR526-8C, 2x230V (6GK5526-8GS00-4AR2): All versions
• SCALANCE XR526-8C, 2x230V (L3 int.) (6GK5526-8GR00-4AR2): All versions
• SCALANCE XR526-8C, 24V (6GK5526-8GS00-2AR2): All versions
• SCALANCE XR526-8C, 24V (L3 int.) (6GK5526-8GR00-2AR2): All versions
• SCALANCE XR528-6M (2HR2) (6GK5528-0AA00-2HR2): All versions
• SCALANCE XR528-6M (2HR2, L3 int.) (6GK5528-0AR00-2HR2): All versions
• SCALANCE XR528-6M (6GK5528-0AA00-2AR2): All versions
• SCALANCE XR528-6M (L3 int.) (6GK5528-0AR00-2AR2): All versions
• SCALANCE XR552-12M (2HR2) (6GK5552-0AA00-2HR2): All versions
• SCALANCE XR552-12M (2HR2) (6GK5552-0AR00-2HR2): All versions
• SCALANCE XR552-12M (2HR2, L3 int.) (6GK5552-0AR00-2AR2): All versions
• SCALANCE XR552-12M (6GK5552-0AA00-2AR2): All versions
• SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3): All versions
• SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3): All versions
• SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3): All versions
• SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3): All versions
• SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3): All versions
• SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3): All versions
• SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3): All versions
• SINEC INS: All versions when RADIUS Server feature is enabled
• SIPLUS NET SCALANCE X308-2 (6AG1308-2FL10-4AA3): Versions prior to V4.1.8
• SIPLUS NET SCALANCE XC206-2 (6AG1206-2BB00-7AC2): All versions
• SIPLUS NET SCALANCE XC206-2SFP (6AG1206-2BS00-7AC2): All versions
• SIPLUS NET SCALANCE XC208 (6AG1208-0BA00-7AC2): All versions
• SIPLUS NET SCALANCE XC216-4C (6AG1216-4BS00-7AC2): All versions

3.2 Vulnerability Overview 3.2.1 IMPROPER ENFORCEMENT OF MESSAGE INTEGRITY DURING TRANSMISSION IN A COMMUNICATION CHANNEL CWE-924

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify responses Access-Reject or Access-Accept using a chosen-prefix collision attack against MD5 Response Authenticator signature.

CVE-2024-3596 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3596. A base score of 9.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
• Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
• SCALANCE X302-7 EEC (230V, coated) (6GK5302-7GD00-3GA3), SCALANCE X302-7 EEC (230V) (6GK5302-7GD00-3EA3), SCALANCE X302-7 EEC (24V, coated) (6GK5302-7GD00-1GA3), SCALANCE X302-7 EEC (24V) (6GK5302-7GD00-1EA3), SCALANCE X302-7 EEC (2x 230V, coated) (6GK5302-7GD00-4GA3), SCALANCE X302-7 EEC (2x 230V) (6GK5302-7GD00-4EA3), SCALANCE X302-7 EEC (2x 24V, coated) (6GK5302-7GD00-2GA3), SCALANCE X302-7 EEC (2x 24V) (6GK5302-7GD00-2EA3), SCALANCE X304-2FE (6GK5304-2BD00-2AA3), SCALANCE X306-1LD FE (6GK5306-1BF00-2AA3), SCALANCE X307-2 EEC (230V, coated) (6GK5307-2FD00-3GA3), SCALANCE X307-2 EEC (230V) (6GK5307-2FD00-3EA3), SCALANCE X307-2 EEC (24V, coated) (6GK5307-2FD00-1GA3), SCALANCE X307-2 EEC (24V) (6GK5307-2FD00-1EA3), SCALANCE X307-2 EEC (2x 230V, coated) (6GK5307-2FD00-4GA3), SCALANCE X307-2 EEC (2x 230V) (6GK5307-2FD00-4EA3), SCALANCE X307-2 EEC (2x 24V, coated) (6GK5307-2FD00-2GA3), SCALANCE X307-2 EEC (2x 24V) (6GK5307-2FD00-2EA3), SCALANCE X307-3 (6GK5307-3BL00-2AA3), SCALANCE X307-3 (6GK5307-3BL10-2AA3), SCALANCE X307-3LD (6GK5307-3BM00-2AA3), SCALANCE X307-3LD (6GK5307-3BM10-2AA3), SCALANCE X308-2 (6GK5308-2FL00-2AA3), SCALANCE X308-2 (6GK5308-2FL10-2AA3), SCALANCE X308-2LD (6GK5308-2FM00-2AA3), SCALANCE X308-2LD (6GK5308-2FM10-2AA3), SCALANCE X308-2LH (6GK5308-2FN00-2AA3), SCALANCE X308-2LH (6GK5308-2FN10-2AA3), SCALANCE X308-2LH+ (6GK5308-2FP00-2AA3), SCALANCE X308-2LH+ (6GK5308-2FP10-2AA3), SCALANCE X308-2M (6GK5308-2GG00-2AA2), SCALANCE X308-2M (6GK5308-2GG10-2AA2), SCALANCE X308-2M PoE (6GK5308-2QG00-2AA2), SCALANCE X308-2M PoE (6GK5308-2QG10-2AA2), SCALANCE X308-2M TS (6GK5308-2GG00-2CA2), SCALANCE X308-2M TS (6GK5308-2GG10-2CA2), SCALANCE X310 (6GK5310-0FA00-2AA3), SCALANCE X310 (6GK5310-0FA10-2AA3), SCALANCE X310FE (6GK5310-0BA00-2AA3), SCALANCE X310FE (6GK5310-0BA10-2AA3), SCALANCE X320-1 FE (6GK5320-1BD00-2AA3), SCALANCE X320-1-2LD FE (6GK5320-3BF00-2AA3), SCALANCE X408-2 (6GK5408-2FD00-2AA2), SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG00-3AR2), SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG10-3AR2), SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG00-3HR2), SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG10-3HR2), SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG00-1AR2), SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG10-1AR2), SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG00-1HR2), SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG10-1HR2), SCALANCE XR324-12M TS (24V) (6GK5324-0GG00-1CR2), SCALANCE XR324-12M TS (24V) (6GK5324-0GG10-1CR2), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-3ER2), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-3ER2), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-3JR2), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-3JR2), SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG00-1ER2), SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG10-1ER2), SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG00-1JR2), SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG10-1JR2), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-4ER2), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-4ER2), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-4JR2), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-4JR2), SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG00-2ER2), SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG10-2ER2), SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG00-2JR2), SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG10-2JR2), SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG00-3AR2), SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG10-3AR2), SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG00-3HR2), SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG10-3HR2), SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG00-1AR2), SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG10-1AR2), SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG00-1HR2), SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG10-1HR2), SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG00-1CR2), SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG10-1CR2), SIPLUS NET SCALANCE X308-2 (6AG1308-2FL10-4AA3): Update to V4.1.8 or later version
• SINEC INS: Currently no fix is planned

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-723487 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: RUGGEDCOM APE 1808
• Vulnerabilities: Stack-based Buffer Overflow, Use of Password Hash With Insufficient Computational Effort, Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized code or commands via specially crafted CLI commands and access to decrypting the CLI backup file.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• Siemens RUGGEDCOM APE1808: All versions with Fortinet NGFW

3.2 Vulnerability Overview 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

A stack-based buffer overflow in Fortinet FortiOS version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.7 and 7.0.0 through 7.0.12 and 6.4.6 through 6.4.15 and 6.2.9 through 6.2.16 and 6.0.13 through 6.0.18 allows attacker to execute unauthorized code or commands via specially crafted CLI commands.

CVE-2023-46720 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT CWE-916

A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypting the backup file.

CVE-2024-21754 has been assigned to this vulnerability. A CVSS v3 base score of 1.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N).

3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypting the backup file.

CVE-2024-23111 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.2.4 STACK-BASED BUFFER OVERFLOW CWE-121

A stack-based buffer overflow in Fortinet FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiWeb, FortiAuthenticator, FortiSwitchManager version 7.2.0 through 7.2.3, 7.0.1 through 7.0.3, FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, 6.0.0 through 6.0.18, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specially crafted packets.

CVE-2024-26010 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing, Energy, and Transportation
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• RUGGEDCOM APE1808: Contact customer support to receive patch and update information.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-698820 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.3
• ATTENTION: Low Attack Complexity
• Vendor: Siemens
• Equipment: Simcenter Femap
• Vulnerabilities: Out-of-bounds Read, Out-of-bounds Write, Type Confusion, Improper Restriction of Operations within the Bounds of a Memory Buffer, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

• Simcenter Femap: Versions prior to V2406

3.2 Vulnerability Overview 3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32055 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32055. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted IGS part file. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32056 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32056. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

The affected application contains a type confusion vulnerability while parsing IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32057 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32057. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The affected application is vulnerable to memory corruption while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32058 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32058. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32059 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32059. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32060 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32060. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.7 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32061 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32061. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.8 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

The affected application contains a type confusion vulnerability while parsing IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32062 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32062. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

The affected application contains a type confusion vulnerability while parsing IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32063 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32063. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.10 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32064 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32064. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.11 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32065 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32065. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.12 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-32066 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32066. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.13 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack overflow vulnerability while parsing specially strings as argument for one of the application binaries. This could allow an attacker to execute code in the context of the current process.

CVE-2024-33577 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-33577. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.14 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted BMP files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-33653 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-33653. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.15 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted BMP files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-33654 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-33654. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to Siemens.
Trend Micro Zero Day Initiative reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has released a new version for Simcenter Femap and recommends users update to the latest version.

• Update to V2406 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Do not open untrusted IGS, BDF or BMP files using Simcenter Femap

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-064222 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 9.6
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Remote Connect Server
• Vulnerabilities: Incorrect User Management, Unrestricted Upload of File with Dangerous Type, Forced Browsing, Improper Check for Unusual or Exceptional Conditions, Client-Side Enforcement of Server-Side Security, Incorrect Authorization, Creation of Temporary File With Insecure Permissions, Improper Restriction of Excessive Authentication Attempts, Incorrect Permission Assignment for Critical Resource, Allocation of Resources Without Limits or Throttling

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of service condition, learn vulnerable credentials, escalate privileges, modify users outside of scope, gain access to participant groups, use temporary credentials for authentication bypass, or execute arbitrary code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• Siemens SINEMA Remote Connect Server: All versions prior to V3.2 SP1

3.2 Vulnerability Overview 3.2.1 INCORRECT USER MANAGEMENT CWE-286

The affected application creates temporary user credentials for UMC (User Management Component) users. An attacker could use these temporary credentials for authentication bypass in certain scenarios.

CVE-2022-32260 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.2.2 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker with access to the backup encryption key to upload malicious files, that could potentially lead to remote code execution.

CVE-2024-39865 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 PRIVILEGE DEFINED WITH UNSAFE ACTIONS CWE-267

The affected application allows users to upload encrypted backup files. This could allow an attacker with access to the backup encryption key and with the right to upload backup files to create a user with administrative privileges.

CVE-2024-39866 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 DIRECT REQUEST ('FORCED BROWSING') CWE-425

Affected devices do not properly validate the authentication when performing certain actions in the web interface allowing an unauthenticated attacker to access and edit device configuration information of devices for which they have no privileges.

CVE-2024-39867 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).

3.2.5 DIRECT REQUEST ('FORCED BROWSING') CWE-425

Affected devices do not properly validate the authentication when performing certain actions in the web interface allowing an unauthenticated attacker to access and edit VxLAN configuration information of networks for which they have no privileges.

CVE-2024-39868 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).

3.2.6 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

Affected products allow to upload certificates. An authenticated attacker could upload a crafted certificates leading to a permanent denial-of-service situation. In order to recover from such an attack, the offending certificate needs to be removed manually.

CVE-2024-39869 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.7 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602

The affected applications can be configured to allow users to manage own users. A local authenticated user with this privilege could use this modify users outside of their own scope as well as to escalate privileges.

CVE-2024-39870 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

3.2.8 INCORRECT AUTHORIZATION CWE-863

Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacked does not belong to.

CVE-2024-39871 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

3.2.9 CREATION OF TEMPORARY FILE WITH INSECURE PERMISSIONS CWE-378

The affected application does not properly assign rights to temporary files created during its update process. This could allow an authenticated attacker with the 'Manage firmware updates' role to escalate their privileges on the underlying OS level.

CVE-2024-39872 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

3.2.10 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

The affected application does not properly implement brute force protection against user credentials in its web API. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks.

CVE-2024-39873 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.11 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

The affected application does not properly implement brute force protection against user credentials in its Client Communication component. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks.

CVE-2024-39874 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.12 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected application allows authenticated, low privilege users with the 'Manage own remote connections' permission to retrieve details about other users and group memberships.

CVE-2024-39875 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

3.2.13 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

Affected applications do not properly handle log rotation. This could allow an unauthenticated remote attacker to cause a denial of service condition through resource exhaustion on the device.

CVE-2024-39876 has been assigned to this vulnerability. A CVSS v3 base score of 4.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Nuclear Reactors, Materials, and Waste
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SINEMA Remote Connect Server: Update to V3.2 SP1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-381581 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: RUGGEDCOM
• Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Incorrect Privilege Assignment, Exposure of Sensitive System Information to an Unauthorized Control Sphere

2. RISK EVALUATION

Successful exploitation could allow an attacker to obtain user credentials, the MACSEC key, or create a remote shell to the affected system.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• RUGGEDCOM i800: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM i800NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM i801: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM i801NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM i802: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM i802NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM i803: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM i803NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM M969: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM M969NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM M2100: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM M2100NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM M2200: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM M2200NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RMC30: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RMC30NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RMC8388 V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RMC8388 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RMC8388NC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RMC8388NC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RP110: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RP110NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS400: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS400NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS401: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS401NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS416: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS416NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS416NCv2 V4.X: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS416NCv2 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278, CVE-2024-39675)
• RUGGEDCOM RS416P: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS416PNC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS416PNCv2 V4.X: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS416PNCv2 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278, CVE-2024-39675)
• RUGGEDCOM RS416Pv2 V4.X: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS416Pv2 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278, CVE-2024-39675)
• RUGGEDCOM RS416v2 V4.X: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS416v2 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278, CVE-2024-39675)
• RUGGEDCOM RS900: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900 (32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900 (32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RS900G: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900G (32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900G (32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RS900GNC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900GNC(32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900GNC(32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RS900GP: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900GPNC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900L: All versions (CVE-2023-52237)
• RUGGEDCOM RS900LNC: All versions (CVE-2023-52237)
• RUGGEDCOM RS900M-GETS-C01: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900M-GETS-XX: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900M-STND-C01: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900M-STND-XX: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900MNC-GETS-C01: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900MNC-GETS-XX: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900MNC-STND-XX: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900MNC-STND-XX-C01: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900NC(32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS900NC(32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RS900W: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS910: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS910L: All versions (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS910LNC: All versions (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS910NC: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS910W: Versions prior to V4.3.10 (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS920L: All versions (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS920LNC: All versions (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS920W: All versions (CVE-2023-52237, CVE-2024-39675)
• RUGGEDCOM RS930L: All versions (CVE-2023-52237)
• RUGGEDCOM RS930LNC: All versions (CVE-2023-52237)
• RUGGEDCOM RS930W: All versions (CVE-2023-52237)
• RUGGEDCOM RS940G: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS940GNC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS969: All versions (CVE-2023-52237)
• RUGGEDCOM RS969NC: All versions (CVE-2023-52237)
• RUGGEDCOM RS1600: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS1600F: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS1600FNC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS1600NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS1600T: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS1600TNC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS8000: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS8000A: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS8000ANC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS8000H: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS8000HNC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS8000NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS8000T: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RS8000TNC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG907R: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG908C: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG909R: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG910C: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG920P V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG920P V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG920PNC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG920PNC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2100: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2100 (32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2100 (32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2100NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2100NC(32M) V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2100NC(32M) V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2100P: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2100PNC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2200: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2200NC: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2288 V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2288 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2288NC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2288NC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2300 V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2300 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2300NC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2300NC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2300P V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2300P V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2300PNC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2300PNC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2488 V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2488 V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSG2488NC V4.X: Versions prior to V4.3.10 (CVE-2023-52237)
• RUGGEDCOM RSG2488NC V5.X: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSL910: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RSL910NC: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RST916C: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RST916P: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2024-38278)
• RUGGEDCOM RST2228: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2023-52238, CVE-2024-38278)
• RUGGEDCOM RST2228P: Versions prior to V5.9.0 (CVE-2023-52237, CVE-2023-52238, CVE-2024-38278)

3.2 Vulnerability Overview 3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

The web server of the affected devices allow a low privileged user to access hashes and password salts of all system's users, including admin users. An attacker could use the obtained information to brute force the passwords offline.

CVE-2023-52237 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-52237. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

The web server of the affected systems leaks the MACSEC key in clear text to a logged in user. An attacker with the credentials of a low privileged user could retrieve the MACSEC key and access (decrypt) the ethernet frames sent by authorized recipients.

CVE-2023-52238 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-52238. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 INCORRECT PRIVILEGE ASSIGNMENT CWE-266

The affected products with IP forwarding enabled wrongly make available certain remote services in non-managed VLANs, even if these services are not intentionally activated. An attacker could leverage this vulnerability to create a remote shell to the affected system.

CVE-2024-38278 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38278. A base score of 7.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 EXPOSURE OF SENSITIVE SYSTEM INFORMATION TO AN UNAUTHORIZED CONTROL SPHERE CWE-497

In some configurations, the affected products wrongly enable the Modbus service in non-managed VLANS. Only serial devices are affected by this vulnerability.

CVE-2024-39675 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38278. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy, Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Stephen Craven reported these vulnerabilities to Siemens.
Thomas Riedmaier from Siemens Energy reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has prepared fixed versions and recommends countermeasures for products where fixes are not available.

• (CVE-2024-39675) RUGGEDCOM RMC30, RUGGEDCOM RP110, RUGGEDCOM RS400, RUGGEDCOM RS401, RUGGEDCOM RS416, RUGGEDCOM RS416Pv2 V4.X, RUGGEDCOM RS416v2 V4.X, RUGGEDCOM RS910, RUGGEDCOM RS910W, RUGGEDCOM RMC30NC, RUGGEDCOM RP110NC, RUGGEDCOM RS400NC, RUGGEDCOM RS401NC, RUGGEDCOM RS416NC, RUGGEDCOM RS416NCv2 V4.X, RUGGEDCOM RS416P, RUGGEDCOM RS416PNC, RUGGEDCOM RS416PNCv2 V4.X, RUGGEDCOM RS910NC: Update to V4.3.10 or later version
• (CVE-2024-39675) RUGGEDCOM RS416Pv2 V5.X, RUGGEDCOM RS416v2 V5.X, RUGGEDCOM RS416NCv2 V5.X, RUGGEDCOM RS416PNCv2 V5.X: Update to V5.9.0 or later version
• (CVE-2023-52237) RUGGEDCOM i800, RUGGEDCOM i801, RUGGEDCOM i802, RUGGEDCOM i803, RUGGEDCOM M2100, RUGGEDCOM M2200, RUGGEDCOM M969, RUGGEDCOM RMC30, RUGGEDCOM RMC8388 V4.X, RUGGEDCOM RP110, RUGGEDCOM RS1600, RUGGEDCOM RS1600F, RUGGEDCOM RS1600T, RUGGEDCOM RS400, RUGGEDCOM RS401, RUGGEDCOM RS416, RUGGEDCOM RS416Pv2 V4.X, RUGGEDCOM RS416v2 V4.X, RUGGEDCOM RS8000, RUGGEDCOM RS8000A, RUGGEDCOM RS8000H, RUGGEDCOM RS8000T, RUGGEDCOM RS900, RUGGEDCOM RS900 (32M) V4.X, RUGGEDCOM RS900G, RUGGEDCOM RS900G (32M) V4.X, RUGGEDCOM RS900GP, RUGGEDCOM RS900W, RUGGEDCOM RS910, RUGGEDCOM RS910W, RUGGEDCOM RS940G, RUGGEDCOM RSG2100, RUGGEDCOM RSG2100 (32M) V4.X, RUGGEDCOM RSG2100P, RUGGEDCOM RSG2200, RUGGEDCOM RSG2288 V4.X, RUGGEDCOM RSG2300 V4.X, RUGGEDCOM RSG2300P V4.X, RUGGEDCOM RSG2488 V4.X, RUGGEDCOM RSG920P V4.X, RUGGEDCOM i800NC, RUGGEDCOM i801NC, RUGGEDCOM i802NC, RUGGEDCOM i803NC, RUGGEDCOM M2100NC, RUGGEDCOM M2200NC, RUGGEDCOM M969NC, RUGGEDCOM RMC30NC, RUGGEDCOM RMC8388NC V4.X, RUGGEDCOM RP110NC, RUGGEDCOM RS1600FNC, RUGGEDCOM RS1600NC, RUGGEDCOM RS1600TNC, RUGGEDCOM RS400NC, RUGGEDCOM RS401NC, RUGGEDCOM RS416NC, RUGGEDCOM RS416NCv2 V4.X, RUGGEDCOM RS416P, RUGGEDCOM RS416PNC, RUGGEDCOM RS416PNCv2 V4.X, RUGGEDCOM RS8000ANC, RUGGEDCOM RS8000HNC, RUGGEDCOM RS8000NC, RUGGEDCOM RS8000TNC, RUGGEDCOM RS900GNC, RUGGEDCOM RS900GNC(32M) V4.X, RUGGEDCOM RS900GPNC, RUGGEDCOM RS900M-GETS-C01, RUGGEDCOM RS900M-GETS-XX, RUGGEDCOM RS900M-STND-C01, RUGGEDCOM RS900M-STND-XX, RUGGEDCOM RS900MNC-GETS-C01, RUGGEDCOM RS900MNC-GETS-XX, RUGGEDCOM RS900MNC-STND-XX, RUGGEDCOM RS900MNC-STND-XX-C01, RUGGEDCOM RS900NC, RUGGEDCOM RS900NC(32M) V4.X, RUGGEDCOM RS910NC, RUGGEDCOM RS940GNC, RUGGEDCOM RSG2100NC, RUGGEDCOM RSG2100NC(32M) V4.X, RUGGEDCOM RSG2100PNC, RUGGEDCOM RSG2200NC, RUGGEDCOM RSG2288NC V4.X, RUGGEDCOM RSG2300NC V4.X, RUGGEDCOM RSG2300PNC V4.X, RUGGEDCOM RSG2488NC V4.X, RUGGEDCOM RSG920PNC V4.X: Update to V4.3.10 or later version
• (CVE-2023-52237, CVE-2024-38278) RUGGEDCOM RMC8388 V5.X, RUGGEDCOM RS416Pv2 V5.X, RUGGEDCOM RS416v2 V5.X, RUGGEDCOM RS900 (32M) V5.X, RUGGEDCOM RS900G (32M) V5.X, RUGGEDCOM RSG2100 (32M) V5.X, RUGGEDCOM RSG2288 V5.X, RUGGEDCOM RSG2300 V5.X, RUGGEDCOM RSG2300P V5.X, RUGGEDCOM RSG2488 V5.X, RUGGEDCOM RSG907R, RUGGEDCOM RSG908C, RUGGEDCOM RSG909R, RUGGEDCOM RSG910C, RUGGEDCOM RSG920P V5.X, RUGGEDCOM RSL910, RUGGEDCOM RST2228, RUGGEDCOM RST2228P, RUGGEDCOM RST916C, RUGGEDCOM RST916P, RUGGEDCOM RMC8388NC V5.X, RUGGEDCOM RS416NCv2 V5.X, RUGGEDCOM RS416PNCv2 V5.X, RUGGEDCOM RS900GNC(32M) V5.X, RUGGEDCOM RS900NC(32M) V5.X, RUGGEDCOM RSG2100NC(32M) V5.X, RUGGEDCOM RSG2288NC V5.X, RUGGEDCOM RSG2300NC V5.X, RUGGEDCOM RSG2300PNC V5.X, RUGGEDCOM RSG2488NC V5.X, RUGGEDCOM RSG920PNC V5.X, RUGGEDCOM RSL910NC: Update to V5.9.0 or later version
• (CVE-2023-52238) RUGGEDCOM RST2228, RUGGEDCOM RST2228P: Update to V5.9.0 or later version
• (CVE-2024-39675) RUGGEDCOM RS910L, RUGGEDCOM RS910LNC, RUGGEDCOM RS920L, RUGGEDCOM RS920LNC, RUGGEDCOM RS920W: Currently no fix is planned
• (CVE-2023-52237) RUGGEDCOM RS900L, RUGGEDCOM RS900LNC, RUGGEDCOM RS910L, RUGGEDCOM RS910LNC, RUGGEDCOM RS920L, RUGGEDCOM RS920LNC, RUGGEDCOM RS920W, RUGGEDCOM RS930L, RUGGEDCOM RS930LNC, RUGGEDCOM RS930W, RUGGEDCOM RS969, RUGGEDCOM RS969NC: Currently no fix is planned

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• (CVE-2023-52237, CVE-2023-52238) Disable the webserver if not required on the affected systems. Restrict the access to Port 80/tcp and 443/tcp to trusted IP address only
• (CVE-2024-38278) RUGGEDCOM RMC8388 V5.X, RUGGEDCOM RMC8388NC V5.X, RUGGEDCOM RS416NCv2 V5.X, RUGGEDCOM RS416PNCv2 V5.X, RUGGEDCOM RS416Pv2 V5.X, RUGGEDCOM RS416v2 V5.X, RUGGEDCOM RS900 (32M) V5.X, RUGGEDCOM RS900G (32M) V5.X, RUGGEDCOM RS900GNC(32M) V5.X, RUGGEDCOM RS900NC(32M) V5.X, RUGGEDCOM RSG2100 (32M) V5.X, RUGGEDCOM RSG2100NC(32M) V5.X, RUGGEDCOM RSG2288 V5.X, RUGGEDCOM RSG2288NC V5.X, RUGGEDCOM RSG2300 V5.X, RUGGEDCOM RSG2300NC V5.X, RUGGEDCOM RSG2300P V5.X, RUGGEDCOM RSG2300PNC V5.X, RUGGEDCOM RSG2488 V5.X, RUGGEDCOM RSG2488NC V5.X, RUGGEDCOM RSG907R, RUGGEDCOM RSG908C, RUGGEDCOM RSG909R, RUGGEDCOM RSG910C, RUGGEDCOM RSG920P V5.X, RUGGEDCOM RSG920PNC V5.X, RUGGEDCOM RSL910, RUGGEDCOM RSL910NC, RUGGEDCOM RST2228, RUGGEDCOM RST2228P, RUGGEDCOM RST916C, RUGGEDCOM RST916P: For CVE-2024-38278: Disable the IP Forwarding if not required on the affected system. Also note, the IP forwarding is disabled by default
• (CVE-2024-39675) RUGGEDCOM RMC30, RUGGEDCOM RMC30NC, RUGGEDCOM RP110, RUGGEDCOM RP110NC, RUGGEDCOM RS400, RUGGEDCOM RS400NC, RUGGEDCOM RS401, RUGGEDCOM RS401NC, RUGGEDCOM RS416, RUGGEDCOM RS416NC, RUGGEDCOM RS416NCv2 V4.X, RUGGEDCOM RS416NCv2 V5.X, RUGGEDCOM RS416P, RUGGEDCOM RS416PNC, RUGGEDCOM RS416PNCv2 V4.X, RUGGEDCOM RS416PNCv2 V5.X, RUGGEDCOM RS416Pv2 V4.X, RUGGEDCOM RS416Pv2 V5.X, RUGGEDCOM RS416v2 V4.X, RUGGEDCOM RS416v2 V5.X, RUGGEDCOM RS910, RUGGEDCOM RS910L, RUGGEDCOM RS910LNC, RUGGEDCOM RS910NC, RUGGEDCOM RS910W, RUGGEDCOM RS920L, RUGGEDCOM RS920LNC, RUGGEDCOM RS920W: Disable the Modbus Server if not required on the affected system. Restrict the access to Port 502/tcp to trusted IP address only. Also note, Modbus is disabled by default

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-170375 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.8
• ATTENTION: Low attack complexity
• Vendor: Siemens
• Equipment: Teamcenter Visualization, JT2Go
• Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• Siemens JT2Go: Versions prior to v14.3.0.8
• Siemens Teamcenter Visualization V14.1: Versions prior to v14.1.0.14
• Siemens Teamcenter Visualization V14.2: Versions prior to v14.2.0.10
• Siemens Teamcenter Visualization V14.3: Versions prior to v14.3.0.8
• Siemens Teamcenter Visualization V2312: Versions prior to v2312.0002

3.2 Vulnerability Overview 3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-7066 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

MoyunSec reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends users update the follow products to the latest versions:

• Teamcenter Visualization V14.1: Update to V14.1.0.14 or later version
• Teamcenter Visualization V14.2: Update to V14.2.0.10 or later version
• JT2Go: Update to V14.3.0.8 or later version
• Teamcenter Visualization V14.3: Update to V14.3.0.8 or later version
• Teamcenter Visualization V2312: Update to V2312.0002 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: Do not open untrusted PDF files in affected applications.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-722010 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• July 11, 2024: Initial Publication