As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 8.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: ST7 ScadaConnect
• Vulnerabilities: Integer Overflow or Wraparound, Double Free, Improper Certificate Validation, Inefficient Regular Expression Complexity, Improper Check for Unusual or Exceptional Conditions, Improper Input Validation, NULL Pointer Dereference, Missing Encryption of Sensitive Data, Improper Restriction of Operations within the Bounds of a Memory Buffer, Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information, cause a denial-of-service (DoS) condition, or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products, are affected:

• Siemens ST7 ScadaConnect (6NH7997-5DA10-0AA0): Versions prior to 1.1

3.2 Vulnerability Overview

3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

CVE-2022-40303 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 DOUBLE FREE CWE-415

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

CVE-2022-40304 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER CERTIFICATE VALIDATION CWE-295

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.

CVE-2023-0464 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 IMPROPER CERTIFICATE VALIDATION CWE-295

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.

CVE-2023-0465 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.5 IMPROPER CERTIFICATE VALIDATION CWE-295

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()function.Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

CVE-2023-0466 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.6 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333

Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial-of-Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus (‘p’ parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial-of-Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the ‘-check’ option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

CVE-2023-3446 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.7 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial-of-Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn’t make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn’t check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial-of-Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the “-pubcheck” option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

CVE-2023-5678 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-21808 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

CVE-2023-24895 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

CVE-2023-24897 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.11 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-24936 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.12 IMPROPER INPUT VALIDATION CWE-20

.NET DLL Hijacking Remote Code Execution Vulnerability

CVE-2023-28260 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.13 NULL POINTER DEREFERENCE CWE-476

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.

CVE-2023-28484 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.14 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Denial-of-Service Vulnerability

CVE-2023-29331 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.15 DOUBLE FREE CWE-415

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the ‘’ value).

CVE-2023-29469 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.16 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-32032 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H).

3.2.17 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-33126 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.18 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-33127 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.19 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-33128 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.20 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-33135 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.21 IMPROPER INPUT VALIDATION CWE-20

ASP.NET and Visual Studio Security Feature Bypass Vulnerability

CVE-2023-33170 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.22 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-35390 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.23 IMPROPER INPUT VALIDATION CWE-20

ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability

CVE-2023-35391 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.24 IMPROPER INPUT VALIDATION CWE-20

ASP.NET Core Denial-of-Service Vulnerability

CVE-2023-36038 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.25 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-36049 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).

3.2.26 IMPROPER INPUT VALIDATION CWE-20

Microsoft QUIC Denial-of-Service Vulnerability

CVE-2023-36435 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.27 IMPROPER INPUT VALIDATION CWE-20

ASP.NET Core – Security Feature Bypass Vulnerability

CVE-2023-36558 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.28 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36792 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.29 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36793 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.30 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36794 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.31 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36796 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.32 IMPROPER INPUT VALIDATION CWE-20

.NET Core and Visual Studio Denial-of-Service Vulnerability

CVE-2023-36799 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.33 IMPROPER INPUT VALIDATION CWE-20

Microsoft QUIC Denial-of-Service Vulnerability

CVE-2023-38171 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.34 IMPROPER INPUT VALIDATION CWE-20

.NET Core and Visual Studio Denial-of-Service Vulnerability

CVE-2023-38178 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.35 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Denial-of-Service Vulnerability

CVE-2023-38180 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.36 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial-of-Service (DoS) via supplying a crafted XML file. NOTE: the vendor’s position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

CVE-2023-39615 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.37 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

The HTTP/2 protocol allows a denial-of-service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2023-44487 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• ST7 ScadaConnect (6NH7997-5DA10-0AA0): Update to V1.1 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-341067 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 13, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.4
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Mendix Applications
• Vulnerability: Improper Privilege Management

2. RISK EVALUATION

Successful exploitation requires to guess the identification of a target role which contains the elevated access rights.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products, are affected:

• Siemens Mendix Applications using Mendix 9: Versions prior to V9.24.22 and after V9.3.0
• Siemens Mendix Applications using Mendix 10: Versions prior to V10.11.0
• Siemens Mendix Applications using Mendix 10 (V10.6): Versions prior V10.6.9

3.2 Vulnerability Overview

3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269

Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights.

CVE-2024-33500 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-33500. A base score of 7.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Defense Industrial Base, Energy, Financial Services, Government Facilities, Healthcare and Public Health, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Achmea Security Assessment Team reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends users update the product to following versions:

• Mendix Applications using Mendix 9: Update to V9.24.22 or later version
• Mendix Applications using Mendix 10: Update to V10.11.0 or later version

• Mendix Applications using Mendix 10 (V10.6): Update to V10.6.9 or later version

  Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Set the runtime setting StrictReferenceChecks to false; note however, that this comes at the price of making the reference checks less secure

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-540640 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• June 13, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Motorola Solutions
• Equipment: Vigilant Fixed LPR Coms Box (BCAV1F2-C600)
• Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Cleartext Storage in a File or on Disk, Use of Hard-coded Credentials, Insufficiently Protected Credentials, Missing Encryption of Sensitive Data, Authentication Bypass by Capture-replay

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to tamper with the device, access sensitive information and credentials, or perform a replay attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Motorola Vigilant License Plate Readers are affected:

• Vigilant Fixed LPR Coms Box (BCAV1F2-C600): Versions 3.1.171.9 and prior

3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes.

CVE-2024-38279 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.6 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-38279. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 CLEARTEXT STORAGE IN A FILE OR ON DISK CWE-313

An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.

CVE-2024-38280 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38280. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 USE OF HARD-CODED CREDENTIALS CWE-798

An attacker can access the maintenance console using hard coded credentials for a hidden wireless network on the device.

CVE-2024-38281 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38281. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Utilizing default credentials, an attacker is able to log into the camera’s operating system which could allow changes to be made to the operations or shutdown the camera requiring a physical reboot of the system.

CVE-2024-38282 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38282. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Sensitive customer information is stored in the device without encryption.

CVE-2024-38283 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.6 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-38283. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.6 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

Transmitted data is logged between the device and the backend service. An attacker could use these logs to perform a replay attack to replicate calls.

CVE-2024-38284 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38284. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.7 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Logs storing credentials are insufficiently protected and can be decoded through the use of open source tools.

CVE-2024-38285 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38285. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Emergency Services
• COUNTRIES/AREAS DEPLOYED: United States
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

The Michigan State Police Michigan Cyber Command Center (MC3) reported these vulnerabilities to CISA.

4. MITIGATIONS

Motorola Solutions recommends the following for each identified vulnerability:

CVE-2024-38279:

• Use secure boot implementation with an edit-resistant GRUB partition.
• Additional mitigation consists in limiting the physical access to the device by following the best practices for device mounting.

Edit-resistant grub partition has been remediated for all vulnerable systems. Motorola Solutions
will release a secure boot implementation in Fall 2024. All customers will receive the update
through OTA (over the air) mechanisms. No further actions are required by customers.

CVE-2024-38280:

• Apply encryption to all Criminal Justice Information (CJI) data.
• Apply full disk encryption with LUKS encryption standards and add password protection
  to the GRUB Bootloader.
• Perform column-level encryption for sensitive data in the database.

All devices shipped after May 10, 2024 are already using full disk encryption. All devices that
are not able to have full disk encryption applied have had all CJI data encrypted. No further
actions are required by customers.

CVE-2024-38281:

• Remove the hard-coded credential to access the wireless access point and disable the
  access point if not needed.
• Set a unique SSID and password if the access point is needed.

Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No further actions are required by customers.

CVE-2024-38282:

• Remove the hard coded credentials.
• Use a unique CJIS compliant password per device.

Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No further actions are required by customers.

CVE-2024-38283:

• Remove the hotlist data from the device.

Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No
further actions are required by customers.

CVE-2024-38284:

• Delete the log files.
• Install updated software not logging the credentialed web request.

Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No further actions are required by customers.

CVE-2024-38285:

• Delete the log files.

Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No further actions are required by customers.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 13, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.4
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Mendix Applications
• Vulnerability: Improper Privilege Management

2. RISK EVALUATION

Successful exploitation requires to guess the identification of a target role which contains the elevated access rights.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products, are affected:

• Siemens Mendix Applications using Mendix 9: Versions prior to V9.24.22 and after V9.3.0
• Siemens Mendix Applications using Mendix 10: Versions prior to V10.11.0
• Siemens Mendix Applications using Mendix 10 (V10.6): Versions prior V10.6.9

3.2 Vulnerability Overview

3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269

Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights.

CVE-2024-33500 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-33500. A base score of 7.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Defense Industrial Base, Energy, Financial Services, Government Facilities, Healthcare and Public Health, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Achmea Security Assessment Team reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends users update the product to following versions:

• Mendix Applications using Mendix 9: Update to V9.24.22 or later version
• Mendix Applications using Mendix 10: Update to V10.11.0 or later version

• Mendix Applications using Mendix 10 (V10.6): Update to V10.6.9 or later version

  Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Set the runtime setting StrictReferenceChecks to false; note however, that this comes at the price of making the reference checks less secure

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-540640 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• June 13, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Rockwell Automation
• Equipment: FactoryTalk View SE
• Vulnerability: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow low-privilege users to edit scripts, bypassing access control lists, and potentially gain further access within the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of FactoryTalk Software are affected:

• FactoryTalk View SE: v12.0

3.2 Vulnerability Overview

3.2.1 Incorrect Permission Assignment for Critical Resource CWE-732

A privilege escalation vulnerability exists in FactoryTalk View SE. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.

CVE-2024-37369 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37369. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N ).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has corrected this problem in V14.0 and later

Rockwell Automation encourages users of the affected software, who are not able to upgrade to one of the corrected versions, to apply the risk mitigations where possible.

• Use the Secure Install option when installing FactoryTalk Services Platform.
• Security Best Practices

For more information, see Rockwell Automation’s security advisory

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• June 13, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SINEC Traffic Analyzer
• Vulnerabilities: Out-of-bounds Write, Insufficient Session Expiration, Cross-Site Request Forgery (CSRF), Insufficiently Protected Credentials, Exposed Dangerous Method or Function, Cleartext Transmission of Sensitive Information, Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, disclose sensitive information, or modify files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• SINEC Traffic Analyzer (6GK8822-1BG01-0BA0): Versions prior to V1.2

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

CVE-2022-41742 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

3.2.2 INSUFFICIENT SESSION EXPIRATION CWE-613

The affected application does not expire the session. This could allow an attacker to get unauthorized access.

CVE-2024-35206 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-35206. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)

3.2.3 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The web interface of the affected devices are vulnerable to Cross-Site Request Forgery (CSRF) attacks. By tricking an authenticated victim user to click a malicious link, an attacker could perform arbitrary actions on the device on behalf of the victim user.

CVE-2024-35207 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-35207. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

3.2.4 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

The affected web server stored the password in cleartext. This could allow attacker in a privileged position to obtain access passwords.

CVE-2024-35208 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-35208. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L)

3.2.5 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

The affected web server is allowing HTTP methods like PUT and DELETE. This could allow an attacker to modify unauthorized files.

CVE-2024-35209 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-35209. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N)

3.2.6 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected web server is not enforcing HSTS. This could allow an attacker to perform downgrade attacks exposing confidential information.

CVE-2024-35210 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-35210. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

3.2.7 SENSITIVE COOKIE IN HTTPS SESSION WITHOUT ‘SECURE’ ATTRIBUTE CWE-614

The affected web server, after a successful login, sets the session cookie on the browser, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”).

CVE-2024-35211 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-35211. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

3.2.8 IMPROPER INPUT VALIDATION CWE-20

The affected application lacks input validation due to which an attacker can gain access to the Database entries.

CVE-2024-35212 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-35212. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SINEC Traffic Analyzer (6GK8822-1BG01-0BA0): Update to V1.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-196737 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 13, 2024: Initial Publication

Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.

If you suspect you are a target of an impersonation scammer claiming to be a CISA employee: 
•    Do not pay the caller.
•    Take note of the phone number calling you.
•    Hang up immediately.
•    Validate the contact by calling CISA at (844) SAY-CISA (844-729-2472) or report it to law enforcement.
 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.0
• ATTENTION: Low attack complexity
• Vendor: AVEVA
• Equipment: PI Asset Framework Client
• Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow malicious code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA PI Asset Framework Client, a tool to model either physical or logical objects, are affected:

• PI Asset Framework Client: 2023
• PI Asset Framework Client: 2018 SP3 P04 and prior

3.2 Vulnerability Overview

3.2.1 Deserialization of Untrusted Data CWE-502

There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.

CVE-2024-3467 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3467. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA reported this vulnerability to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:

• (Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:
  From OSI Soft Customer Portal, search for “Asset Framework” and select “PI Asset Framework (AF) Client 2023 Patch 1” or later.
• (Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:
  From OSI Soft Customer Portal, search for “Asset Framework” and select either “PI Asset Framework (AF) Client 2018 SP3 Patch 5” or later.

AVEVA further recommends users follow general defensive measures:

• Run PI System Explorer as a least privilege interactive account when possible.
• Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.

For additional information please refer to AVEVA-2024-004

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• June 11, 2024: Initial Publication