Category: CISA Alerts

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric Corporation
Equipment: MELSEC iQ-F Series
Vulnerability: Improper Validation of Specified Type of Input

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition in Ethernet communication on the module. A system reset of the module is required for recovery.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Mitsubishi Electric reports that the following versions of MELSEC iQ-F Series Ethernet module and EtherNet/IP module are affected:

MELSEC iQ-F Series FX5-ENET: version 1.100 and later
MELSEC iQ-F Series FX5-ENET/IP: version 1.100 to 1.104

3.2 Vulnerability Overview
3.2.1 Improper Validation of Specified Type of Input CWE-1287
A denial-of-service vulnerability due to improper validation of a specified type of input exists in MELSEC iQ-F Ethernet Module and EtherNet/IP Module.
CVE-2024-8403 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER
Mitsubishi Electric reported this vulnerability to CISA.
4. MITIGATIONS
Mitsubishi Electric has fixed this issue in MELSEC iQ-F Series FX5-ENET/IP version 1.106 or later. The firmware update file can be found on Mitsubishi Electric’s download page. Refer to “9 FIRMWARE UPDATE FUNCTION” in the “MELSEC iQ-F FX5 User’s Manual (Application)” for information on how to update the firmware.
Mitsubishi Electric recommends that users take the following mitigations/workarounds to minimize the risk of exploiting this vulnerability:

Use within a LAN and block access from untrusted networks and hosts through firewalls.
Restrict physical access to the product, as well as to computers and network devices located within the same network as the product.
Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when internet access is required.
Use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual: MELSEC iQ-F FX5 User’s Manual (Communication) “13.1 IP Filter Function”

For specific update instructions and additional details see the Mitsubishi Electric advisory.
Please contact your local Mitsubishi Electric representative.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

November 19, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Mitsubishi Electric Corporation
• Equipment: MELSEC iQ-F Series
• Vulnerability: Improper Validation of Specified Type of Input

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition in Ethernet communication on the module. A system reset of the module is required for recovery.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports that the following versions of MELSEC iQ-F Series Ethernet module and EtherNet/IP module are affected:

• MELSEC iQ-F Series FX5-ENET: version 1.100 and later
• MELSEC iQ-F Series FX5-ENET/IP: version 1.100 to 1.104

3.2 Vulnerability Overview

3.2.1 Improper Validation of Specified Type of Input CWE-1287

A denial-of-service vulnerability due to improper validation of a specified type of input exists in MELSEC iQ-F Ethernet Module and EtherNet/IP Module.

CVE-2024-8403 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric has fixed this issue in MELSEC iQ-F Series FX5-ENET/IP version 1.106 or later. The firmware update file can be found on Mitsubishi Electric’s download page. Refer to “9 FIRMWARE UPDATE FUNCTION” in the “MELSEC iQ-F FX5 User’s Manual (Application)” for information on how to update the firmware.

Mitsubishi Electric recommends that users take the following mitigations/workarounds to minimize the risk of exploiting this vulnerability:

• Use within a LAN and block access from untrusted networks and hosts through firewalls.
• Restrict physical access to the product, as well as to computers and network devices located within the same network as the product.
• Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when internet access is required.
• Use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual: MELSEC iQ-F FX5 User’s Manual (Communication) “13.1 IP Filter Function”

For specific update instructions and additional details see the Mitsubishi Electric advisory.

Please contact your local Mitsubishi Electric representative.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• November 19, 2024: Initial Publication

 Read More

 ​CISA released one Industrial Control Systems (ICS) advisory on November 19, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-324-01 Mitsubishi Electric MELSEC iQ-F Series

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released one Industrial Control Systems (ICS) advisory on November 19, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-324-01 Mitsubishi Electric MELSEC iQ-F Series

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

 ​CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-1212 Progress Kemp LoadMaster OS Command Injection Vulnerability
CVE-2024-0012 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
CVE-2024-9474 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability

Users and administrators are also encouraged to review the Palo Alto Threat Brief: Operation Lunar Peek related to CVE-2024-0012 for additional information. 
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-1212 Progress Kemp LoadMaster OS Command Injection Vulnerability
• CVE-2024-0012 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
• CVE-2024-9474 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability

Users and administrators are also encouraged to review the Palo Alto Threat Brief: Operation Lunar Peek related to CVE-2024-0012 for additional information. 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

 ​CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
• CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: MSM
Vulnerabilities: Missing Release of Resource after Effective Lifetime, Loop with Unreachable Exit Condition (‘Infinite Loop’)

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to impact the confidentiality, integrity or availability of the MSM.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Hitachi Energy MSM, a condition monitoring system, are affected:

MSM: Versions 2.2.8 and earlier

3.2 Vulnerability Overview
3.2.1 Missing Release of Resource after Effective Lifetime CWE-772
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.
CVE-2024-2398 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).
3.2.2 Loop with Unreachable Exit Condition (‘Infinite Loop’) CWE-835
A denial-of-service vulnerability exists in the processing of multipart/form-data requests in the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server.
CVE-2019-5097 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Hitachi Energy reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy recommends that users apply the update as soon as it is available. in the meantime, Hitachi Energy recommends the general mitigation factors/workarounds given below are followed.
MSM is not intrinsically designed and intended to be directly connected to the internet. Please disconnect the device from any internet facing network, if any installation has performed the same. Hitachi Energy suggests adopting user access management and any state-of-the-art antivirus protection engines equipped with the latest signature rules on the computers that have installed and operating the MSM Client application. As an example, please use the operating system (OS) inbuilt user access management functionality, if supported, to limit the probability of unauthorized access followed by rogue commands via MSM Client application.
Also, Hitachi Energy recommends following the hardening guidelines published by “The Center for Internet Security (CIS)” to protect the host operating system of computers that connects with MSM. This measure would then prevent the lateral movement of the attack vector into MSM via these connected devices. Some examples for Windows based computers are listed below:
1) CIS Microsoft Windows Desktop Benchmarks2) CIS Microsoft Windows Server Benchmarks
Hitachi Energy has provided the additional following security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network:

Physically protect process control systems from direct access by unauthorized personnel.
Do not connect directly to the Internet.
Separate from other networks by means of a firewall system that has a minimal number of ports exposed.
Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails.
Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy’s security advisory 8DBD000205
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

November 14, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 8.6
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: MSM
• Vulnerabilities: Missing Release of Resource after Effective Lifetime, Loop with Unreachable Exit Condition (‘Infinite Loop’)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to impact the confidentiality, integrity or availability of the MSM.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy MSM, a condition monitoring system, are affected:

• MSM: Versions 2.2.8 and earlier

3.2 Vulnerability Overview

3.2.1 Missing Release of Resource after Effective Lifetime CWE-772

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

CVE-2024-2398 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

3.2.2 Loop with Unreachable Exit Condition (‘Infinite Loop’) CWE-835

A denial-of-service vulnerability exists in the processing of multipart/form-data requests in the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server.

CVE-2019-5097 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends that users apply the update as soon as it is available. in the meantime, Hitachi Energy recommends the general mitigation factors/workarounds given below are followed.

MSM is not intrinsically designed and intended to be directly connected to the internet. Please disconnect the device from any internet facing network, if any installation has performed the same. Hitachi Energy suggests adopting user access management and any state-of-the-art antivirus protection engines equipped with the latest signature rules on the computers that have installed and operating the MSM Client application. As an example, please use the operating system (OS) inbuilt user access management functionality, if supported, to limit the probability of unauthorized access followed by rogue commands via MSM Client application.

Also, Hitachi Energy recommends following the hardening guidelines published by “The Center for Internet Security (CIS)” to protect the host operating system of computers that connects with MSM. This measure would then prevent the lateral movement of the attack vector into MSM via these connected devices. Some examples for Windows based computers are listed below:

1) CIS Microsoft Windows Desktop Benchmarks
2) CIS Microsoft Windows Server Benchmarks

Hitachi Energy has provided the additional following security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network:

• Physically protect process control systems from direct access by unauthorized personnel.
• Do not connect directly to the Internet.
• Separate from other networks by means of a firewall system that has a minimal number of ports exposed.
• Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails.
• Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy’s security advisory 8DBD000205

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• November 14, 2024: Initial Publication

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC CP
Vulnerability: Incorrect Authorization

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain access to the filesystem.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of SIMATIC CP is affected:

SIMATIC CP1543-1: V4.0 (6GK7543-1AX10-0XE0)

3.2 Vulnerability Overview
3.2.1 INCORRECT AUTHORIZATION CWE-863
Affected devices do not properly handle authorization. This could allow an unauthenticated remote attacker to gain access to the filesystem.
CVE-2024-50310 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C).
A CVSS v4 score has also been calculated for CVE-2024-50310. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risk:

SIMATIC CP1543-1 V4.0 (6GK7543-1AX10-0XE0): Update to SIMATIC CP1543-1 V4.0.50 or later versions
Restrict access to Port 8448/tcp to trusted systems only

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and following the recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-654798 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

November 14, 2024: Initial Publication 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC CP
• Vulnerability: Incorrect Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain access to the filesystem.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of SIMATIC CP is affected:

• SIMATIC CP1543-1: V4.0 (6GK7543-1AX10-0XE0)

3.2 Vulnerability Overview

3.2.1 INCORRECT AUTHORIZATION CWE-863

Affected devices do not properly handle authorization. This could allow an unauthenticated remote attacker to gain access to the filesystem.

CVE-2024-50310 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C).

A CVSS v4 score has also been calculated for CVE-2024-50310. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risk:

• SIMATIC CP1543-1 V4.0 (6GK7543-1AX10-0XE0): Update to SIMATIC CP1543-1 V4.0.50 or later versions
• Restrict access to Port 8448/tcp to trusted systems only

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and following the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-654798 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• November 14, 2024: Initial Publication

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v3.1 7.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: 2N
Equipment: Access Commander
Vulnerabilities: Path Traversal, Insufficient Verification of Data Authenticity

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to escalate their privileges, execute arbitrary code, or gain root access to the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of 2N Access Commander, an IP access control system, are affected:
Access Commander: versions 3.1.1.2 and prior
3.2 Vulnerability Overview
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
In 2N Access Commander versions 3.1.1.2 and prior, a Path Traversal vulnerability could allow an attacker to write files on the filesystem to achieve arbitrary remote code execution.
CVE-2024-47253 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the system.
CVE-2024-47254 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
3.2.3 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges in the system which could allow for arbitrary code execution with root permissions.
CVE-2024-47255 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Government Services and Facilities, Commercial Facilities, Communications, Information Technology
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Noam Moshe of Claroty Research – Team82 reported these vulnerabilities to CISA.
4. MITIGATIONS
2N has released the following to fix these vulnerabilities:

Access Commander: Update to Access Commander version 3.2 from the 2N download center

Please see 2N’s security advisory for additional details.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

November 19, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3.1 7.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: 2N
• Equipment: Access Commander
• Vulnerabilities: Path Traversal, Insufficient Verification of Data Authenticity

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate their privileges, execute arbitrary code, or gain root access to the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of 2N Access Commander, an IP access control system, are affected:

Access Commander: versions 3.1.1.2 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

In 2N Access Commander versions 3.1.1.2 and prior, a Path Traversal vulnerability could allow an attacker to write files on the filesystem to achieve arbitrary remote code execution.

CVE-2024-47253 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the system.

CVE-2024-47254 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.2.3 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges in the system which could allow for arbitrary code execution with root permissions.

CVE-2024-47255 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Government Services and Facilities, Commercial Facilities, Communications, Information Technology
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Noam Moshe of Claroty Research – Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

2N has released the following to fix these vulnerabilities:

• Access Commander: Update to Access Commander version 3.2 from the 2N download center

Please see 2N’s security advisory for additional details.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• November 19, 2024: Initial Publication

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: TeleControl Server
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of TeleControl Server are affected:

PP TeleControl Server Basic 8 to 32 V3.1 (6NH9910-0AA31-0AB1): versions prior to V3.1.2.1
PP TeleControl Server Basic 32 to 64 V3.1 (6NH9910-0AA31-0AF1): versions prior to V3.1.2.1
PP TeleControl Server Basic 64 to 256 V3.1 (6NH9910-0AA31-0AC1): versions prior to V3.1.2.1
PP TeleControl Server Basic 256 to 1000 V3.1 (6NH9910-0AA31-0AD1): versions prior to V3.1.2.1
PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1): versions prior to V3.1.2.1
TeleControl Server Basic 8 V3.1 (6NH9910-0AA31-0AA0): versions prior to V3.1.2.1
TeleControl Server Basic 32 V3.1 (6NH9910-0AA31-0AF0): versions prior to V3.1.2.1
TeleControl Server Basic 64 V3.1 (6NH9910-0AA31-0AB0): versions prior to V3.1.2.1
TeleControl Server Basic 256 V3.1 (6NH9910-0AA31-0AC0): versions prior to V3.1.2.1
TeleControl Server Basic 1000 V3.1 (6NH9910-0AA31-0AD0): versions prior to V3.1.2.1
TeleControl Server Basic 5000 V3.1 (6NH9910-0AA31-0AE0): versions prior to V3.1.2.1
TeleControl Server Basic Serv Upgr (6NH9910-0AA31-0GA1): versions prior to V3.1.2.1
TeleControl Server Basic Upgr V3.1 (6NH9910-0AA31-0GA0): versions prior to V3.1.2.1

3.2 Vulnerability Overview
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges.
CVE-2024-44102 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).
A CVSS v4 score has also been calculated for CVE-2024-44102. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Tenable reported these vulnerabilities to Siemens.
4. MITIGATIONS
Siemens recommends users of the affected products update to V3.1.2.1 or later versions.
Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Disable redundancy, if not used
Restrict access to the affected systems to trusted IP addresses only

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and following the recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-454789 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

November 14, 2024: Initial Publication 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: TeleControl Server
• Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of TeleControl Server are affected:

• PP TeleControl Server Basic 8 to 32 V3.1 (6NH9910-0AA31-0AB1): versions prior to V3.1.2.1
• PP TeleControl Server Basic 32 to 64 V3.1 (6NH9910-0AA31-0AF1): versions prior to V3.1.2.1
• PP TeleControl Server Basic 64 to 256 V3.1 (6NH9910-0AA31-0AC1): versions prior to V3.1.2.1
• PP TeleControl Server Basic 256 to 1000 V3.1 (6NH9910-0AA31-0AD1): versions prior to V3.1.2.1
• PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1): versions prior to V3.1.2.1
• TeleControl Server Basic 8 V3.1 (6NH9910-0AA31-0AA0): versions prior to V3.1.2.1
• TeleControl Server Basic 32 V3.1 (6NH9910-0AA31-0AF0): versions prior to V3.1.2.1
• TeleControl Server Basic 64 V3.1 (6NH9910-0AA31-0AB0): versions prior to V3.1.2.1
• TeleControl Server Basic 256 V3.1 (6NH9910-0AA31-0AC0): versions prior to V3.1.2.1
• TeleControl Server Basic 1000 V3.1 (6NH9910-0AA31-0AD0): versions prior to V3.1.2.1
• TeleControl Server Basic 5000 V3.1 (6NH9910-0AA31-0AE0): versions prior to V3.1.2.1
• TeleControl Server Basic Serv Upgr (6NH9910-0AA31-0GA1): versions prior to V3.1.2.1
• TeleControl Server Basic Upgr V3.1 (6NH9910-0AA31-0GA0): versions prior to V3.1.2.1

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges.

CVE-2024-44102 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

A CVSS v4 score has also been calculated for CVE-2024-44102. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Tenable reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens recommends users of the affected products update to V3.1.2.1 or later versions.

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

• Disable redundancy, if not used
• Restrict access to the affected systems to trusted IP addresses only

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and following the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-454789 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• November 14, 2024: Initial Publication

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Baxter
Equipment: Life2000 Ventilation System
Vulnerabilities: Cleartext Transmission of Sensitive Information, Improper Restriction of Excessive Authentication Attempts, Use of Hard-Coded Credentials, Improper Physical Access Control, Download of Code Without Integrity Check, On-Chip Debug and Test Interface With Improper Access Control, Missing Support for Security Features in On-Chip Fabrics or Buses, Missing Authentication for Critical Function, Insufficient Logging

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could lead to information disclosure and/or disruption of the device’s function without detection.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Baxter (formerly Hillrom) products are affected:

Life2000 Ventilation System: Version 06.08.00.00 and prior

3.2 Vulnerability Overview
3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION (CWE-319)
Improper data protection on the ventilator’s serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.
CVE-2024-9834 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-9834. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS (CWE-307)
There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execute a brute-force attack to gain unauthorized access to the ventilator, and then make changes to device settings that could disrupt the function of the device and/or result in unauthorized information disclosure..
CVE-2024-9832 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-9832. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.3 USE OF HARD-CODED CREDENTIALS (CWE-798)
The Clinician Password and Serial Number Clinician Password are hard-coded into the ventilator in plaintext form. This could allow an attacker to obtain the password off the ventilator and use it to gain unauthorized access to the device, with clinician privileges.
CVE-2024-48971 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-48971. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.4 IMPROPER PHYSICAL ACCESS CONTROL (CWE-1263)
The debug port on the ventilator’s serial interface is enabled by default. This could allow an attacker to send and receive messages over the debug port (which are unencrypted; see 3.2.1) that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.
CVE-2024-48973 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-48973. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.5 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK (CWE-494)
The ventilator does not perform proper file integrity checks when adopting firmware updates. This makes it possible for an attacker to force unauthorized changes to the device’s configuration settings and/or compromise device functionality by pushing a compromised/illegitimate firmware file. This could disrupt the function of the device and/or cause unauthorized information disclosure.
CVE-2024-48974 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-48974. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.6 ON-CHIP DEBUG AND TEST INTERFACE WITH IMPROPER ACCESS CONTROL (CWE-1191)
The ventilator’s microcontroller lacks memory protection. An attacker could connect to the internal JTAG interface and read or write to flash memory using an off-the-shelf debugging tool, which could disrupt the function of the device and/or cause unauthorized information disclosure.
CVE-2024-48970 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-48970. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.7 MISSING SUPPORT FOR SECURITY FEATURES IN ON-CHIP FABRICS OR BUSES (CWE-1318)
The flash memory read-out protection feature on the microcontroller does not block memory access via the ICode bus. Attackers can exploit this in conjunction with certain CPU exception handling behaviors to gain knowledge of how the onboard flash memory is organized and ultimately bypass read-out protection to expose memory contents.
CVE-2020-8004 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2020-8004. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.8 MISSING AUTHENTICATION FOR CRITICAL FUNCTION (CWE-306)
The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could obtain diagnostic information through the test tool or manipulate the ventilator’s settings and embedded software via the calibration tool, without having to authenticate to either tool. This could result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.
CVE-2024-48966 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-48966. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.9 INSUFFICIENT LOGGING (CWE-778)
The ventilator and the Service PC lack sufficient audit logging capabilities to allow for detection of malicious activity and subsequent forensic examination. An attacker with access to the ventilator and/or the Service PC could, without detection, make unauthorized changes to ventilator settings that result in unauthorized disclosure of information and/or have unintended impacts on device performance.
CVE-2024-48967 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-48967. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Baxter reported these vulnerabilities to CISA.
4. MITIGATIONS
Baxter plans to issue a follow-up announcement in Q2 2025 regarding the Life2000 vulnerabilities described in this disclosure.
Baxter is unaware of any exploitation of these vulnerabilities and/or the compromise of personal or health data.
Baxter recommends that users of the Life2000 Ventilation System not leave their ventilators unattended in public or unsecured areas. Maintaining physical possession and control of the ventilator reduces the likelihood of a malicious actor gaining access to the device.
For more information, refer to Baxter’s Product Security and Responsible Disclosures web page.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

November 14, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Baxter
• Equipment: Life2000 Ventilation System
• Vulnerabilities: Cleartext Transmission of Sensitive Information, Improper Restriction of Excessive Authentication Attempts, Use of Hard-Coded Credentials, Improper Physical Access Control, Download of Code Without Integrity Check, On-Chip Debug and Test Interface With Improper Access Control, Missing Support for Security Features in On-Chip Fabrics or Buses, Missing Authentication for Critical Function, Insufficient Logging

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could lead to information disclosure and/or disruption of the device’s function without detection.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Baxter (formerly Hillrom) products are affected:

• Life2000 Ventilation System: Version 06.08.00.00 and prior

3.2 Vulnerability Overview

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION (CWE-319)

Improper data protection on the ventilator’s serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.

CVE-2024-9834 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9834. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS (CWE-307)

There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execute a brute-force attack to gain unauthorized access to the ventilator, and then make changes to device settings that could disrupt the function of the device and/or result in unauthorized information disclosure..

CVE-2024-9832 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9832. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 USE OF HARD-CODED CREDENTIALS (CWE-798)

The Clinician Password and Serial Number Clinician Password are hard-coded into the ventilator in plaintext form. This could allow an attacker to obtain the password off the ventilator and use it to gain unauthorized access to the device, with clinician privileges.

CVE-2024-48971 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48971. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.4 IMPROPER PHYSICAL ACCESS CONTROL (CWE-1263)

The debug port on the ventilator’s serial interface is enabled by default. This could allow an attacker to send and receive messages over the debug port (which are unencrypted; see 3.2.1) that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.

CVE-2024-48973 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48973. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.5 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK (CWE-494)

The ventilator does not perform proper file integrity checks when adopting firmware updates. This makes it possible for an attacker to force unauthorized changes to the device’s configuration settings and/or compromise device functionality by pushing a compromised/illegitimate firmware file. This could disrupt the function of the device and/or cause unauthorized information disclosure.

CVE-2024-48974 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48974. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.6 ON-CHIP DEBUG AND TEST INTERFACE WITH IMPROPER ACCESS CONTROL (CWE-1191)

The ventilator’s microcontroller lacks memory protection. An attacker could connect to the internal JTAG interface and read or write to flash memory using an off-the-shelf debugging tool, which could disrupt the function of the device and/or cause unauthorized information disclosure.

CVE-2024-48970 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48970. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.7 MISSING SUPPORT FOR SECURITY FEATURES IN ON-CHIP FABRICS OR BUSES (CWE-1318)

The flash memory read-out protection feature on the microcontroller does not block memory access via the ICode bus. Attackers can exploit this in conjunction with certain CPU exception handling behaviors to gain knowledge of how the onboard flash memory is organized and ultimately bypass read-out protection to expose memory contents.

CVE-2020-8004 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2020-8004. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 MISSING AUTHENTICATION FOR CRITICAL FUNCTION (CWE-306)

The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could obtain diagnostic information through the test tool or manipulate the ventilator’s settings and embedded software via the calibration tool, without having to authenticate to either tool. This could result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.

CVE-2024-48966 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48966. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.9 INSUFFICIENT LOGGING (CWE-778)

The ventilator and the Service PC lack sufficient audit logging capabilities to allow for detection of malicious activity and subsequent forensic examination. An attacker with access to the ventilator and/or the Service PC could, without detection, make unauthorized changes to ventilator settings that result in unauthorized disclosure of information and/or have unintended impacts on device performance.

CVE-2024-48967 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48967. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
• COUNTRIES/AREAS DEPLOYED: United States
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter reported these vulnerabilities to CISA.

4. MITIGATIONS

Baxter plans to issue a follow-up announcement in Q2 2025 regarding the Life2000 vulnerabilities described in this disclosure.

Baxter is unaware of any exploitation of these vulnerabilities and/or the compromise of personal or health data.

Baxter recommends that users of the Life2000 Ventilation System not leave their ventilators unattended in public or unsecured areas. Maintaining physical possession and control of the ventilator reduces the likelihood of a malicious actor gaining access to the device.

For more information, refer to Baxter’s Product Security and Responsible Disclosures web page.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• November 14, 2024: Initial Publication

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Mendix Runtime
Vulnerability: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow unauthenticated remote attackers to circumvent default account lockout measures.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mendix Runtime are affected:

Mendix Runtime: V8
Mendix Runtime: V9
Mendix Runtime: V10
Mendix Runtime: V10.6
Mendix Runtime: V10.12

3.2 Vulnerability Overview
3.2.1 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362
The basic authentication implementation of affected applications contains a race condition vulnerability, which could allow unauthenticated remote attackers to circumvent default account lockout measures
CVE-2024-50313 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2024-50313. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risk:

Mendix Runtime V8: Currently no fix is planned
Mendix Runtime V9: Update to Mendix Runtime V9.24.29 or later versions
Mendix Runtime V10: Update to Mendix Runtime V10.16.0 or later versions
Mendix Runtime V10.6: Update to Mendix Runtime V10.6.15 or later versions
Mendix Runtime V10.12: Update to Mendix Runtime V10.12.7 or later versions
Do not use basic authentication, but setup an alternative authentication module (e.g. SAML, MendixSSO), or your own Identity Provider (IDP)

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and following the recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-914892 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

November 14, 2024: Initial Publication 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.9
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Mendix Runtime
• Vulnerability: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow unauthenticated remote attackers to circumvent default account lockout measures.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mendix Runtime are affected:

• Mendix Runtime: V8
• Mendix Runtime: V9
• Mendix Runtime: V10
• Mendix Runtime: V10.6
• Mendix Runtime: V10.12

3.2 Vulnerability Overview

3.2.1 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362

The basic authentication implementation of affected applications contains a race condition vulnerability, which could allow unauthenticated remote attackers to circumvent default account lockout measures

CVE-2024-50313 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-50313. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risk:

• Mendix Runtime V8: Currently no fix is planned
• Mendix Runtime V9: Update to Mendix Runtime V9.24.29 or later versions
• Mendix Runtime V10: Update to Mendix Runtime V10.16.0 or later versions
• Mendix Runtime V10.6: Update to Mendix Runtime V10.6.15 or later versions
• Mendix Runtime V10.12: Update to Mendix Runtime V10.12.7 or later versions
• Do not use basic authentication, but setup an alternative authentication module (e.g. SAML, MendixSSO), or your own Identity Provider (IDP)

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and following the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-914892 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• November 14, 2024: Initial Publication

 Read More