Siemens Automation License Manager

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY

CVSS v4 9.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Automation License Manager
Vulnerability: Integer Overflow or Wraparound

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service preventing legitimate users from using the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens Automation License Manager are affected:

Automation License Manager V5: All versions
Automation License Manager V6.0: All versions
Automation License Manager V6.2: All versions prior to V6.2 Upd3

3.2 Vulnerability Overview
3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190
Affected applications do not properly validate certain fields in incoming network packets on port 4410/tcp. This could allow an unauthenticated remote attacker to cause an integer overflow and crash of the application. This denial of service condition could prevent legitimate users from using subsequent products that rely on the affected application for license verification.
CVE-2024-44087 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-44087. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).
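The integer-overflow pattern behind CWE-190, shown as an added example rather than anything from the Siemens advisory or the Automation License Manager code: a constructed two-field packet header whose count and record-size product is checked after wrapping to 32 bits (emulated here, since Python integers do not wrap), beside the same check done on validated, bounded fields. The header layout, the 64 KiB bound and the function names are assumptions for this example.

```python
"""Length-field validation in a binary packet parser: the wraparound-prone
check beside the correct one. Added illustration of CWE-190; the packet layout
is constructed for this example and is not the Automation License Manager
protocol."""
import struct

U32_MASK = 0xFFFFFFFF
HEADER = struct.Struct("<II")   # constructed layout: uint32 count, uint32 record_size
MAX_PAYLOAD = 64 * 1024         # constructed upper bound for one request body


def u32(x: int) -> int:
    """Emulate C unsigned 32-bit arithmetic (Python ints never wrap)."""
    return x & U32_MASK


def parse_naive(packet: bytes) -> int:
    """Mirrors the flawed pattern: multiply count * record_size in uint32,
    then compare the (possibly wrapped) product with the bytes available.
    A wrapped product looks small, the check passes, and the record loop
    later walks past the buffer (a crash in C; an IndexError stand-in here)."""
    count, rec = HEADER.unpack_from(packet, 0)
    total = u32(count * rec)                 # wraps for large count * rec
    body = packet[HEADER.size:]
    if total > len(body):
        raise ValueError("declared payload exceeds packet")
    records = 0
    for i in range(count):                   # loop still uses the real count
        start = i * rec
        if start >= len(body):               # stand-in for the out-of-bounds read
            raise IndexError("read past end of packet")
        records += 1
    return records


def parse_checked(packet: bytes) -> int:
    """Validate each field before combining them, and bound the product before
    it is formed (the C equivalent: reject when count > MAX_PAYLOAD / rec)."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    count, rec = HEADER.unpack_from(packet, 0)
    if rec == 0 or rec > MAX_PAYLOAD or count > MAX_PAYLOAD // rec:
        raise ValueError("field values out of bounds")
    total = count * rec                      # cannot exceed MAX_PAYLOAD now
    body = packet[HEADER.size:]
    if total != len(body):
        raise ValueError("declared payload does not match packet")
    return count


def build_packet(count: int, rec: int, body: bytes) -> bytes:
    """Assemble a packet in the constructed layout (test input only)."""
    return HEADER.pack(count, rec) + body


def outcome(parser, packet: bytes) -> str:
    """Run a parser and report what happened, to compare the two checks."""
    try:
        return "ok:%d" % parser(packet)
    except ValueError:
        return "rejected"
    except IndexError:
        return "out-of-bounds read"


if __name__ == "__main__":
    good = build_packet(2, 8, b"\x00" * 16)
    # count * rec = 0x100000010, which wraps to 16 in uint32 arithmetic
    wrapped = build_packet(0x10000001, 16, b"\x00" * 16)
    for name, parser in (("naive", parse_naive), ("checked", parse_checked)):
        print(name, outcome(parser, good), outcome(parser, wrapped))
```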
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Automation License Manager V5: Currently no fix is planned
Automation License Manager V6.0: Currently no fix is planned
Automation License Manager V6.2: Update to V6.2 Upd3 or later version

On the Automation License Manager settings menu disable “Allow Remote Connections”
If remote connections are needed, limit remote access to port 4410/tcp to trusted systems only
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information see the associated Siemens security advisory SSA-103653 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

September 12, 2024: Initial Publication


Siemens SIMATIC, SIPLUS, and TIM

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY

CVSS v4 8.2
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: SIMATIC, SIPLUS, and TIM
Vulnerabilities: NULL Pointer Dereference

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of Siemens are affected:

SIMATIC CP 1242-7 V2 (incl. SIPLUS variants): Versions prior to V3.5.20
SIMATIC CP 1243-1 (incl. SIPLUS variants): Versions prior to V3.5.20
SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants): Versions prior to V3.5.20
SIMATIC CP 1243-1 IEC (incl. SIPLUS variants): Versions prior to V3.5.20
SIMATIC CP 1243-7 LTE: Versions prior to V3.5.20
SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0): Versions prior to V3.5.20
SIMATIC HMI Comfort Panels (incl. SIPLUS variants): All versions
SIMATIC IPC DiagBase: All versions
SIMATIC IPC DiagMonitor: All versions
SIMATIC WinCC Runtime Advanced: All versions
SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0): Versions prior to V2.4.8
TIM 1531 IRC (6GK7543-1MX00-0XE0): Versions prior to V2.4.8

3.2 Vulnerability Overview
3.2.1 NULL POINTER DEREFERENCE CWE-476
The web server of the affected devices does not properly handle certain requests, causing a timeout in the watchdog, which could lead to the cleanup of pointers. This could allow a remote attacker to cause a denial of service condition in the system.
CVE-2023-28827 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-28827. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.2 NULL POINTER DEREFERENCE CWE-476
The web server of the affected devices does not properly handle the shutdown or reboot request, which could lead to the cleanup of certain resources. This could allow a remote attacker with elevated privileges to cause a denial of service condition in the system.
CVE-2023-30755 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-30755. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.3 NULL POINTER DEREFERENCE CWE-476
The web server of the affected devices does not properly handle certain errors when using the Expect HTTP request header, resulting in a NULL pointer dereference. This could allow a remote attacker with no privileges to cause a denial of service condition in the system.
CVE-2023-30756 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-30756. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Disable the web server of the affected system
SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0), TIM 1531 IRC (6GK7543-1MX00-0XE0): Update to V2.4.8 or later version
SIMATIC CP 1242-7 V2 (incl. SIPLUS variants), SIMATIC CP 1243-1 (incl. SIPLUS variants), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants), SIMATIC CP 1243-7 LTE, SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0): Update to V3.5.20 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-423808 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.
5. UPDATE HISTORY

September 12, 2024: Initial Publication 


Siemens SINEMA Remote Connect Server

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY

CVSS v4 5.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEMA Remote Connect Server
Vulnerability: Session Fixation

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to circumvent the additional multi-factor authentication for user session establishment.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following versions of SINEMA Remote Connect Server, a remote network management platform, are affected:

SINEMA Remote Connect Server: versions prior to V3.2 SP2

3.2 Vulnerability Overview
3.2.1 SESSION FIXATION CWE-384
The affected application does not properly handle user session establishment and invalidation. This could allow a remote attacker to circumvent the additional multi-factor authentication for user session establishment.
CVE-2024-42345 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-42345. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).
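What "properly handle user session establishment and invalidation" means for CWE-384, as an added example that is not SINEMA Remote Connect Server code: a session store that carries one session ID from the anonymous state through password and MFA verification, beside one that refuses client-proposed IDs and rotates the ID (invalidating the old one) at each authentication boundary. Class and method names are hypothetical.

```python
"""Session ID handling across an MFA step (CWE-384). Added illustration for the
advisory text; not SINEMA Remote Connect Server code, and the class and method
names are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    mfa_passed: bool = False


def _new_id() -> str:
    return secrets.token_urlsafe(32)


class FixationProneSessions:
    """Keeps one session ID from the anonymous state through password and MFA
    verification, and even accepts an ID proposed by the client. Any ID known
    before login therefore becomes a fully authenticated session afterwards."""

    def __init__(self) -> None:
        self.store: Dict[str, Session] = {}

    def start(self, proposed_id: Optional[str] = None) -> str:
        sid = proposed_id or _new_id()      # trusting proposed_id is the flaw
        self.store.setdefault(sid, Session())
        return sid

    def password_ok(self, sid: str, user: str) -> str:
        self.store[sid].user = user         # same ID lives on
        return sid

    def mfa_ok(self, sid: str) -> str:
        self.store[sid].mfa_passed = True   # still the same ID
        return sid

    def is_fully_authenticated(self, sid: str) -> bool:
        s = self.store.get(sid)
        return bool(s and s.user and s.mfa_passed)


class HardenedSessions:
    """Always mints the ID server-side and rotates it at every authentication
    boundary, invalidating the previous ID, so an ID observed before a boundary
    is useless after it. This is the invalidation the advisory refers to."""

    def __init__(self) -> None:
        self.store: Dict[str, Session] = {}

    def start(self, proposed_id: Optional[str] = None) -> str:
        sid = _new_id()                     # proposed_id is deliberately ignored
        self.store[sid] = Session()
        return sid

    def _rotate(self, old_sid: str) -> str:
        state = self.store.pop(old_sid)     # old ID is invalid from here on
        new_sid = _new_id()
        self.store[new_sid] = state
        return new_sid

    def password_ok(self, sid: str, user: str) -> str:
        self.store[sid].user = user
        return self._rotate(sid)            # first boundary: password

    def mfa_ok(self, sid: str) -> str:
        self.store[sid].mfa_passed = True
        return self._rotate(sid)            # second boundary: MFA

    def is_fully_authenticated(self, sid: str) -> bool:
        s = self.store.get(sid)
        return bool(s and s.user and s.mfa_passed)


def stale_id_survives_mfa(sessions) -> bool:
    """Regression check for either implementation: take the ID a session had
    before login, let the legitimate user complete password and MFA on that
    session, then ask whether the pre-login ID is now fully authenticated.
    True means the implementation is fixation-prone."""
    pre_login_id = sessions.start("id-seen-before-login")   # constructed value
    sid = sessions.password_ok(pre_login_id, "operator")
    sessions.mfa_ok(sid)
    return sessions.is_fully_authenticated(pre_login_id)


if __name__ == "__main__":
    print("fixation-prone:", stale_id_survives_mfa(FixationProneSessions()))  # True
    print("hardened:      ", stale_id_survives_mfa(HardenedSessions()))       # False
```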
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has released a new version for SINEMA Remote Connect Client and recommends updating to V3.2 SP2 or a later version.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-869574 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

September 12, 2024: Initial Publication 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEMA Remote Connect Server
Vulnerability: Session Fixation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to circumvent the additional multi-factor authentication for user session establishment.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following versions of SINEMA Remote Connect Server, a remote network management platform, are affected:

SINEMA Remote Connect Server: versions prior to V3.2 SP2

3.2 Vulnerability Overview

3.2.1 SESSION FIXATION CWE-384

The affected application does not properly handle user session establishment and invalidation. This could allow a remote attacker to circumvent the additional multi-factor authentication for user session establishment.

CVE-2024-42345 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-42345. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released a new version for SINEMA Remote Connect Client and recommends to update to V3.2 SP2 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-869574 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 12, 2024: Initial Publication

Siemens SINUMERIK Systems

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY

CVSS v4 6.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: SINUMERIK systems
Vulnerability: Insertion of Sensitive Information into Log File

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a local authenticated user with low privileges to read passwords and use them to impersonate a user with higher privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens SINUMERIK systems are affected:

SINUMERIK 828D V4: All versions prior to V4.95 SP3
SINUMERIK 840D sl V4: All versions prior to V4.95 SP3 in connection with using Create MyConfig (CMC) V4.8 SP1 HF6 and prior
SINUMERIK ONE prior to V6.23: All versions prior to V6.23 in connection with using Create MyConfig (CMC) V6.6 and prior
SINUMERIK ONE prior to V6.15 SP4: All versions prior to V6.15 SP4 in connection with using Create MyConfig (CMC) V6.6 and prior

3.2 Vulnerability Overview
3.2.1 INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532
Affected systems that have been provisioned with Create MyConfig (CMC) contain an Insertion of Sensitive Information into Log File vulnerability. This could allow a local authenticated user with low privileges to read sensitive information and thus circumvent access restrictions.
CVE-2024-43781 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-43781. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:

SINUMERIK 828D V4: Update to V4.95 SP3 or later version
SINUMERIK 840D sl V4: Update to V4.95 SP3 or later version
SINUMERIK ONE prior to V6.23: Update to V6.23 or later version
SINUMERIK ONE prior to V6.15 SP4: Update to V6.15 SP4 or later version

Delete the following file(s) manually (after using CMC):

on an NCU: /card/user/sinumerik/hmi/log/sltrc/uptrace.out
on an IPC: C:\ProgramData\Siemens\MotionControl\user\sinumerik\hmi\log\sltrc\uptrace.out

and the corresponding backup of the trace file, uptrace.out.bak. Replace the trace configuration so that tracing stays switched off in the future.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information see the associated Siemens security advisory SSA-097786 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY

September 12, 2024: Initial Publication 


Siemens SIMATIC RFID Readers

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC RFID Readers
Vulnerabilities: Hidden Functionality, Exposure of Sensitive Information to an Unauthorized Actor, Improper Check or Handling of Exceptional Conditions, Improper Access Control

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to exploit hidden functionality, cause denial of service, or expose information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following SIMATIC RFID Readers are affected:

SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0): versions prior to V4.2
SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0): versions prior to V4.2
SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0): versions prior to V4.2
SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0): versions prior to V4.2
SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0): versions prior to V4.2
SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0): versions prior to V4.2
SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0): versions prior to V4.2
SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0): versions prior to V4.2
SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0): versions prior to V4.2
SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0): versions prior to V4.2
SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0): versions prior to V4.2
SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0): versions prior to V4.2
SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0): versions prior to V4.2
SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0): versions prior to V4.2
Siemens SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0): versions prior to V4.2
SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0): versions prior to V4.2
SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0): versions prior to V4.2
SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0): versions prior to V4.2
SIMATIC RF166C (6GT2002-0EE20): versions prior to V2.2
SIMATIC RF185C (6GT2002-0JE10): versions prior to V2.2
SIMATIC RF186C (6GT2002-0JE20): versions prior to V2.2
SIMATIC RF186CI (6GT2002-0JE50): versions prior to V2.2
SIMATIC RF188C (6GT2002-0JE40): versions prior to V2.2
SIMATIC RF188CI (6GT2002-0JE60): versions prior to V2.2
SIMATIC RF360R (6GT2801-5BA30): versions prior to V2.2
SIMATIC RF1140R (6GT2831-6CB00): versions prior to V1.1
SIMATIC RF1170R (6GT2831-6BB00): versions prior to V1.1

3.2 Vulnerability Overview
3.2.1 HIDDEN FUNCTIONALITY CWE-912
The affected applications contain configuration files which can be modified. An attacker with privileged access can modify these files and enable features that are not released for this device.
CVE-2024-37990 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-37990. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
The service log files of the affected application can be accessed without proper authentication. This could allow an unauthenticated attacker to get access to sensitive information.
CVE-2024-37991 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-37991. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 IMPROPER CHECK OR HANDLING OF EXCEPTIONAL CONDITIONS CWE-703
The affected devices do not properly handle the error that occurs when too many characters are supplied while setting SNMP parameters, leading to a restart of the application.
CVE-2024-37992 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-37992. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.4 IMPROPER ACCESS CONTROL CWE-284
The affected applications do not authenticate the creation of Ajax2App instances. This could allow an unauthenticated attacker to cause a denial of service condition.
CVE-2024-37993 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2024-37993. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.2.5 HIDDEN FUNCTIONALITY CWE-912
The affected application contains a hidden configuration item to enable debug functionality. This could allow an attacker to gain insight into the internal configuration of the deployment.
CVE-2024-37994 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-37994. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.6 IMPROPER CHECK OR HANDLING OF EXCEPTIONAL CONDITIONS CWE-703
The affected application improperly handles the error caused by a faulty certificate upload, leading to a crash of the application. This vulnerability could allow an attacker to disclose sensitive information.
CVE-2024-37995 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2024-37995. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has released new versions for the affected products and recommends updating to the latest versions:

SIMATIC RF1140R (6GT2831-6CB00), SIMATIC RF1170R (6GT2831-6BB00): Update to V1.1 or later version
SIMATIC RF166C (6GT2002-0EE20), SIMATIC RF185C (6GT2002-0JE10), SIMATIC RF186C (6GT2002-0JE20), SIMATIC RF186CI (6GT2002-0JE50), SIMATIC RF188C (6GT2002-0JE40), SIMATIC RF188CI (6GT2002-0JE60): Update to V2.2 or later version
SIMATIC RF360R (6GT2801-5BA30): Update to V2.2 or later version
SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0): Update to V4.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information see the associated Siemens security advisory SSA-765405 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

September 12, 2024: Initial Publication

Cisco Releases Security Updates for Cisco Smart Licensing Utility

Cisco released security updates to address two vulnerabilities (CVE-2024-20439 and CVE-2024-20440) in Cisco Smart Licensing Utility. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the following advisory and apply the necessary updates: 

Cisco Smart Licensing Utility Vulnerabilities 


Microsoft Releases September 2024 Security Updates

Microsoft released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the following and apply necessary updates:

Microsoft Security Update Guide for September 


CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-38226 Microsoft Publisher Security Feature Bypass Vulnerability
CVE-2024-43491 Microsoft Windows Update Remote Code Execution Vulnerability
CVE-2024-38014 Microsoft Windows Installer Privilege Escalation Vulnerability
CVE-2024-38217 Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 


Ivanti Releases Security Updates for Endpoint Manager, Cloud Service Application, and Workspace Control

Ivanti released security updates to address multiple vulnerabilities in Ivanti Endpoint Manager, Cloud Service Application 4.6, and Workspace Control. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the following Ivanti advisories and apply the necessary guidance and updates: 

Ivanti Endpoint Manager
Ivanti Cloud Service Application 4.6
Ivanti Workspace Control 


Rockwell Automation SequenceManager

View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: SequenceManager
Vulnerabilities: Unquoted Search Path or Element

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of SequenceManager, a Logix controller-based batch and sequencing solution, are affected:

SequenceManager: Versions prior to 2.0

3.2 Vulnerability Overview
3.2.1 Unquoted Search Path or Element CWE-428
An input validation vulnerability exists in the affected products which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unresponsive, and a manual restart would be required for recovery. Additionally, if exploited, there could be a loss of view for the downstream equipment sequences in the controller. Users would not be able to view the status of or command the equipment sequences; however, the equipment sequences would continue to execute uninterrupted.
CVE-2024-4609 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-4609. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Rockwell Automation reported these vulnerabilities to CISA.
4. MITIGATIONS
Rockwell Automation recommends users upgrade to version 2.0 or greater.
There is no fix available for these vulnerabilities in the affected software versions prior to v2.0. Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

Security Best Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

September 10, 2024: Initial Publication 

