Latest Vulnerabilities: Multiple disclosed in various Siemens product lines #

Siemens disclosed multiple vulnerabilities in various product lines:

  • SSA-354112 - multiple vulnerabilities in SCALANCE M-800 Family devices (CVSS score 8.6)
  • SSA-654798 - unauthenticated remote access to the filesystem in SIMATIC CP devices (CVSS score 8.7)
  • SSA-454789 - deserialization of untrusted data in TeleControl Server (CVSS score 10.0)

What is the impact? #

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions, disclosure of sensitive information, or access to the underlying filesystem.

Are updates or workarounds available? #

For the disclosed vulnerabilities, Siemens has released updates or patches. Siemens recommends that access is restricted to trusted sources. Refer to Siemens' website for more information about their operational guideline recommendation.

How to find potentially vulnerable systems #

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SCALANCE S615" OR hw:"SIMATIC CP" OR (os:"Windows" AND tcp_port:26865)

Multiple vulnerabilities in various Siemens product lines (September 2024) #

Siemens disclosed 35 vulnerabilities in a variety of Siemens products, including their LOGO!, SIMATIC, SINEMA, and other product lines. These vulnerabilities have CVSS scores that range from 4.3 (moderate) to 10 (extremely critical).

The most critical vulnerabilities disclosed include:

  • SSA-955858 - multiple vulnerabilities in LOGO! 8 BM devices (CVSS score 9.8)
  • SSA-832273 - multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
  • SSA-721642 - multiple vulnerabilities in SCALANCE devices (CVSS score 9.1)
  • SSA-673996 - multiple vulnerabilities in SICAM and SITIPE devices (CVSS score 8.2)
  • SSA-629254 - remote code execution vulnerability in SIMATIC SCADA and PCS 7 systems (CVSS score 9.1)
  • SSA-455250 - multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
  • SSA-039007 - heap-based buffer overflow in the Siemens User Management Console component (CVSS score 9.8)

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions or disclosure of sensitive information.

For most of the disclosed vulnerabilities, Siemens has released updates or patches. However, some vulnerabilities mentioned above, including some critical vulnerabilities, do not have patches released and it is unclear when such updates would be available. Siemens recommends that all systems be kept behind firewalls and have unnecessary services disabled.

How to find potentially vulnerable systems #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

SCALANCE and RUGGEDCOM products (August 2024) #

Siemens disclosed multiple vulnerabilities for a variety of products and devices, including the SCALANCE and RUGGEDCOM product lines.

  • CVE-2024-41976 is rated high, with a CVSS score of 7.2, and allows an authenticated attacker to execute arbitrary code by supplying invalid VPN configuration data.
  • CVE-2024-41977 is rated high, with a CVSS score of 7.1, and allows an attacker to escalate their privileges due to devices not properly enforcing user session isolation.
  • CVE-2024-41978 is rated high, with a CVSS score of 6.5, and allows an authenticated attacker to forge 2FA tokens of other users due to devices storing sensitive 2FA information in log files on disk.
  • CVE-2024-44321 is rated medium, with a CVSS score of 2.7, and allows an unauthenticated attacker to cause a denial of service by sending large input data.

Successful exploitation of these vulnerabilities would allow an authenticated attacker to remotely execute code, escalate their privileges, or forge other users' credentials. The first three require the attacker to be authenticated before the vulnerabilities can be exploited.

The last vulnerability has the lowest score, but would still require the device to be restarted if the denial-of-service condition were triggered.

Siemens recommends upgrading all affected devices to firmware V8.1 or later. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted network traffic to the device.

How to find potentially vulnerable systems #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"RUGGEDCOM" OR hw:"SCALANCE" OR hw:"LOGO"

CVE-2024-35292 - SIMATIC S7-200 SMART Devices (July 2024) #

In July 2024, Siemens disclosed a vulnerability in their SIMATIC S7-200 SMART Devices.

CVE-2024-35292 is rated high, with a CVSS score of 8.2. Affected devices generate predictable IP ID sequence numbers; an attacker who predicts them could eventually create a denial-of-service condition.

Successful exploitation of this vulnerability would allow an attacker to issue a denial-of-service condition.

The only workaround was to restrict access to the network where the affected products were located by introducing strict access control mechanisms.

How to find potentially vulnerable systems #

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:SIMATIC

SENTRON, SCALANCE, and RUGGEDCOM vulnerabilities (March 2024) #

In March 2024, Siemens released security advisories for a variety of products and devices, including the SENTRON, SCALANCE, and RUGGEDCOM product lines.

Several of the vulnerabilities had CVSS scores in the 7.0 to 8.9 range (high) and several more in the 9.0 to 10.0 range (critical).

For the full list of vulnerabilities, you can consult Siemens ProductCERT.

Several of these vulnerabilities allowed for unauthenticated remote code execution, allowing for compromise of the vulnerable systems. Other vulnerabilities could lead to privilege escalation, information disclosure, or denial of service. Users were urged to upgrade as quickly as possible.

Siemens released updates via a variety of channels. See Siemens ProductCERT for details.

How to find potentially vulnerable systems #

From the Asset Inventory, runZero users applied the following query to locate Siemens assets that were potentially vulnerable:

hardware:Siemens OR hardware:RuggedCom
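As an added example (not code from runZero or Siemens), the following Python evaluates search strings of the kind quoted in each "How to find" section above against a constructed inventory. The field names, the `hw`/`hardware` alias, and the matching rules are assumptions, not runZero's documented query semantics.

```python
# Added example, not runZero's code: a minimal evaluator for search strings of
# the form quoted on this page, run over constructed inventory records. Matching
# rules (substring for hw/hardware/os/vendor, exact tcp_port, AND before OR) are assumed.
import re

TOKEN = re.compile(r'\(|\)|\bAND\b|\bOR\b|(\w+):("[^"]*"|[^\s()]+)')
ALIAS = {"hw": "hardware"}  # assumed alias: the page uses both spellings

def term(field, value):
    field, value = ALIAS.get(field, field), value.strip('"').lower()
    if field == "tcp_port":
        return lambda a: int(value) in a.get("tcp_ports", [])
    return lambda a: value in str(a.get(field, "")).lower()

def compile_query(query):
    toks = [(m.group(1), m.group(2)) if m.group(1) else m.group(0)
            for m in TOKEN.finditer(query)]
    pos = 0
    def binary(op, operand, combine):  # left-associative chain of `op`
        def parse():
            nonlocal pos
            left = operand()
            while pos < len(toks) and toks[pos] == op:
                pos += 1
                left = combine(left, operand())
            return left
        return parse
    def parse_atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok != "(":
            return term(*tok)
        inner = parse_or()
        pos += 1  # consume the closing ')'
        return inner
    parse_and = binary("AND", parse_atom, lambda l, r: lambda a: l(a) and r(a))
    parse_or = binary("OR", parse_and, lambda l, r: lambda a: l(a) or r(a))
    return parse_or()

def find_matches(query, assets):
    pred = compile_query(query)
    return [a["name"] for a in assets if pred(a)]

# Constructed sample inventory; hostnames and open ports are made up.
ASSETS = [
    {"name": "cp1", "hardware": "Siemens SIMATIC CP", "vendor": "Siemens", "tcp_ports": [102]},
    {"name": "rugged1", "hardware": "RUGGEDCOM switch", "vendor": "Siemens", "tcp_ports": [22]},
    {"name": "win1", "os": "Windows Server", "vendor": "Dell", "tcp_ports": [135, 26865]},
    {"name": "win2", "os": "Windows Server", "vendor": "Dell", "tcp_ports": [135]},
]
```

Running the page's queries over ASSETS shows which records each one selects; the Windows host is picked up only by the parenthesised `os:"Windows" AND tcp_port:26865` branch.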

Written by Blain Smith

Blain Smith is a Security Research Engineer at runZero. He spent most of his career in cloud and distributed systems for AAA gaming, entertainment, and networking working on some of the most popular games and systems millions of people play and watch daily. He has given numerous talks at conferences such as TEDx, GopherCon, and P99CONF. His shift into infosec has afforded him the ability to apply his distributed systems and networking knowledge to other industries such as IoT and OT.


Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.


Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception technology. A strong believer in Open Source, he has contributed to projects such as Nmap, Metasploit, and Recog.


Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.
