As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v4 7.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC RFID Readers
- Vulnerabilities: Hidden Functionality, Exposure of Sensitive Information to an Unauthorized Actor, Improper Check or Handling of Exceptional Conditions, Improper Access Control
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to exploit hidden functionality, cause denial of service, or expose information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following SIMATIC RFID Readers are affected:
- SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0): versions prior to V4.2
- SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0): versions prior to V4.2
- SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0): versions prior to V4.2
- SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0): versions prior to V4.2
- SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0): versions prior to V4.2
- SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0): versions prior to V4.2
- SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0): versions prior to V4.2
- SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0): versions prior to V4.2
- SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0): versions prior to V4.2
- SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0): versions prior to V4.2
- SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0): versions prior to V4.2
- SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0): versions prior to V4.2
- SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0): versions prior to V4.2
- SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0): versions prior to V4.2
- SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0): versions prior to V4.2
- SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0): versions prior to V4.2
- SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0): versions prior to V4.2
- SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0): versions prior to V4.2
- SIMATIC RF166C (6GT2002-0EE20): versions prior to V2.2
- SIMATIC RF185C (6GT2002-0JE10): versions prior to V2.2
- SIMATIC RF186C (6GT2002-0JE20): versions prior to V2.2
- SIMATIC RF186CI (6GT2002-0JE50): versions prior to V2.2
- SIMATIC RF188C (6GT2002-0JE40): versions prior to V2.2
- SIMATIC RF188CI (6GT2002-0JE60): versions prior to V2.2
- SIMATIC RF360R (6GT2801-5BA30): versions prior to V2.2
- SIMATIC RF1140R (6GT2831-6CB00): versions prior to V1.1
- SIMATIC RF1170R (6GT2831-6BB00): versions prior to V1.1
3.2 VULNERABILITY OVERVIEW
3.2.1 HIDDEN FUNCTIONALITY CWE-912
The affected applications contain configuration files which can be modified. An attacker with privileged access can modify these files and enable features that are not released for this device.
CVE-2024-37990 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-37990. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
The service log files of the affected application can be accessed without proper authentication. This could allow an unauthenticated attacker to get access to sensitive information.
CVE-2024-37991 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-37991. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 IMPROPER CHECK OR HANDLING OF EXCEPTIONAL CONDITIONS CWE-703
The affected devices do not properly handle the error raised when an over-length value is supplied while configuring SNMP, leading to a restart of the application.
CVE-2024-37992 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-37992. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.4 IMPROPER ACCESS CONTROL CWE-284
The affected applications do not authenticate the creation of Ajax2App instances. This could allow an unauthenticated attacker to cause a denial of service condition.
CVE-2024-37993 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2024-37993. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.2.5 HIDDEN FUNCTIONALITY CWE-912
The affected application contains a hidden configuration item to enable debug functionality. This could allow an attacker to gain insight into the internal configuration of the deployment.
CVE-2024-37994 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-37994. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.6 IMPROPER CHECK OR HANDLING OF EXCEPTIONAL CONDITIONS CWE-703
The affected application improperly handles an error during a faulty certificate upload, leading to a crash of the application. This vulnerability could allow an attacker to disclose sensitive information.
CVE-2024-37995 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2024-37995. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has released new versions for the affected products and recommends updating to the latest versions:
- SIMATIC RF1140R (6GT2831-6CB00), SIMATIC RF1170R (6GT2831-6BB00): Update to V1.1 or later version
- SIMATIC RF166C (6GT2002-0EE20), SIMATIC RF185C (6GT2002-0JE10), SIMATIC RF186C (6GT2002-0JE20), SIMATIC RF186CI (6GT2002-0JE50), SIMATIC RF188C (6GT2002-0JE40), SIMATIC RF188CI (6GT2002-0JE60): Update to V2.2 or later version
- SIMATIC RF360R (6GT2801-5BA30): Update to V2.2 or later version
- SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0): Update to V4.2 or later version
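The affected-product list in 3.1 and the fix-version list above are keyed on the Siemens order number (MLFB) and a "versions prior to" threshold, which is exactly what an asset inventory needs to be matched against. The script below does that matching: it maps each order number printed in section 4 to its fixed version, compares a device's firmware string to that threshold as a numeric version rather than as text, and reports which devices still need the update. It is an added example and not CISA's or Siemens' code; the order numbers and fixed versions are copied from the advisory, while the CSV inventory, its device names and the non-Siemens placeholder order number are constructed for the example.

```python
"""Inventory check against the fix versions in section 4 (added example; not
CISA's or Siemens' code).  Order numbers and fixed versions are those printed
in the advisory; the inventory below is constructed."""
import csv
import io
import re

# Fixed versions per order number, as listed in section 4 of the advisory.
FIXED_V4_2 = [  # RF610R / RF615R / RF650R / RF680R / RF685R readers
    "6GT2811-6BC10-2AA0", "6GT2811-6BC10-0AA0", "6GT2811-6BC10-1AA0",
    "6GT2811-6CC10-2AA0", "6GT2811-6CC10-0AA0", "6GT2811-6CC10-1AA0",
    "6GT2811-6AB20-4AA0", "6GT2811-6AB20-2AA0", "6GT2811-6AB20-0AA0",
    "6GT2811-6AB20-1AA0", "6GT2811-6AA10-4AA0", "6GT2811-6AA10-2AA0",
    "6GT2811-6AA10-0AA0", "6GT2811-6AA10-1AA0", "6GT2811-6CA10-4AA0",
    "6GT2811-6CA10-2AA0", "6GT2811-6CA10-0AA0", "6GT2811-6CA10-1AA0",
]
FIXED_V2_2 = [  # RF166C, RF185C, RF186C, RF186CI, RF188C, RF188CI, RF360R
    "6GT2002-0EE20", "6GT2002-0JE10", "6GT2002-0JE20", "6GT2002-0JE50",
    "6GT2002-0JE40", "6GT2002-0JE60", "6GT2801-5BA30",
]
FIXED_V1_1 = ["6GT2831-6CB00", "6GT2831-6BB00"]  # RF1140R, RF1170R

FIXED_VERSION = {
    **dict.fromkeys(FIXED_V4_2, "V4.2"),
    **dict.fromkeys(FIXED_V2_2, "V2.2"),
    **dict.fromkeys(FIXED_V1_1, "V1.1"),
}


def parse_version(text: str) -> tuple:
    """'V4.1.2' -> (4, 1, 2).  Tolerates a missing 'V' and surrounding whitespace.

    Comparing tuples, not strings, is the point: as text 'V4.10' sorts before
    'V4.2', which would wrongly clear a device that is actually patched.
    """
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(order_number: str, firmware: str) -> bool:
    """True when the product is named in the advisory and runs a pre-fix version."""
    fixed = FIXED_VERSION.get(order_number.strip().upper())
    if fixed is None:
        return False  # not a product covered by this advisory
    return parse_version(firmware) < parse_version(fixed)


# Constructed inventory for the example (names and the non-Siemens order
# number are made up; the 6GT... numbers are from the advisory).
INVENTORY_CSV = """\
name,order_number,firmware
rfid-dock-01,6GT2811-6AB20-0AA0,V4.1
rfid-dock-02,6GT2811-6AB20-0AA0,V4.2
rfid-line-03,6GT2002-0JE20,V2.1.5
rfid-line-04,6GT2831-6CB00,V1.1
rfid-gate-05,6GT2811-6AA10-1AA0,V4.2.1
rfid-gate-06,6GT2811-6CA10-4AA0,v4
other-device-07,EXAMPLE-NOT-IN-ADVISORY,V2.0
"""


def assess(inventory_csv: str) -> list:
    """Return [(name, order_number, firmware, required_version)] for devices to update."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected(row["order_number"], row["firmware"]):
            fixed = FIXED_VERSION[row["order_number"].strip().upper()]
            findings.append((row["name"], row["order_number"], row["firmware"], fixed))
    return findings


if __name__ == "__main__":
    for name, order, fw, fixed in assess(INVENTORY_CSV):
        print(f"{name} ({order}) runs {fw}; update to {fixed} or later")
```

The three edge cases in the constructed inventory are the ones that bite in practice: a device already on the fix version is not flagged, a later patch level such as V4.2.1 is not flagged, and a bare major version such as "v4" is treated as older than V4.2.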
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information see the associated Siemens security advisory SSA-765405 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- September 12, 2024: Initial Publication
This alert has come from: https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-07