Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.6822
ICS Advisory | ICSA-23-320-09 Siemens COMOS
17 November 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens COMOS
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2023-46601 CVE-2023-43505 CVE-2023-43504
CVE-2023-43503 CVE-2023-22670 CVE-2023-22669
CVE-2023-2932 CVE-2023-2931 CVE-2023-1530
CVE-2023-0933 CVE-2022-28809 CVE-2022-28808
CVE-2022-28807 CVE-2022-23095 CVE-2020-35460
CVE-2020-25020
Original Bulletin:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-09
Comment: CVSS (Max): 9.8 CVE-2020-25020 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-23-320-09)
Siemens COMOS
Release Date
November 16, 2023
As of January 10, 2023, CISA will no longer be updating ICS security advisories
for Siemens product vulnerabilities beyond the initial advisory. For the most
up-to-date information on vulnerabilities in this advisory, please see Siemens'
ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
o CVSS v3 9.8
o ATTENTION : Exploitable remotely/Low attack complexity
o Vendor : Siemens
o Equipment : COMOS
o Vulnerabilities : Improper Restriction of XML External Entity Reference,
Path Traversal, Out-of-bounds Write, Out-of-bounds Read, Integer Overflow
or Wraparound, Use After Free, Heap-based Buffer Overflow, Cleartext
Transmission of Sensitive Information, Classic Buffer Overflow, Improper
Access Control
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to
execute arbitrary code, cause a denial-of-service condition, data infiltration,
or perform access control violations.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of Siemens are affected:
o COMOS: All versions
3.2 Vulnerability Overview
3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611
MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and
PhoenixReader components.
CVE-2020-25020 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).
3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory
traversal in the zip stream handler flow, leading to the writing of files to
arbitrary locations.
CVE-2020-35460 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).
3.2.3 OUT-OF-BOUNDS WRITE CWE-787
Open Design Alliance Drawings SDK before 2022.12.1 mishandles the loading of
JPG files. Unchecked input data from a crafted JPG file leads to memory
corruption. An attacker can leverage this vulnerability to execute code in the
context of the current process.
CVE-2022-23095 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.4 OUT-OF-BOUNDS READ CWE-125
Open Design Alliance Drawings SDK (all versions prior to 2023.2) is vulnerable
to an out-of-bounds read when rendering DWG files after they are opened in the
recovery mode. This could allow an attacker to execute code in the context of
the current process.
CVE-2022-28807 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.5 OUT-OF-BOUNDS READ CWE-125
Open Design Alliance Drawings SDK (all versions prior to 2023.3) is vulnerable
to an out-of-bounds read when reading DWG files in a recovery mode. This could
allow an attacker to execute code in the context of the current process.
CVE-2022-28808 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.6 OUT-OF-BOUNDS READ CWE-125
Open Design Alliance Drawings SDK (all versions prior to 2023.3) is vulnerable
to an out-of-bounds read when reading a DWG file with invalid vertex number in
a recovery mode. This could allow an attacker to execute code in the context of
the current process.
CVE-2022-28809 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.7 INTEGER OVERFLOW OR WRAPAROUND CWE-190
Integer overflow in PDFium library used in COMOS allowed a remote attacker to
potentially exploit heap corruption via a crafted PDF file.
CVE-2023-0933 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.8 USE AFTER FREE CWE-416
Use after free in PDFium library used in COMOS allowed a remote attacker to
potentially exploit heap corruption via a crafted HTML page.
CVE-2023-1530 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.9 USE AFTER FREE CWE-416
Use after free in PDFium library used in COMOS allowed a remote attacker to
potentially exploit heap corruption via a crafted PDF file.
CVE-2023-2931 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.10 USE AFTER FREE CWE-416
Use after free in PDFium library used in COMOS allowed a remote attacker to
potentially exploit heap corruption via a crafted PDF file.
CVE-2023-2932 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.11 HEAP-BASED BUFFER OVERFLOW CWE-122
Open Design Alliance Drawings SDK used in affected application is vulnerable to
heap-based buffer overflow while parsing specially crafted DWG files. An
attacker could leverage this vulnerability to execute code in the context of
the current process. (ZDI-CAN-19104)
CVE-2023-22669 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.12 HEAP-BASED BUFFER OVERFLOW CWE-122
Open Design Alliance Drawings SDK used in affected application is vulnerable to
heap-based buffer overflow while parsing specially crafted DXF files. An
attacker could leverage this vulnerability to execute code in the context of
the current process. (ZDI-CAN-19382)
CVE-2023-22670 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).
3.2.13 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
Caching system in the affected application leaks sensitive information such as
user and project information in cleartext via UDP.
CVE-2023-43503 has been assigned to this vulnerability. A CVSS v3 base score of
3.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:L/UI:N
/S:U/C:L/I:N/A:N ).
3.2.14 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120
Ptmcast executable used for testing cache validation service in affected
application is vulnerable to Structured Exception Handler (SEH) based buffer
overflow. This could allow an attacker to execute arbitrary code on the target
system or cause denial of service condition.
CVE-2023-43504 has been assigned to this vulnerability. A CVSS v3 base score of
9.6 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:C/C:H/I:H/A:H ).
3.2.15 IMPROPER ACCESS CONTROL CWE-284
The affected application lacks proper access controls in SMB shares. This could
allow an attacker to access files that the user should not have access to.
CVE-2023-43505 has been assigned to this vulnerability. A CVSS v3 base score of
9.6 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:C/C:H/I:H/A:N ).
3.2.16 IMPROPER ACCESS CONTROL CWE-284
The affected application lacks proper access controls in making the SQLServer
connection. This could allow an attacker to query the database directly to
access information that the user should not have access to.
CVE-2023-46601 has been assigned to this vulnerability. A CVSS v3 base score of
9.6 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:C/C:H/I:H/A:N ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens recommends updating to the latest version the COMOS product:
o Update to V10.4.4 or later version.
o For CVE-2023-43503, update the COMOS database to version 25. (See "Data
maintenance: Modifying the version" in the user manual. Warning: After the
update, the database cannot be used by older COMOS versions).
o For CVE-2023-43504, delete ptmcast.exe from bin folder of COMOS
installation directory. Installations from COMOS V10.4.4 or later version
does not contain ptmcast.exe.
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce risk:
o For CVE-2023-43505 and CVE-2023-46601, use an application server like
Citrix which builds an additional layer of access control around COMOS. The
file share with the documents folder and the database should be only
accessible by the application server. You can find further recommendations
in the COMOS manual "Security relevant configuration" in COMOS
documentation .
o Ensure all files imported into COMOS originate from a trusted source and
transmitted are over secure channels.
As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate the devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following
recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the
Siemens industrial security webpage .
For more information see the associated Siemens security advisory SSA-137900 in
HTML and CSAF .
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities, such as:
o Minimize network exposure for all control system devices and/or systems,
ensuring they are not accessible from the internet .
o Locate control system networks and remote devices behind firewalls and
isolating them from business networks.
o When remote access is required, use more secure methods, such as Virtual
Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be
updated to the most recent version available, and are only as secure as the
connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several CISA products detailing cyber defense
best practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies .
CISA encourages organizations to implement recommended cybersecurity strategies
for proactive defense of ICS assets .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
CISA also recommends users take the following measures to protect themselves
from social engineering attacks:
o Do not click web links or open attachments in unsolicited email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has
been reported to CISA at this time.
5. UPDATE HISTORY
o November 16, 2023: Initial Publication
This product is provided subject to this Notification and this Privacy & Use
policy.
Vendor
Siemens
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZVamsskNZI30y1K9AQilpg//W6g/tDjHO9oxZUI0cdSVpQGepGqH2XFh
jQoqm4mwbdjHC3co3UzsVYBxGCYaue+Uh7Sv6xUYMpu/N9UXFwTLwP6nH/ApsxKG
dFjKG5LdZDY46M7uS9F8bt89HNAKYuMGc7LBdML0Df/wobfYYFvFoLp+TFG0UPM8
OxTscxhu6e7Q4RJME5J9CqFz4SMejh7ALjGd20OqqGRJ7Y0DZsWeAYLBMJQh2NZX
3GVSIQeWIbBQW3hsFTrrd9k4GP4R8T/ulzL5QuZmwehv1o9HVmfXlUKS3Sv8qK6H
iVAAOPYJJuNgABkYtmdF6tUf0QD5VSMheD4W2qB95QqHoAHqctg96GF4qXcIKjwb
yNrkb5aPC8DS5hV42qnrDZResJZbt6KD9u6hodM8scYuHQ+uL4OS97jHKsIC4ZrQ
XuMxbSvU5c9D/tbl9NqMPxm4Q4wBJOlg0TF/xt4m4M612Q6Yix/gL8q8nvVmpgS7
AZ8gw0vhB3x6108DEKL4GFrfkZFUGmSz9cxxnb3QefG6pokIRRlsR1K4RYxkrZfD
8hsdgeCE5eV2d2uMRCF0zL/UgM6w6ZUJYOEopKe+h1WgeaqDn9olQApWePfEKO+0
FMjJ/ihxUngPZX3L8838D4so5pd1UAp2tnutojEv62volccw8cCtO1xwAz6mrTle
xtX0wqkOjLI=
=irjW
-----END PGP SIGNATURE-----