Siemens SINEMA Remote Connect Client Vulnerability Advisory (CVE-2024-32006, CVE-2024-2004, etc.)

From this webpage screenshot, the following key vulnerability information can be obtained: 1. Vulnerability ID: SSA-417159 2. Affected Product: SINEMA Remote Connect Client 3. Affected Version Range: All versions < V3.2 SP2 4. Vulnerability Description: - CVE-2024-32006: Using the free OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavior, memory buffer leakage, or remote execution. - CVE-2024-2004: When the protocol selection parameter option disables all protocols, it may cause incorrect logic, leading to protocol deletion. - CVE-2024-2379: libcurl, under certain conditions, skips certificate validation. If instructed to use unknown/bad encryption or curves, an error path skips validation and returns OK, thereby ignoring any certificate issues. - CVE-2024-2398: When the application instructs libcurl to allow HTTP/2 server push, if the number of received headers exceeds the allowed maximum (1000), libcurl aborts the server push. Upon abort, libcurl incorrectly fails to release all previously allocated headers, resulting in memory leakage. - CVE-2024-2466: libcurl does not check the server certificate for TLS connections. When using mbedTLS, libcurl incorrectly avoids using the set hostname feature, thus completely skipping certificate verification. - CVE-2024-42344: The affected application inserts sensitive information into log files that are readable by all legitimate users. This may allow authenticated attackers to compromise the confidentiality of other users' configuration data. 5. Remediation Recommendation: Upgrade to V3.2 SP2 or later. 6. Security Recommendation: Use smart card/user certificate login instead of TOTP (time-based one-time password) based two-factor authentication mechanisms. 7. Product Description: SINEMA Remote Connect Client is software designed for remote connectivity. 8. Impact of Vulnerabilities: These vulnerabilities may result in undefined behavior, memory buffer leakage, remote code execution, certificate validation errors, and other issues. This information helps users understand the severity, scope of impact, and how to remediate and prevent these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

Siemens SINEMA Remote Connect Client Vulnerability Advisory (CVE-2024-32006, CVE-2024-2004, etc.)