SSA-454789: Deserialization Vulnerability in TeleControl Server Basic V3.1

Key Information from the Webpage:

1. Publication Date: 2024-11-12
2. Last Update: 2024-11-12
3. Current Version: V1.0
4. CVSS v3.1 Base Score: 10.0
5. CVSS v4.0 Base Score: 10.0
6. Summary: TeleControl Server Basic V3.1 contains a deserialization vulnerability that could allow an unauthenticated attacker to execute arbitrary code on the device.
7. Affected Products and Solution:
   - Affected product and versions: TeleControl Server Basic V3.1
   - Remediation: Update to V3.1.2.1 or a later version. See also the recommendations in the Workarounds and Mitigations section.
8. Workarounds and Mitigations:
   - Disable redundancy if it is not used.
   - Restrict access to the affected systems to trusted IP addresses only.
9. General Security Recommendations:
   - Siemens recommends protecting network access to devices with appropriate mechanisms.
   - Configure the environment according to Siemens' operational guidelines for Industrial Security.
   - Follow the recommendations in the product manuals.
10. Vulnerability Description (this section describes all vulnerabilities, by CVE-ID, addressed in this security advisory):
   - The affected system allows remote users to send maliciously crafted objects. Because the affected software deserializes user-supplied content insecurely, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object, which could allow the attacker to execute arbitrary code on the device with SYSTEM privileges.
11. Acknowledgments: Siemens thanks Tenable for coordinated disclosure.
12. Additional Information: Contact Siemens ProductCERT for further inquiries on security vulnerabilities in Siemens products and solutions.
13. History Data: V1.0 (2024-11-12): Publication Date
14. Terms of Use: The use of Siemens Security Advisories is subject to the terms and conditions listed on:
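The bug class behind the vulnerability description (an unauthenticated network listener handing attacker-supplied bytes to a deserializer that instantiates whatever types the bytes name) and the workaround of restricting access to trusted addresses, shown together as an added illustration. This is example code written for this page, not TeleControl Server Basic or Siemens code, and the advisory does not state which serializer the product uses: Python's pickle stands in for it, and the trusted network 10.0.1.0/24, the StatusUpdate message type, the peer addresses and the handler names are assumptions for the demo.

```python
"""Generic illustration of the SSA-454789 bug class (untrusted bytes handed to a
deserializer that can instantiate arbitrary types, reachable without
authentication) and of the advisory's network-restriction workaround.
Example code written for this page; not TeleControl Server Basic or Siemens
code. pickle stands in for the product's serializer; the trusted network,
message type, peer addresses and handler names are assumptions."""
import io
import ipaddress
import os
import pickle

DEMO_MARKER = "SSA_454789_DEMO"   # env var the harmless stand-in payload sets


class Exploit:
    """Attacker-crafted object. pickle records __reduce__'s callable and its
    arguments, and the *receiver* calls that callable while loading the bytes."""

    def __reduce__(self):
        # A real gadget would call os.system or spawn a process as the service
        # user (SYSTEM in the advisory); this one only sets an environment
        # variable so the effect stays visible and harmless.
        return (exec, (f"import os; os.environ['{DEMO_MARKER}'] = 'code ran'",))


class StatusUpdate:
    """The only message the service is meant to accept (assumed format)."""

    def __init__(self, station, value):
        self.station = station
        self.value = value


# Constructed inputs for the demo: one malicious object, one legitimate message.
CRAFTED_PAYLOAD = pickle.dumps(Exploit())
LEGIT_PAYLOAD = pickle.dumps(StatusUpdate("RTU-7", 42))


def vulnerable_handle(peer_ip, payload):
    """Before: the peer is never checked, and pickle.loads instantiates whatever
    module.name pairs the bytes reference, so deserialization *is* code execution."""
    del peer_ip  # unused: anyone who can reach the listener is served
    return pickle.loads(payload)


TRUSTED_NETS = [ipaddress.ip_network("10.0.1.0/24")]        # assumed trusted peers
ALLOWED_TYPES = {(StatusUpdate.__module__, "StatusUpdate"): StatusUpdate}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves globals only from an explicit registry; never imports by name."""

    def find_class(self, module, name):
        try:
            return ALLOWED_TYPES[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}") from None


def hardened_handle(peer_ip, payload):
    """After: reject untrusted peers first (the advisory's workaround), then
    deserialize through the type allow list (the fix for the bug class itself)."""
    ip = ipaddress.ip_address(peer_ip)
    if not any(ip in net for net in TRUSTED_NETS):
        raise PermissionError(f"peer {peer_ip} is not in the trusted address list")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def run_vulnerable():
    """Feed the crafted object to the old handler; returns the marker the
    payload set, proving attacker-supplied code ran inside the service."""
    os.environ.pop(DEMO_MARKER, None)
    vulnerable_handle("203.0.113.5", CRAFTED_PAYLOAD)
    return os.environ.get(DEMO_MARKER)


def run_hardened():
    """Same inputs through the hardened handler; returns the outcome per case."""
    cases = [
        ("untrusted_peer", "203.0.113.5", CRAFTED_PAYLOAD),
        ("trusted_peer_crafted", "10.0.1.20", CRAFTED_PAYLOAD),
        ("trusted_peer_legit", "10.0.1.20", LEGIT_PAYLOAD),
    ]
    outcomes = {}
    for label, ip, payload in cases:
        try:
            msg = hardened_handle(ip, payload)
            outcomes[label] = f"accepted {msg.station}={msg.value}"
        except (PermissionError, pickle.UnpicklingError) as exc:
            outcomes[label] = f"rejected: {type(exc).__name__}"
    return outcomes


if __name__ == "__main__":
    print("vulnerable path:", run_vulnerable())
    print("hardened path:", run_hardened())
```

The two layers map onto the advisory: the peer check is the "trusted IP addresses only" workaround and stops the untrusted case before any bytes are parsed, but a trusted peer that is itself compromised still reaches the deserializer, so the crafted object is only stopped by the allow-listed type registry. That registry, rather than a blocklist of dangerous names, is the durable fix for this bug class; the vendor update in the advisory is the equivalent for the real product.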