Siemens RUGGEDCOM CROSSBOW V5.5 Security Advisory: Multiple CVEs (RCE, SQLi, File Upload)

SSA-916916: Security Vulnerability Fix in RUGGEDCOM CROSSBOW V5.5 - Release Date: 2024-05-14 - Last Updated: 2024-05-14 - Current Version: V1.0 - CVSS v3.1 Base Score: 9.8 - CVSS v4.0 Base Score: 9.3 Summary - The RUGGEDCOM CROSSBOW server application in versions prior to V5.5 contains multiple vulnerabilities that could allow attackers to execute arbitrary database queries via SQL injection attacks, or upload arbitrary files to the application’s file system. Most reported vulnerabilities may have a high impact on the availability of affected systems. - Siemens has released a new version of RUGGEDCOM CROSSBOW and recommends updating to the latest version. Affected Products and Solutions - Affected Products and Versions: All versions of RUGGEDCOM CROSSBOW < V5.5 are affected by all CVEs - Remediation: Upgrade to V5.5 or later. More information Workarounds and Mitigations - Product-specific remediations or mitigations can be found in the “AFFECTED PRODUCTS AND SOLUTION” section. Please follow the general security recommendations. General Security Recommendations - To protect network access to devices, Siemens strongly recommends protecting network access using appropriate mechanisms within a protected IT environment. To operate devices, Siemens recommends configuring the environment according to Siemens’ industrial security operational guidelines and following recommendations in the product manual. Additional information on industrial security from Siemens can be found at this link. Product Description - No specific information provided. Vulnerability Description - This section describes all vulnerabilities (CVE-ID) addressed in this security advisory. Where applicable, it also documents the product-specific impact of each vulnerability. - Vulnerability CVE-2024-27939: Affected systems allow any unauthenticated user to upload arbitrary files. Attackers can exploit this vulnerability to execute arbitrary code with system privileges. CVSS v3.1 Base Score: 9.8, CVSS v4.0 Base Score: 9.3. - Vulnerability CVE-2024-27940: Affected systems allow any authenticated user to send arbitrary SQL commands to the SQL server. Attackers can exploit this vulnerability to compromise the entire database. CVSS v3.1 Base Score: 8.8, CVSS v4.0 Base Score: 8.7. - Vulnerability CVE-2024-27941: Affected client systems do not properly sanitize input before sending data to the SQL server. Attackers can exploit this vulnerability to compromise the entire database. CVSS v3.1 Base Score: 8.8, CVSS v4.0 Base Score: 8.7. - Vulnerability CVE-2024-27942: Affected systems allow any unauthenticated client to disconnect any active user from the server. Attackers can exploit this vulnerability to prevent any user from performing operations in the system, leading to service disruption. CVSS v3.1 Base Score: 7.5, CVSS v4.0 Base Score: 8.7. - Vulnerability CVE-2024-27943: Affected systems allow privileged users to upload generic files to the system’s root installation directory. By replacing specific files, attackers can tamper with specific files or even achieve remote code execution. CVSS v3.1 Base Score: 7.2, CVSS v4.0 Base Score: 8.6. - Vulnerability CVE-2024-27944: Affected systems allow privileged users to upload firmware files to the system’s root installation directory. By replacing specific files, attackers can tamper with specific files or even achieve remote code execution. CVSS v3.1 Base Score: 7.2, CVSS v4.0 Base Score: 8.6. - Vulnerability CVE-2024-27945: The bulk import feature allows privileged users to upload files to the system’s root installation directory. By replacing specific files, attackers can tamper with specific files or even achieve remote code execution. CVSS v3.1 Base Score: 7.2, CVSS v4.0 Base Score: 8.6. - Vulnerability CVE-2024-27946: Downloaded files overwrite files with the same name in the affected system’s installation directory. The target file name can be specified, so an attacker with appropriate permissions can overwrite any file. CVSS v3.1 Base Score: 6.5, CVSS v4.0 Base Score: 7.0. - Vulnerability CVE-2024-27947: In certain cases, the affected system can forward log messages to specific clients. Attackers can exploit this vulnerability to forward log messages to specific compromised clients. CVSS v3.1 Base Score: 5.3, CVSS v4.0 Base Score: 6.9. Additional Information - For further inquiries regarding security vulnerabilities in Siemens products and solutions, please contact Siemens ProductCERT: https://www.siemens.com/cert/advisories Historical Data - V1.0 (2024-05-14): Initial release date. Terms of Use - Siemens security advisories are subject to Siemens’ underlying license terms or other applicable agreements previously entered into with Siemens (hereinafter referred to as "License Terms"). In the event of any conflict between the information, software, or terms provided in Siemens security advisories and the "Terms of Use of Siemens’ Global Website," the License Terms shall prevail.

Goal Reached Thanks to every supporter — we hit 100%!

Siemens RUGGEDCOM CROSSBOW V5.5 Security Advisory: Multiple CVEs (RCE, SQLi, File Upload)