As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v4 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Industrial Edge Management
- Vulnerability: Authorization Bypass Through User-Controlled Key
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to impersonate other devices onboarded to the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products are affected:
- Industrial Edge Management Pro: Versions prior to V1.9.5
- Industrial Edge Management Virtual: Versions prior to V2.3.1-1
3.2 Vulnerability Overview
3.2.1 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639
Affected components do not properly validate the device tokens. This could allow an unauthenticated remote attacker to impersonate other devices onboarded to the system.
CVE-2024-45032 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for This article has been indexed from All CISA Advisories