As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v4 8.8
- ATTENTION: Exploitable from adjacent network/low attack complexity
- Vendor: Siemens
- Equipment: INTRALOG WMS
- Vulnerabilities: Cleartext Transmission of Sensitive Information, Heap-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation could allow an unauthenticated attacker located in the INTRALOG WMS network to decrypt and modify client-server communication, or potentially execute arbitrary code on the application servers.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of Siemens INTRALOG WMS, are affected:
- Siemens INTRALOG WMS: Versions prior to V4
3.2 Vulnerability Overview
3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
CVE-2024-0056 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for This article has been indexed from All CISA Advisories