Siemens OPC UA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: OPC UA
• Vulnerabilities: Observable Timing Discrepancy, Authentication Bypass by Primary Weakness

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to bypass application authentication and gain access to the data managed by the server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Industrial Edge for Machine Tools (formerly known as “SINUMERIK Edge”): All versions (CVE-2024-42513)
• SIMIT V11: All versions (CVE-2024-42512)
• SIMATIC BRAUMAT: All versions from V8.0 SP1 up to but not including V8.1 (CVE-2024-42513)
• SIMATIC Energy Manager PRO: All versions from V7.5 up to but not including V7.5 Update 2
• SIMATIC Energy Manager PRO: All versions after V7.2 Update 6
• SIMATIC IPC DiagMonitor: All versions (CVE-2024-42513)
• SIMATIC SISTAR: All versions from V8.0 SP1 up to but not including V8.1 (CVE-2024-42513)
• SIMATIC WinCC Unified V18: All versions (CVE-2024-42513)
• SIMATIC WinCC Unified V19: All versions before V19 Update 4 (CVE-2024-42513)
• SIMATIC WinCC V8.0: All versions before V8.0 Update 3 (CVE-2024-42513)

3.2 VULNERABILITY OVERVIEW

3.2.1 OBSERVABLE TIMING DISCREPANCY CWE-208

Vulnerability in the OPC UA .NET stand

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.