-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-665034: Vulnerability in Nozomi Guardian/CMC before 23.3.0 on RUGGEDCOM
APE1808 devices

Publication Date:        2024-02-13
Last Update:             2024-05-14
Current Version:         1.1
CVSS v3.1 Base Score:    5.3


SUMMARY
=======

Nozomi Networks has published information on vulnerabilities in

Nozomi Guardian/CMC before 23.3.0. This advisory lists the related
Siemens Industrial products affected by these vulnerabilities. Siemens
has released a new version for RUGGEDCOM APE1808 and recommends to
update to the latest version. Customers are advised to consult and
implement the workarounds provided in Nozomi Network's upstream
security notifications.


AFFECTED PRODUCTS AND SOLUTION
==============================

* RUGGEDCOM APE1808
  - Affected versions:
       All versions with Nozomi Guardian / CMC before 23.3.0
  - Remediation:
       Upgrade Nozomi Guardian / CMC to V23.4.1. Contact customer support to receive
       patch and update information.

       See further recommendations from section "Workarounds and Mitigations"


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

  * Use internal firewall features to limit access to the web management interface
Product-specific remediations or mitigations can be found in the section
"Affected Products and Solution".

Please follow the "General Security Recommendations".

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends
to configure the environment according to Siemens' operational
guidelines for Industrial Security (Download:

https://www.siemens.com/cert/operational-guidelines-industrial-
security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity


PRODUCT DESCRIPTION
===================

The RUGGEDCOM APE1808 is a powerful utility-grade application hosting
platform that lets you deploy a range of commercially available
applications for edge computing and cybersecurity in harsh, industrial
environments.

VULNERABILITY DESCRIPTION
=========================

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory.
Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.


* Vulnerability CVE-2023-5253

  A missing authentication check in the WebSocket channel used for the
  Check Point IoT integration in Nozomi Networks Guardian and CMC, may
  allow an unauthenticated attacker to obtain assets data without
  authentication.

    CVSS v3.1 Base Score: 5.3
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
    CWE:                  CWE-200: Exposure of Sensitive Information to an Unauthorized
                          Actor


ADDITIONAL INFORMATION
======================

Nozomi provides a public RSS feed for their security alerts to which
customers can also subscribe [1].

[1] https://security.nozominetworks.com/alerts/

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2024-02-13): Publication Date
V1.1 (2024-05-14): Added specific product version to remediations

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.

Copyright: Siemens 2024
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEch+g+vCfo0skv7l6x5aGHHWng/oFAmZCqYAACgkQx5aGHHWn
g/qiGw//QFZMgDisiD4WkGlhum3VMhsYYGYbz/RFGnsx0N87Ygfia2M3MzmQDOBc
yZYfrATRVc167o5lsGF4Aoquc0CakmrMxryeuThisavLEiYSf/UjjW6WWvXUu+N5
XtYfiuxRh4H0PY6xW2W+Upt1+0kn0fsfLexBksdJXrHKvIJc7v50D1kXzKYyQGXL
iIUqNEPWYpLQt7cPyoTYxxKJVKg0riACo/2uKAo9u2Ld/0Qsa3Ynb7mgrbcQrbfg
ZnLQi+jjP+Lj6GO2B5KoMPd0a6TOGi+E/KnujDtDDmZR62Dj21+11cxhbSszmwaU
CYJeG3sRNEAF6Hi7HUXuogJPF+4p9NQ4ax9rmuR1Q04GSWOfIZw3iTbNtieeW7Xq
dSDOShFtrKvaZtHI8eiceWJ+GedzriXNP5LKy0itUG/LXUQ8Ex+yc8aX0fI5VYB1
0VWptWMGJymPIpWq+uj+TkG/EjapzTFqJlWCV1sd8MHDsFqMmV0mImsoIlZrueFR
AmEPuQcvdR/bj7Ia38x0Pw5DaE/aY1aBGSC00szJrQAZ1ABLwwqR3QWa7EZTDuZp
Gn05B3YwLShjsXF6eQJ8yejUuQ8ZqxA9UmR/hv01NJbTTyXWAfe51228DHcRowJk
6L8JDw6dARlOvYI3zykSi7BJ2nBFdY2O43dxobnkeid6qUBqINg=
=G4Zo
-----END PGP SIGNATURE-----