SSA-333468

Siemens Security Advisory by Siemens ProductCERT

SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber Devices

Publication Date:	2024-10-23
Last Update:	2024-10-23
Current Version:	V1.0
CVSS v3.1 Base Score:	10.0
CVSS v4.0 Base Score:	10.0

SUMMARY

InterMesh Subscriber devices contain multiple vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.

Siemens has released new versions for the affected products and recommends to update to the latest versions.

AFFECTED PRODUCTS AND SOLUTION

Un-/Collapse All

Affected Product and Versions	Remediation
InterMesh 7177 Hybrid 2.0 Subscriber All versions < V8.2.12 affected by all CVEs CVE-2024-47901 CVE-2024-47902 CVE-2024-47903 CVE-2024-47904	Update to V8.2.12 or later version https://aes-corp.com/product/7177h-88-ulp-intellinet-2-0-hybrid-subscriber/ See further recommendations from section Workarounds and Mitigations
InterMesh 7707 Fire Subscriber All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration) affected by all CVEs CVE-2024-47901 CVE-2024-47902 CVE-2024-47903 CVE-2024-47904	Update to V7.2.12 or later version Disable the IP interface https://aes-corp.com/product/7707p-88-ulp-m-intellinet-2-0-fire-subscriber/ See further recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Restrict access to the InterMesh network to trusted systems and persons only

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.

PRODUCT DESCRIPTION

InterMesh is a wireless alarm reporting system that uses advanced mesh radio network technology for fast and reliable alarm signal delivery.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2024-47901

The web server of affected devices does not sanitize the input parameters in specific GET requests that allow for code execution on operating system level. In combination with other vulnerabilities (CVE-2024-47902, CVE-2024-47903, CVE-2024-47904) this could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.

CVSS v3.1 Base Score	10.0
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0 Base Score	10.0
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Vulnerability CVE-2024-47902

The web server of affected devices does not authenticate GET requests that execute specific commands (such as ping) on operating system level.

CVSS v3.1 Base Score	7.2
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS v4.0 Base Score	6.9
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CWE	CWE-306: Missing Authentication for Critical Function

Vulnerability CVE-2024-47903

The web server of affected devices allows to write arbitrary files to the web server's DocumentRoot directory.

CVSS v3.1 Base Score	5.8
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVSS v4.0 Base Score	6.9
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
CWE	CWE-250: Execution with Unnecessary Privileges

Vulnerability CVE-2024-47904

The affected devices contain a SUID binary that could allow an authenticated local attacker to execute arbitrary commands with root privileges.

CVSS v3.1 Base Score	7.8
CVSS v3.1 Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0 Base Score	8.5
CVSS v4.0 Vector	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE	CWE-266: Incorrect Privilege Assignment

ACKNOWLEDGMENTS

Siemens thanks the following parties for their efforts:

AES Corporation for coordination efforts
Jean Pereira from CYTRES for reporting the vulnerabilities

ADDITIONAL INFORMATION

Siemens InterMesh Subscriber Devices are brand-labeled devices from AES Corporation (https://aes-corp.com/). Fore more information regarding affected products from AES see their corresponding release notes in the AES knowledge base at: https://aes-corp.my.salesforce.com/sserv/login.jsp?orgId=00D30000000YZKG.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2024-10-23):

Publication Date

Siemens Security Advisories are subject to the terms and conditions contained in Siemens’ underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens’ Global Website (https://www.siemens.com/ terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.