Publication Date: |
|
Last Update: |
|
Current Version: | V1.1 |
CVSS v3.1 Base Score: | 7.1 |
Affected Product and Versions | Remediation |
---|---|
All versions with Nozomi Guardian / CMC before V22.6.2 |
Contact customer support to receive patch and update information.
|
Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
Product-specific remediations or mitigations can be found in the section
Affected Products and Solution.
Please follow the General Security Recommendations.
As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.
An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.
A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL queries on the DBMS used by the web application.
Authenticated users can extract arbitrary information from the DBMS in an uncontrolled way.
CVSS v3.1 Base Score | 7.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:P/RL:O/RC:C |
CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
An authenticated attacker with administrative access to the appliance can inject malicious JavaScript code inside the definition of a Threat Intelligence rule, that will later be executed by another legitimate user viewing the details of such a rule.
An attacker may be able to perform unauthorized actions on behalf of legitimate users. JavaScript injection was possible in the content for Yara rules, while limited HTML injection has been proven for packet and STYX rules. The injected code will be executed in the context of the authenticated victim's session.
CVSS v3.1 Base Score | 6.4 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the alerts_count component, allows an authenticated attacker to execute arbitrary SQL queries on the DBMS used by the web application.
Authenticated users can extract arbitrary information from the DBMS in an uncontrolled way.
CVSS v3.1 Base Score | 7.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:P/RL:O/RC:C |
CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
An authenticated administrator can upload a SAML configuration file with the wrong format, with the application not checking the correct file format. Every subsequent application request will return an error.
The whole application in rendered unusable until a console intervention.
CVSS v3.1 Base Score | 4.9 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
CWE | CWE-20: Improper Input Validation |
A partial DoS vulnerability has been detected in the Reports section, exploitable by a malicious authenticated user forcing a report to be saved with its name set as null.
The reports section will be partially unavailable for all later attempts to use it, with the report list seemingly stuck on loading.
CVSS v3.1 Base Score | 4.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C |
CWE | CWE-20: Improper Input Validation |
An access control vulnerability was found, due to the restrictions that are applied on actual assertions not being enforced in their debug functionality.
An authenticated user with reduced visibility can obtain unauthorized information via the debug functionality, obtaining data that would normally be not accessible in the Query and Assertions functions.
CVSS v3.1 Base Score | 6.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
CWE | CWE-863: Incorrect Authorization |
CVSS v3.1 Base Score | 5.0 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
CWE | CWE-384: Session Fixation |
V1.0 (2023-10-10): | Publication date |
V1.1 (2023-11-14): | Added solution for affected products |