SSA-857368

Siemens Energy Security Advisory by Siemens ProductCERT

SSA-857368: Multiple Vulnerabilities in Omnivise T3000

Publication Date:	2024-08-02
Last Update:	2024-08-13
Current Version:	V1.1
CVSS v3.1 Base Score:	8.2
CVSS v4.0 Base Score:	8.7

SUMMARY

Omnivise T3000 contains multiple vulnerabilities that could allow an attacker to escalate privileges.

Siemens Energy has released patches for several affected products and recommends to apply the patches. Siemens Energy is preparing further fixes for versions still under maintenance and recommends countermeasures for products where fixes are not, or not yet available.

AFFECTED PRODUCTS AND SOLUTION

Un-/Collapse All

Affected Product and Versions	Remediation
Omnivise T3000	Open for details See further recommendations from section Workarounds and Mitigations
Omnivise T3000 R9.2	Open for details See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Application Server R9.2 All versions affected by all CVEs CVE-2024-38876 CVE-2024-38877 CVE-2024-38878 CVE-2024-38879	Install System Software Patch 22.173.20 and System Software Patch 22.173.52 as well as Application Software Patch 09.0.19.06; apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Domain Controller R9.2 All versions affected by multiple CVEs CVE-2024-38876 CVE-2024-38877	Install System Software Patch 22.173.20 and System Software Patch 22.173.52; apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Network Intrusion Detection System (NIDS) R9.2 All versions affected by CVE-2024-38877	Apply mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Product Data Management (PDM) R9.2 All versions affected by multiple CVEs CVE-2024-38876 CVE-2024-38877	Install System Software Patch 22.173.20 and System Software Patch 22.173.52; apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Security Server R9.2 All versions affected by CVE-2024-38877	Install System Software Patch 22.173.52; apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Terminal Server R9.2 All versions affected by multiple CVEs CVE-2024-38876 CVE-2024-38877	Install System Software Patch 22.173.20 and System Software Patch 22.173.52; apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Thin Client R9.2 All versions affected by multiple CVEs CVE-2024-38876 CVE-2024-38877	Install System Software Patch 22.173.20 and System Software Patch 22.173.52; apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Whitelisting Server R9.2 All versions affected by multiple CVEs CVE-2024-38876 CVE-2024-38877	Install System Software Patch 22.173.20 and System Software Patch 22.173.52; apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 R8.2 SP3 All versions affected by all CVEs CVE-2024-38876 CVE-2024-38877 CVE-2024-38878 CVE-2024-38879	Currently no fix is planned See recommendations from section Workarounds and Mitigations
Omnivise T3000 R8.2 SP4 All versions affected by all CVEs CVE-2024-38876 CVE-2024-38877 CVE-2024-38878 CVE-2024-38879	Currently no fix is available See recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens Energy has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

CVE-2024-38877: If the passwords are suspected to be compromised, change the Passwords for all computers and service accounts. In addition follow the instructions from Omnivise T3000 Technical News 2024-089 which is available through T3000 customer service and applies to releases (8.2 SP3/SP4 and 9.2).

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure Siemens Energy strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.

PRODUCT DESCRIPTION

Omnivise T3000 is a distributed control system mostly used in fossil and large scale renewable power plants.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2024-38876

The affected application regularly executes user modifiable code as a privileged user. This could allow a local authenticated attacker to execute arbitrary code with elevated privileges.

CVSS v3.1 Base Score	7.8
CVSS v3.1 Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:T/RC:C
CVSS v4.0 Base Score	8.5
CVSS v4.0 Vector	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE	CWE-552: Files or Directories Accessible to External Parties

Vulnerability CVE-2024-38877

The affected devices stores initial system credentials without sufficient protection. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss allowing the attacker to laterally move within the affected network.

CVSS v3.1 Base Score	8.2
CVSS v3.1 Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CVSS v4.0 Base Score	8.3
CVSS v4.0 Vector	CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE	CWE-312: Cleartext Storage of Sensitive Information

Vulnerability CVE-2024-38878

Affected devices allow authenticated users to export diagnostics data. The corresponding API endpoint is susceptible to path traversal and could allow an authenticated attacker to download arbitrary files from the file system.

CVSS v3.1 Base Score	7.2
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CVSS v4.0 Base Score	6.9
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Vulnerability CVE-2024-38879

The affected system exposes the port of an internal application on the public network interface allowing an attacker to circumvent authentication and directly access the exposed application.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
CVSS v4.0 Base Score	8.7
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-20: Improper Input Validation

ACKNOWLEDGMENTS

Siemens Energy thanks the following parties for their efforts:

Steffen Robertz and Andreas Kolbeck from SEC Consult Vulnerability Lab for coordinated disclosure
BASF Offensive Security and Automation Security Teams for coordinated disclosure of CVE-2024-38877

ADDITIONAL INFORMATION

Additional information is available via Siemens Energy T3000 customer service:

Omnivise T3000 Technical News 2024-089
SE Controls Security Announcement 2024-01

Note regarding Omnivise T3000 Security Server R9.2: The System Software Patch 22.173.20 is not needed for installation on the Security Server itself, but must be available for deployment to the systems that are affected by CVE-2024-38876.

For further inquiries on security vulnerabilities in Siemens Energy products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2024-08-02):	Publication Date
V1.1 (2024-08-13):	Added additional affected Omnivise T3000 Releases R8.2 SP3 and SP4, corrected inconsistent information, added reference to SE Controls Security Announcement 2024-01

Siemens Energy Security Advisories are subject to the terms and conditions contained in Siemens Energy’ underlying license terms or other applicable agreements previously agreed to with Siemens Energy (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Energy Security Advisory, the Terms of Use of Siemens’ Global Website (https://www.siemens.com/ terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.