SSA-857368

Siemens Energy Security Advisory by Siemens ProductCERT

SSA-857368: Multiple Vulnerabilities in Omnivise T3000

Publication Date:	2024-08-02
Last Update:	2024-08-02
Current Version:	V1.0
CVSS v3.1 Base Score:	8.2
CVSS v4.0 Base Score:	8.7

SUMMARY

Omnivise T3000 contains multiple vulnerabilities that could allow an attacker to escalate privileges.

Siemens Energy has released patches for several affected products and recommends to apply the patches. Siemens Energy is preparing further fixes for versions still under maintenance and recommends countermeasures for products where fixes are not, or not yet available.

AFFECTED PRODUCTS AND SOLUTION

Un-/Collapse All

Affected Product and Versions	Remediation
Omnivise T3000	Open for details See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Application Server	Open for details See download link in the latest Omnivise T3000 Technical News See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Application Server All versions >= R9.2 affected by CVE-2024-38876	Install System software patch 22.173.20 and System software patch 22.173.52 as well as Application software patch 09.0.19.06 See download link in the latest Omnivise T3000 Technical News See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Application Server All versions affected by multiple CVEs CVE-2024-38877 CVE-2024-38878 CVE-2024-38879	Install System software patch 22.173.52 and Application software patch 09.0.19.06 and apply additional mitigations from Omnivise T3000 Technical News 2024-089 See download link in the latest Omnivise T3000 Technical News See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Domain Controller	Open for details See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Domain Controller All versions >= R9.2 affected by CVE-2024-38876	Install System software patch 22.173.20 and System software patch 22.173.52 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Domain Controller All versions affected by CVE-2024-38877	Install System software patch 22.173.52 and apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Network Intrusion Detection System (NIDS) All versions affected by CVE-2024-38877	Apply mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Product Data Management (PDM)	Open for details See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Product Data Management (PDM) All versions >= R9.2 affected by CVE-2024-38876	Install System software patch 22.173.20 and System software patch 22.173.52 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Product Data Management (PDM) All versions affected by CVE-2024-38877	Install System software patch 22.173.52 and apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Security Server All versions affected by CVE-2024-38877	Apply mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Terminal Server	Open for details See download link in the latest Omnivise T3000 Technical News See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Terminal Server All versions >= R9.2 affected by CVE-2024-38876	Install System software patch 22.173.20 and System software patch 22.173.52 See download link in the latest Omnivise T3000 Technical News See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Terminal Server All versions affected by CVE-2024-38877	Install System software patch 22.173.52 and apply additional mitigations from Omnivise T3000 Technical News 2024-089 See download link in the latest Omnivise T3000 Technical News See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Thin Client	Open for details See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Thin Client All versions >= R9.2 affected by CVE-2024-38876	Install System software patch 22.173.52 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Thin Client All versions affected by CVE-2024-38877	Install System software patch 22.173.52 and apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Whitelisting Server	Open for details See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Whitelisting Server All versions >= R9.2 affected by CVE-2024-38876	Install System software patch 22.173.20 and System software patch 22.173.52 See further recommendations from section Workarounds and Mitigations
Omnivise T3000 Whitelisting Server All versions affected by CVE-2024-38877	Install System software patch 22.173.52 and apply additional mitigations from Omnivise T3000 Technical News 2024-089 See further recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens Energy has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

CVE-2024-38877: If the passwords are suspected to be compromised, change the Passwords for all computers and service accounts. In addition follow the instructions from Omnivise T3000 Technical News 2024-089 which is available through T3000 costumer service.

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure Siemens Energy strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.

PRODUCT DESCRIPTION

Omnivise T3000 is a distributed control system mostly used in fossil and large scale renewable power plants.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2024-38876

The affected application regularly executes user modifiable code as a privileged user. This could allow a local authenticated attacker to execute arbitrary code with elevated privileges.

CVSS v3.1 Base Score	7.8
CVSS v3.1 Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:T/RC:C
CVSS v4.0 Base Score	8.5
CVSS v4.0 Vector	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE	CWE-552: Files or Directories Accessible to External Parties

Vulnerability CVE-2024-38877

The affected devices stores initial system credentials without sufficient protection. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss allowing the attacker to laterally move within the affected network.

CVSS v3.1 Base Score	8.2
CVSS v3.1 Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CVSS v4.0 Base Score	8.3
CVSS v4.0 Vector	CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE	CWE-312: Cleartext Storage of Sensitive Information

Vulnerability CVE-2024-38878

Affected devices allow authenticated users to export diagnostics data. The corresponding API endpoint is susceptible to path traversal and could allow an authenticated attacker to download arbitrary files from the file system.

CVSS v3.1 Base Score	7.2
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CVSS v4.0 Base Score	6.9
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Vulnerability CVE-2024-38879

The affected system exposes the port of an internal application on the public network interface allowing an attacker to circumvent authentication and directly access the exposed application.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
CVSS v4.0 Base Score	8.7
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-20: Improper Input Validation

ACKNOWLEDGMENTS

Siemens Energy thanks the following parties for their efforts:

Steffen Robertz and Andreas Kolbeck from SEC Consult Vulnerability Lab for coordinated disclosure
BASF Offensive Security and Automation Security Teams for coordinated disclosure of CVE-2024-38877

ADDITIONAL INFORMATION

Siemens Energy also published additional information regarding these vulnerabilities in Omnivise T3000 Technical News 2024-089 which is available through T3000 costumer service.

For further inquiries on security vulnerabilities in Siemens Energy products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2024-08-02):

Publication Date

Siemens Energy Security Advisories are subject to the terms and conditions contained in Siemens Energy’ underlying license terms or other applicable agreements previously agreed to with Siemens Energy (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Energy Security Advisory, the Terms of Use of Siemens’ Global Website (https://www.siemens.com/ terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.