Full Report
Vulnerabilities have been identified in the SPPA-T3000 Application Server and MS3000 Migration Server. Some of the faults are critical and could allow attackers to execute arbitrary code on the server.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Siemens SPPA-T3000 Application and Migration Servers
## CVE Details
*Note: This specific advisory (SSA-451445) addressed 19 separate vulnerabilities. The most critical are highlighted below.*
- **CVE ID:** CVE-2019-18281, CVE-2019-18282 (Primary Critical Flaws)
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data), CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** Siemens SPPA-T3000 Application Server and MS3000 Migration Server.
- **Versions:** All versions prior to Service Pack 3000 (SP3) R3.1.
- **Configurations:** Systems where the Application Server and MS3000 server are accessible via the network (typically Port 1099/TCP and Port 10443/TCP).
## Vulnerability Description
The primary critical flaws involve improper handling of Java deserialization and missing authentication controls. Specifically, the Application Server and MS3000 Migration Server expose RMI (Remote Method Invocation) and other interfaces that accept specially crafted serialized objects from unauthenticated users. When the server deserializes these objects, arbitrary code runs with high privileges. Other vulnerabilities in the set include path traversal and insecure storage of credentials.
## Exploitation
- **Status:** PoC details have been discussed in security research communities; however, active "in-the-wild" exploitation was not confirmed at the time of the initial disclosure.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Full access to system data)
- **Integrity:** Total (Complete control over application logic)
- **Availability:** Total (Ability to shut down or crash the server)
## Remediation
### Patches
- **Application Server:** Upgrade to SPPA-T3000 SP3 R3.1 or later.
- **MS3000:** Apply the specific security patches issued by Siemens via their customer support portal.
### Workarounds
- **Network Segmentation:** Isolate the SPPA-T3000 Application Server and MS3000 from the general corporate network.
- **Firewall Rules:** Block external access to Port 1099/TCP and Port 10443/TCP.
- **External DMZ:** Ensure that no components of the SPPA-T3000 suite are exposed directly to the internet.
## Detection
- **Indicators of Compromise:** Unexpected processes spawned by the Java process that hosts the RMI registry service.
- **Detection methods and tools:** Monitor for unauthorized traffic to port 1099/TCP; use an ICS-aware IDS (Intrusion Detection System) to flag unexpected Java object serialization on the wire.
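The detection approach above, worked through as an added example (not code from the advisory or from Siemens): it classifies constructed flow records by whether they reach the two listener ports named here, whether the source lies outside an assumed control-system subnet, and whether the first client bytes carry the Java RMI handshake header or the Java serialization stream header. The subnet, flow records and port-to-service mapping are assumptions for illustration.

```python
"""Flag flows to the SPPA-T3000 listener ports that look like RMI or
serialized-object traffic, especially from outside the control network."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectOutputStream header
JRMI_MAGIC = b"JRMI"                      # Java RMI wire-protocol header
WATCHED_PORTS = {1099, 10443}             # ports named in this advisory
# Assumed control-system segment; any other source counts as external.
TRUSTED_NET = ip_network("10.20.0.0/16")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


def classify(flow: Flow) -> list[str]:
    """Return the findings for one flow; empty list means nothing to flag."""
    findings: list[str] = []
    if flow.dport not in WATCHED_PORTS:
        return findings
    if ip_address(flow.src) not in TRUSTED_NET:
        findings.append("external-source")
    if flow.payload.startswith(JRMI_MAGIC):
        findings.append("rmi-handshake")
    if JAVA_STREAM_MAGIC in flow.payload:
        findings.append("java-serialized-object")
    return findings


def scan(flows: list[Flow]) -> list[tuple[Flow, list[str]]]:
    """Run classify() over a batch and keep only the flows with findings."""
    return [(f, classify(f)) for f in flows if classify(f)]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.20.5.10", "10.20.1.2", 1099, b"JRMI\x00\x02\x4b"),          # in-segment RMI
    Flow("192.0.2.77", "10.20.1.2", 1099,
         b"JRMI\x00\x02\x4b\xac\xed\x00\x05sr\x00"),                      # external, serialized object
    Flow("10.20.5.10", "10.20.1.2", 443, b"\x16\x03\x01"),                # unrelated port, ignored
    Flow("198.51.100.9", "10.20.1.2", 10443, b"\x16\x03\x01"),            # external to MS3000 port
]

if __name__ == "__main__":
    for flow, findings in scan(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {', '.join(findings)}")
```

Feed real flows by filling `Flow` from your NetFlow/Zeek records; the payload check needs the first client bytes, which Zeek's conn log alone does not keep.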
## References
- **Vendor Advisories:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-451445[.]pdf
- **Kaspersky Analysis:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2019/12/18/multiple-vulnerabilities-in-sppa-t3000-components/
- **NIST NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-18281