Full Report
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

## 1. EXECUTIVE SUMMARY

- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: RUGGEDCOM APE1808 Devices
- Vulnerabilities: Out-of-bounds Read, Insertion of Sensitive Information Into Sent Data, Allocation of Resources Without Limits or Throttling, Integer Overflow or Wraparound, Path Traversal, Out-of-bounds Write, HTTP Request/Response Splitting

## 2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, perform a machine-in-the-middle (MITM) attack, escalate privileges, execute unauthorized code, and access unauthorized systems and information.

## 3. TECHNICAL DETAILS

### 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

- Siemens RUGGEDCOM APE1808: All versions

### 3.2 VULNERABILITY OVERVIEW

#### 3.2.1 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read vulnerability [CWE-125] in FortiOS SSLVPN web portal versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, 7.0 all versions, and 6.4 all versions may allow an authenticated attacker to perform a denial-of-service on the SSLVPN web portal via a specially crafted URL.

CVE-2024-36504 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

#### 3.2.2 INSERTION OF SENSITIVE INFORMATION INTO SENT DATA CWE-201

An insertion of sensitive information into sent data vulnerability [CWE-201] in FortiOS 7.6.0, 7.4.0 through 7.4.4 may allow an attacker in a man-in-the-middle position to retrieve the RADIUS accounting server shared secret via intercepting accounting-requests.

CVE-2024-46665 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

#### 3.2.3 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

An allocation of resources without limits or throttling [CWE-770] vulnerability in FortiOS versions 7.6.0, versions 7.4.0 through 7.4.4, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow a remote unauthenticated attacker to prevent access to the GUI via specially crafted requests directed at specific endpoints.

CVE-2024-46666 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

#### 3.2.4 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiOS versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, versions 7.0.0 through 7.0.15, and versions 6.4.0 through 6.4.15 may allow an unauthenticated remote user to consume all system memory via multiple large file uploads.

CVE-2024-46668 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

#### 3.2.5 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An integer overflow or wraparound vulnerability in the IPsec IKE service of FortiOS version 7.4.4 and below, version 7.2.10 and below, and FortiSASE version 23.4.b FortiOS tenant may allow an authenticated attacker to crash the IPsec tunnel via crafted requests, resulting in potential denial-of-service.

CVE-2024-46669 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

#### 3.2.6 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read vulnerability in FortiOS version 7.6.0, version 7.4.4 and below, version 7.2.9 and below and FortiSASE FortiOS tenant version 24.3.b IPsec IKE service may allow an unauthenticated remote attacker to trigger memory consumption leading to denial-of-service via crafted requests.

CVE-2024-46670 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

#### 3.2.7 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.5 through 7.2.9, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy 7.4.0 through 7.4.5, 7.2.0 through 7.2.11, 7.0.0 through 7.0.18, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiManager Cloud versions 7.4.1 through 7.4.3 allows an attacker to trigger an escalation of privilege via specially crafted packets.

CVE-2024-48884 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

#### 3.2.8 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiRecorder versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.4, FortiWeb versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.10, 7.0.0 through 7.0.10, 6.4.0 through 6.4.3, FortiVoice versions 7.0.0 through 7.0.4, 6.4.0 through 6.4.9, 6.0.0 through 6.0.12 allows an attacker to escalate privilege via specially crafted packets.

CVE-2024-48885 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

#### 3.2.9 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4.0 through 6.4.15 allows an attacker to trigger a denial-of-service via specially crafted packets.

CVE-2024-52963 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

#### 3.2.10 IMPROPER NEUTRALIZATION OF CRLF SEQUENCES IN HTTP HEADERS ('HTTP REQUEST/RESPONSE SPLITTING') CWE-113

An improper neutralization of CRLF sequences in HTTP headers ('HTTP response splitting') in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 allows an attacker to execute unauthorized code or commands via a crafted HTTP header.

CVE-2024-54021 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

### 3.3 BACKGROUND

- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Germany

### 3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

## 4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

- RUGGEDCOM APE1808: Contact customer support to receive patch and update information.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage. For more information see the associated Siemens security advisory SSA-770770 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

## 5. UPDATE HISTORY

- February 13, 2025: Initial Publication
Analysis Summary
# Vulnerability: Multiple Critical and High Severity Flaws in FortiOS/FortiSASE (CVE-2024-36504, CVE-2024-46665, CVE-2024-46666, CVE-2024-46668, CVE-2024-46669, CVE-2024-46670, etc.)
## CVE Details
- CVE ID: Multiple (e.g., CVE-2024-36504, CVE-2024-46665, CVE-2024-46666, CVE-2024-46668, CVE-2024-46669, CVE-2024-46670)
- CVSS Score: Scores range from 3.5 (Low/Medium) to 7.5 (High)
- CVE-2024-46668 (7.5, High): Unauthenticated Denial of Service via resource exhaustion.
- CVE-2024-46670 (7.5, High): Unauthenticated Out-of-bounds Read leading to DoS.
- CWE: CWE-125 (Out-of-bounds Read), CWE-201 (Insertion of Sensitive Information Into Sent Data), CWE-770 (Allocation of Resources Without Limits or Throttling), Path Traversal, etc.
## Affected Systems
- Products: Fortinet FortiOS, FortiSASE (FortiOS tenant)
- Versions:
  - **CVE-2024-36504 (OOB Read/DoS):** FortiOS 7.4.0–7.4.4, 7.2.0–7.2.8, 7.0 (all), 6.4 (all)
  - **CVE-2024-46665 (Secret Leak):** FortiOS 7.6.0, 7.4.0–7.4.4
  - **CVE-2024-46666 (DoS):** FortiOS 7.6.0, 7.4.0–7.4.4, 7.2 (all), 7.0 (all), 6.4 (all)
  - **CVE-2024-46668 (DoS via Upload):** FortiOS 7.4.0–7.4.4, 7.2.0–7.2.8, 7.0.0–7.0.15, 6.4.0–6.4.15
  - **CVE-2024-46669 (DoS via IPsec):** FortiOS versions $\le$ 7.4.4, $\le$ 7.2.10. FortiSASE version 23.4.b.
  - **CVE-2024-46670 (OOB Read/DoS via IPsec):** FortiOS 7.6.0, $\le$ 7.4.4, $\le$ 7.2.9. FortiSASE tenant $\le$ 24.3.b.
  - *Note: Other vulnerabilities affecting FortiManager and FortiProxy are also referenced in the source material, which lists extensive version ranges.*
- Configurations: Specific vulnerabilities target the SSLVPN web portal, IKE service, or allow exploitation via unauthenticated requests or large file uploads.
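A practical way to use the version ranges above is to check an inventory of installed FortiOS versions against them. The script below is an added example, not code from the CISA advisory, Siemens or Fortinet; the range data is transcribed from this advisory's text (including CVE-2024-54021's cross-branch range "7.2.0 through 7.6.0" from the Full Report), the function names are this example's own, and the advisory's "7.4.4 and below" is read as 7.4.0 through 7.4.4 within that branch (an assumption).

```python
# Added example (not from the advisory or the vendors): map an installed FortiOS
# version to the CVEs in this advisory whose affected ranges cover it.

def parse_version(v):
    """'7.4.4' -> (7, 4, 4); '7.0' -> (7, 0) for a branch-wide entry."""
    return tuple(int(p) for p in v.split("."))

# Each entry is either "X.Y" (every version of that branch, as the advisory's
# "7.0 all versions") or ("lo", "hi"), inclusive at both ends.
# Assumption: "7.4.4 and below" means 7.4.0 through 7.4.4 within that branch.
# CVE-2024-54021 keeps its cross-branch range "7.2.0 through 7.6.0" as written.
AFFECTED_FORTIOS = {
    "CVE-2024-36504": [("7.4.0", "7.4.4"), ("7.2.0", "7.2.8"), "7.0", "6.4"],
    "CVE-2024-46665": [("7.6.0", "7.6.0"), ("7.4.0", "7.4.4")],
    "CVE-2024-46666": [("7.6.0", "7.6.0"), ("7.4.0", "7.4.4"), "7.2", "7.0", "6.4"],
    "CVE-2024-46668": [("7.4.0", "7.4.4"), ("7.2.0", "7.2.8"),
                       ("7.0.0", "7.0.15"), ("6.4.0", "6.4.15")],
    "CVE-2024-46669": [("7.4.0", "7.4.4"), ("7.2.0", "7.2.10")],
    "CVE-2024-46670": [("7.6.0", "7.6.0"), ("7.4.0", "7.4.4"), ("7.2.0", "7.2.9")],
    "CVE-2024-54021": [("7.2.0", "7.6.0")],
}

def version_in(v, entry):
    """True when version tuple v falls inside one affected-range entry."""
    if isinstance(entry, str):                  # branch-wide entry: prefix match
        branch = parse_version(entry)
        return v[:len(branch)] == branch
    lo, hi = (parse_version(b) for b in entry)  # inclusive, tuple-ordered compare
    return lo <= v <= hi

def applicable_cves(version):
    """Sorted list of CVEs from this advisory whose ranges cover `version`."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED_FORTIOS.items()
                  if any(version_in(v, r) for r in ranges))

if __name__ == "__main__":
    # Constructed sample inventory; 7.6.1 is outside every listed range but that
    # is not evidence it is fixed, so confirm against the vendor advisory.
    for ver in ("7.4.4", "7.2.9", "7.0.16", "7.6.1"):
        print(ver, "->", applicable_cves(ver) or "not in any listed range")
```

A version that matches no range here still needs confirmation against the Fortinet and Siemens advisories, since this table only encodes the ranges quoted on this page.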
## Vulnerability Description
The advisory details multiple distinct vulnerabilities across several product lines, primarily impacting FortiOS and FortiSASE deployments. These flaws include:
1. **Out-of-bounds Read (CVE-2024-36504):** Allows an authenticated attacker via a crafted URL to cause a Denial of Service (DoS) on the SSLVPN web portal.
2. **Sensitive Information Disclosure (CVE-2024-46665):** An attacker in a Man-in-the-Middle (MITM) position can retrieve the RADIUS accounting server shared secret by intercepting accounting-requests.
3. **Resource Exhaustion/DoS (CVE-2024-46666, CVE-2024-46668):** Remote unauthenticated attackers can cause a DoS condition, either by accessing specific GUI endpoints or by consuming all system memory via multiple large file uploads.
4. **IPsec Weaknesses (CVE-2024-46669, CVE-2024-46670):** Integer Overflow and Out-of-bounds Read flaws in the IPsec IKE service can lead to denial-of-service conditions (crashing the tunnel or causing memory exhaustion) via crafted requests.
## Exploitation
- Status: No known public exploitation specifically targeting these vulnerabilities was reported to CISA at the time of the advisory.
- Complexity: Ranges from **Low** (for unauthenticated remote DoS) to **Medium/High** (for MITM scenarios).
- Attack Vector: Primarily **Network** (Remote).
## Impact
- Confidentiality: Vulnerable to leakage of secrets (Medium impact for CVE-2024-46665).
- Integrity: Potential for unauthorized code execution and privilege escalation (mentioned as a potential overall impact outcome).
- Availability: High impact due to Denial of Service conditions caused by multiple flaws (OOB Reads, resource exhaustion).
## Remediation
### Patches
The source document does not explicitly list patch versions but directs the user to the vendor advisories for details on fixed versions. Remediation requires updating to versions beyond the specified vulnerable ranges.
### Workarounds
General ICS recommendations provided by CISA include:
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use secure methods like VPNs, ensuring VPN software is updated.
* Organizations must perform a proper impact analysis and risk assessment before deploying defensive measures.
## Detection
- Indicators of compromise: Look for unusual traffic patterns, excessive connection attempts across vulnerable services (SSLVPN, IPsec), unexpected service crashes, or large file upload activity directed at the appliance/GUI endpoints prior to service interruption.
- Detection methods and tools: Implement network monitoring to detect crafted malicious inputs against known vulnerable interfaces. Use logs generated by Fortinet security services to identify anomalies related to RADIUS accounting requests or unusual IKE activity.
## References
- Vendor advisories: Siemens ProductCERT Security Advisories (Note: CISA will no longer be updating ICS advisories for Siemens beyond the initial advisory).
- Relevant links (defanged):
  - Vendor Security Publications: hXXps://new.siemens.com/global/en/products/services/cert.html#SecurityPublications
  - CSAF Link: hXXps://github.com/cisagov/CSAF
  - ICS Cybersecurity Best Practices: hXXps://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf