Full Report
COMOS is affected by multiple vulnerabilities that could allow an attacker to execute arbitrary code, cause a denial of service condition, perform data infiltration, or violate access controls. Siemens has released an update for COMOS and recommends updating to the latest version. Siemens recommends specific countermeasures for products where updates are not, or not yet, available.
Analysis Summary
# Vulnerability: Multiple Security Flaws in Siemens COMOS
## CVE Details
- **CVE IDs:**
  - **Critical:** CVE-2020-25020, CVE-2023-43505, CVE-2023-46601 (Scores: 9.6 - 9.8)
  - **High/Medium:** CVE-2020-35460, CVE-2022-23095, CVE-2022-28807, CVE-2022-28808, CVE-2022-28809, CVE-2023-0933, CVE-2023-1530, CVE-2023-2931, CVE-2023-2932, CVE-2023-22669, CVE-2023-22670, CVE-2023-43503, CVE-2023-43504
- **CVSS Score:** Up to 9.8 (Critical)
- **CWEs:** CWE-611 (XXE), CWE-284 (Improper Access Control), CWE-22 (Path Traversal), CWE-120 (Buffer Overflow)
## Affected Systems
- **Products:** Siemens COMOS (Unified data platform for plant design/management).
- **Versions:**
  - All versions < V10.4.4 (for most CVEs).
  - All versions (for CVE-2023-43505 and CVE-2023-46601).
- **Configurations:** Systems utilizing SMB shares for document storage or direct SQL Server connections without secondary access control layers.
## Vulnerability Description
COMOS is affected by a suite of vulnerabilities ranging from flaws in third-party components (MPXJ, ODA Drawings SDK) to native configuration issues. Key flaws include:
- **XXE and Path Traversal:** Improper handling of XML and ZIP streams (MPXJ library) allowing arbitrary file reads or writes.
- **Access Control Failures:** Lack of proper restrictions on SMB shares and SQL Server connections, allowing unauthorized data access or database queries.
- **Memory Corruption:** Classic buffer overflows in file parsing components that could lead to Remote Code Execution (RCE).
- **Insecure Execution:** Presence of legacy executables (e.g., `ptmcast.exe`) susceptible to exploitation.
## Exploitation
- **Status:** PoC available (the advisory's CVSS temporal metric is E:P, i.e. exploit maturity "Proof-of-Concept").
- **Complexity:** Low to Medium.
- **Attack Vector:** Primarily Network (Remote).
## Impact
- **Confidentiality:** High (Unauthorized access to plant design data and databases).
- **Integrity:** High (Ability to modify files, write to arbitrary locations, or alter database records).
- **Availability:** High (Potential for Denial of Service and system instability).
## Remediation
### Patches
- **Update to COMOS V10.4.4 or later:** Resolves the majority of CVEs.
- **Database Update:** After upgrading to V10.4.4, users must update the COMOS database to **version 25** to remediate CVE-2023-43503. Note: this database update is irreversible for older COMOS versions.
- **Manual File Removal:** For CVE-2023-43504, manually delete `ptmcast.exe` from the COMOS `bin` folder if it exists.
### Workarounds
- **Access Control Layers:** For CVE-2023-43505 and CVE-2023-46601 (which have no planned fix), use an application server like **Citrix** to create a security perimeter.
- **Isolation:** Ensure file shares and databases are accessible *only* by the application server, not the end-user network.
- **Trust Verification:** Import files only from trusted sources over secure channels.
## Detection
- **Indicators of Compromise:** Unusual SMB traffic to document shares; unauthorized SQL queries originating from COMOS user workstations; presence of `ptmcast.exe` on updated systems.
- **Detection Methods:** Audit folder permissions on document shares; monitor database logs for direct, non-application-brokered connections.
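As an added illustration of the detection methods above (example code, not part of the Siemens advisory or of COMOS), the script below flags database connections whose client host is not one of the designated application servers and checks a COMOS `bin` folder for the legacy `ptmcast.exe`. The audit record format, host names, logins and paths are constructed for the example.

```python
"""Added example: spot non-brokered database connections and the legacy
ptmcast.exe binary named in the advisory. Log columns, host names and
paths are constructed here, not taken from COMOS or SQL Server."""
import csv
import io
from pathlib import Path

# Constructed sample of database login audit records. The column names are
# an assumption; adapt the parser to the fields your audit source produces.
SAMPLE_AUDIT = """\
timestamp,client_host,login_name,program_name
2024-01-10T08:01:12,APPSRV01,comos_svc,COMOS.exe
2024-01-10T08:03:55,WS-ENG-17,jdoe,Microsoft SQL Server Management Studio
2024-01-10T08:05:02,APPSRV02,comos_svc,COMOS.exe
2024-01-10T08:07:41,WS-ENG-23,comos_svc,COMOS.exe
"""


def find_direct_db_connections(audit_csv: str, app_servers: set) -> list:
    """Return every record whose client host is not an allow-listed application
    server. Once the isolation workaround is in place only those servers should
    reach the COMOS database, so any other host is a candidate for follow-up."""
    allowed = {host.upper() for host in app_servers}
    hits = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["client_host"].upper() not in allowed:
            hits.append(row)
    return hits


def legacy_executable_present(bin_dir) -> bool:
    """True if ptmcast.exe still exists in the given COMOS bin folder, the file
    the advisory says to delete for CVE-2023-43504."""
    return (Path(bin_dir) / "ptmcast.exe").is_file()


if __name__ == "__main__":
    for hit in find_direct_db_connections(SAMPLE_AUDIT, {"APPSRV01", "APPSRV02"}):
        print(f"direct connection: {hit['client_host']} as {hit['login_name']} "
              f"via {hit['program_name']}")
    # Placeholder path; point it at the real COMOS installation folder.
    print("ptmcast.exe present:", legacy_executable_present(r"C:\COMOS\bin"))
```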
## References
- Siemens Advisory SSA-137900: hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-137900.pdf
- Siemens Industrial Security Guidelines: hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security
- COMOS Security Configuration Guide: hxxps://support.industry.siemens[.]com/cs/document/109823629/