Full Report
QMS Automotive before V12.39 contains multiple vulnerabilities that could allow an attacker to perform malicious code injection, information disclosure or lead to a denial of service condition. Siemens has released an update for QMS Automotive and recommends to update to the latest version.
Analysis Summary
# Vulnerability: Multiple Flaws in Siemens QMS Automotive
## CVE Details
This advisory covers 10 distinct vulnerabilities. The highest severity is:
- **CVE ID:** CVE-2023-40726
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-550 (Server-generated Error Message Containing Sensitive Information)
**Additional Included CVEs:**
- **CVE-2022-43958 (CVSS 7.6):** Plaintext password storage in DB (CWE-256)
- **CVE-2023-40724 (CVSS 7.3):** Cleartext credentials in memory (CWE-316)
- **CVE-2023-40725 (CVSS 4.0):** Username enumeration via error messages (CWE-209)
- **CVE-2023-40727 (CVSS 7.8):** Weak application signing in QMS.Mobile (CWE-347)
- **CVE-2023-40728 (CVSS 7.3):** Insecure external storage in QMS.Mobile (CWE-922)
- **CVE-2023-40729 (CVSS 7.3):** Cleartext transmission/Lack of HTTPS (CWE-319)
- **CVE-2023-40730 (CVSS 7.1):** Improper authorization in QMS.Mobile (CWE-284)
- **CVE-2023-40731 (CVSS 5.7):** Unrestricted file upload (CWE-434)
- **CVE-2023-40732 (CVSS 3.9):** Insufficient session expiration (CWE-613)
## Affected Systems
- **Products:** Siemens QMS Automotive (Quality Management System)
- **Versions:** All versions prior to V12.39
- **Configurations:** Systems utilizing the QMS.Mobile module are specifically susceptible to several of the listed flaws.
## Vulnerability Description
QMS Automotive contains a suite of security weaknesses ranging from cryptographic failures to broken access control. Key technical issues include the storage of user credentials in plaintext within both the database and system memory, allowing for easy account takeover. The application also fails to enforce HTTPS, exposing data to Man-in-the-Middle (MitM) attacks. Furthermore, the mobile component (QMS.Mobile) uses outdated signing mechanisms and insecure file storage, which could allow attackers to tamper with application code or inject malicious files.
## Exploitation
- **Status:** PoC Available (Exploit Code Maturity is listed as "Functional/Proof-of-Concept" in the CVSS vectors: E:P).
- **Complexity:** Low (Most vulnerabilities require low specialized knowledge to exploit).
- **Attack Vector:** Network (CVE-2023-40726/30/31), Adjacent (CVE-2022-43958/29), and Local (CVE-2023-40724/25/27/28/32).
## Impact
- **Confidentiality:** High (Plaintext credentials, information disclosure, and session hijacking).
- **Integrity:** High (Code tampering, unauthorized administrative functions, and file manipulation).
- **Availability:** Low to High (Potential for Denial of Service via insecure storage or unauthorized access).
## Remediation
### Patches
- **Update to V12.39 or later.**
- *Note:* The patch is not available via public download; it must be requested directly from Siemens customer support.
### Workarounds
- Protect network access to affected devices with firewalls and VPNs.
- Configure the environment according to Siemens' operational guidelines for Industrial Security.
- Hardening of the IT environment to restrict local access to memory and databases.
## Detection
- **Indicators of Compromise:** Large volumes of failed login attempts (username enumeration), unexpected file types in upload directories, and unencrypted HTTP traffic to the QMS server.
- **Detection methods:** Monitor database logs for unauthorized access to user tables, and use network traffic analysis to identify non-HTTPS communications.
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-147266.pdf
- **Siemens Industrial Security:** hxxps://www.siemens[.]com/industrialsecurity
- **Operational Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security