Full Report
OZW672 and OZW772 Web Server versions before V5.2 contain a stored cross-site scripting (XSS) vulnerability that could allow an authenticated remote attacker to inject arbitrary JavaScript code that is later executed by another authenticated victim user, potentially one with higher privileges than the attacker. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Stored XSS in Siemens OZW672 and OZW772 Web Servers
## CVE Details
- **CVE ID:** CVE-2024-36140
- **CVSS Score:** 6.8 (Medium) via CVSS v3.1 / 8.2 (High) via CVSS v4.0
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
## Affected Systems
- **Products:** OZW672 and OZW772 Web Servers (used for remote monitoring of building controllers, e.g., HVAC systems).
- **Versions:** All versions prior to V5.2.
- **Configurations:** Any deployment in which more than one authenticated user can reach the web interface; the injection point is the "user accounts" tab.
## Vulnerability Description
The "user accounts" tab within the web interface of the affected OZW devices fails to properly neutralize user-supplied input. This flaw allows an authenticated remote attacker to inject malicious JavaScript code into the application's database (stored XSS). The stored payload is subsequently executed in the browser context, and therefore with the session and privileges, of any other authenticated user who views the affected page, including users with higher privileges than the attacker.
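The pattern described above, shown as an added illustration rather than the OZW672/OZW772 firmware code: a renderer that concatenates stored account fields straight into HTML beside one that escapes them for the HTML text context. The account record shape, the field names, the `alert(1)` marker payload and the renderer functions are all assumptions made for this example.

```javascript
// Added illustration of the stored-XSS pattern CVE-2024-36140 describes.
// This is NOT the OZW672/OZW772 firmware code; the account record, the
// renderers and the field names are assumptions made for the example.

// Constructed sample: account records as a low-privileged attacker could
// save them. The second "name" carries a payload that needs no <script> tag;
// alert(1) is only a marker for "script ran in the viewer's session".
const storedAccounts = [
  { name: "operator", role: "user" },
  { name: '<img src=x onerror="alert(1)">', role: "user" },
];

// Vulnerable renderer: stored field values are concatenated straight into
// HTML, so markup saved by one user becomes active content in another
// user's browser (an administrator viewing the "user accounts" tab).
function renderAccountsVulnerable(accounts) {
  return accounts
    .map((a) => `<tr><td>${a.name}</td><td>${a.role}</td></tr>`)
    .join("");
}

// Hardened renderer: every value is escaped for the HTML text context before
// it is placed in the page. The five characters below are the ones that can
// open a tag, close an attribute or start an entity in that context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderAccountsSafe(accounts) {
  return accounts
    .map((a) => `<tr><td>${escapeHtml(a.name)}</td><td>${escapeHtml(a.role)}</td></tr>`)
    .join("");
}

// Crude check a reviewer can run over rendered output: after removing the
// table markup the renderer itself emits, does any stored value survive as a
// live element? Returns true when the payload is still active markup.
function containsLiveTag(html) {
  const stripped = html.replace(/<\/?(tr|td)>/g, "");
  return /<\/?[a-z][\w-]*/i.test(stripped);
}

console.log(containsLiveTag(renderAccountsVulnerable(storedAccounts))); // true
console.log(containsLiveTag(renderAccountsSafe(storedAccounts)));       // false
```

Escaping must match the output context: the text-node escaping above is not sufficient for values placed inside a `javascript:` URL, an inline event handler or an unquoted attribute, which is why a single output-encoding routine applied at render time, not input filtering alone, is the usual fix for CWE-79.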
## Exploitation
- **Status:** Not reported as exploited in the wild; PoC not publicly disclosed.
- **Complexity:** Low (no special conditions beyond submitting crafted input to the affected fields).
- **Attack Vector:** Network (Remote).
- **Prerequisites:** Attacker must have at least low-privileged authenticated access to the device.
- **User Interaction:** Required (a victim user must navigate to the compromised "user accounts" tab).
## Impact
- **Confidentiality:** None (Directly).
- **Integrity:** High (The attacker can execute scripts to perform actions as the victim, potentially modifying system configurations).
- **Availability:** None.
- **Scope:** Changed (CVSS v3.1), because the vulnerable component (the OZW web server) differs from the impacted component (the victim user's browser, in which the injected script runs).
## Remediation
### Patches
Siemens recommends updating affected devices to the most recent version available. (Note: V5.2 was the original fix release but is no longer hosted; install the current version from the support pages listed in the references.)
- **OZW672:** Update to V5.2 or later versions.
- **OZW772:** Update to V5.2 or later versions.
### Workarounds
- **Network Segmentation:** Protect network access to affected products with appropriate firewalls or VPNs.
- **Environment Isolation:** Run devices only within a protected/trusted IT environment.
- **Access Control:** Restrict web interface access to trusted administrative users only. Because the prerequisite is only a low-privileged account, this reduces the exposure but does not remove it; only the update does.
## Detection
- **Indicators of Compromise:** HTML markup or unexpected characters in "user accounts" fields, in particular angle brackets, inline event-handler attributes (`onerror=`, `onload=`, and similar) and `javascript:` URLs; a payload does not need a literal `<script>` tag.
- **Detection methods:** Manual auditing of stored user account profiles for the indicators above, or automated web application vulnerability scanners run against the web interface with an authenticated, low-privileged account.
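One way to carry out the manual audit above, as an added example that is not a Siemens tool: a script that scans an exported list of account field values for injection markers beyond the literal `<script>` tag. The export format (an array of `{id, field, value}` rows), the indicator list and the sample records are assumptions made for this example.

```javascript
// Added detection example for the audit the Detection section describes.
// Not a Siemens tool; the export format ({id, field, value} rows) and the
// sample data are constructed for this example.

// Indicators ordered by confidence. Real payloads rarely need a literal
// <script> tag, so event handlers, javascript: URLs and self-closing tags
// are covered too. Stored values that already contain entity-encoded angle
// brackets are only a weak signal (someone probing the filter), so they are
// reported at low severity.
const XSS_INDICATORS = [
  { name: "script-tag",     severity: "high", re: /<\/?script\b/i },
  { name: "html-tag",       severity: "high", re: /<\/?[a-z][\w-]*/i },
  { name: "event-handler",  severity: "high", re: /\bon[a-z]+\s*=/i },
  { name: "javascript-url", severity: "high", re: /javascript\s*:/i },
  { name: "encoded-angle",  severity: "low",  re: /&(lt|gt|#x3c|#x3e|#60|#62);/i },
];

// Returns one finding per (row, indicator) match so an analyst can see
// which patterns fired on which field.
function auditAccountFields(rows) {
  const findings = [];
  for (const row of rows) {
    for (const ind of XSS_INDICATORS) {
      if (ind.re.test(row.value)) {
        findings.push({ id: row.id, field: row.field, indicator: ind.name, severity: ind.severity, value: row.value });
      }
    }
  }
  return findings;
}

// Sorted, de-duplicated ids of accounts with at least one high-severity hit.
function flaggedAccountIds(rows) {
  const ids = new Set(auditAccountFields(rows).filter((f) => f.severity === "high").map((f) => f.id));
  return [...ids].sort((a, b) => a - b);
}

// Constructed sample export (not real device data).
const sampleExport = [
  { id: 1, field: "name",        value: "Building Operator" },
  { id: 2, field: "name",        value: "<script>alert(1)</script>" },
  { id: 3, field: "description", value: "<img src=x onerror=alert(1)>" },
  { id: 4, field: "description", value: '"><svg onload=alert(1)>' },
  { id: 5, field: "email",       value: "ops@example.com" },
  { id: 6, field: "name",        value: "&lt;b&gt;bold&lt;/b&gt;" },
];

for (const f of auditAccountFields(sampleExport)) {
  console.log(`account ${f.id} ${f.field}: ${f.severity} ${f.indicator} -> ${JSON.stringify(f.value)}`);
}
console.log("flagged:", flaggedAccountIds(sampleExport)); // [2, 3, 4]
```

A match is a reason to inspect the account and who last edited it, not proof of compromise; legitimate descriptions containing a stray `<` will show up as `html-tag` hits and need a human look.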
## References
- **Siemens Security Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-230445.pdf
- **OZW672 Support/Downloads:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/62567396/
- **OZW772 Support/Downloads:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/62564534/
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories