Full Report
Nozomi Networks has published information on vulnerabilities in Nozomi Guardian/CMC before 24.2.0. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Access Control Flaw in Nozomi Guardian/CMC Leading to Limited Configuration Modification and Potential Data Exfiltration
## CVE Details
- CVE ID: CVE-2024-4465
- CVSS Score: 6.0 (Medium)
- CWE: CWE-863: Incorrect Authorization
## Affected Systems
- Products: RUGGEDCOM APE1808LNX (6GK6015-0AL20-0GH0) and RUGGEDCOM APE1808LNX CC (6GK6015-0AL20-0GH1) running Nozomi Guardian / CMC.
- Versions: All versions running Nozomi Guardian / CMC before V24.3.1.
- Configurations: Instances with a reporting configuration enabled.
## Vulnerability Description
CVE-2024-4465 stems from a missing or improperly enforced access restriction within the Reports section of Nozomi Guardian/CMC. A logged-in user with only reporting privileges can exploit this flaw by crafting a specific application request. This allows the user to make limited changes to the reporting configuration. The primary consequences include a partial loss of data integrity, limited Denial of Service (DoS) if reports fail to reach their destination, and potential information disclosure. Critically, the attacker can modify the destination SMTP server for reports, potentially causing sensitive data (including external credentials if reported) to be sent to an attacker-controlled server.
## Exploitation
- Status: Not explicitly stated as exploited in the wild; the advisory focuses on remediation. PoC availability is not detailed.
- Complexity: Based on the description ("learns how to create a specific application request"), exploitation likely requires **Medium** complexity from an authenticated, low-privileged user.
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: Limited (L) - Potential information disclosure, especially regarding external credentials if report destinations are modified.
- Integrity: Limited (L) - Partial loss of data integrity due to limited configuration changes.
- Availability: Limited (L) - Limited DoS impact if reports fail to be delivered.
## Remediation
### Patches
- Upgrade Nozomi Guardian / CMC to **V24.3.1** on the affected RUGGEDCOM APE1808 devices.
- Customers must contact customer support to receive patch and update information for the embedded Nozomi component.
### Workarounds
- **Restrict access** to the affected components to only trusted personnel.
- Follow Siemens' general security recommendations, including protecting network access to devices using appropriate mechanisms and configuring environments according to Siemens' operational guidelines for Industrial Security.
## Detection
- Indicators of Compromise: Look for unexpected changes in the reporting configuration, specifically modifications to the destination SMTP server settings for reports.
- Detection methods and tools: Monitor the configuration management logs within the Nozomi Guardian/CMC interface for unauthorized changes made by users with limited privileges.
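
The two detection points above, written as a review script (an added example, not code from Siemens or Nozomi Networks). It assumes configuration-change events have been exported as JSON lines; the field names, role names and host names are a constructed, hypothetical schema and must be mapped to whatever your deployment actually records.

```python
import json

# Assumption: SMTP relays the organisation has approved for report delivery.
APPROVED_SMTP_HOSTS = {"smtp.corp.example"}
# Assumption: roles that are permitted to change reporting configuration.
CONFIG_ADMIN_ROLES = {"admin"}

# Constructed sample audit records (hypothetical schema, not the product's log format).
SAMPLE_AUDIT_LOG = """\
{"ts":"2024-09-01T08:00:00Z","user":"alice","role":"admin","object":"report_settings","field":"smtp_host","old":"smtp-old.corp.example","new":"smtp.corp.example"}
{"ts":"2024-09-02T02:14:09Z","user":"rpt01","role":"report_only","object":"report_settings","field":"smtp_host","old":"smtp.corp.example","new":"mail.unknown.example"}
{"ts":"2024-09-02T02:15:40Z","user":"rpt01","role":"report_only","object":"report_settings","field":"recipients","old":"soc@corp.example","new":"soc@corp.example"}
{"ts":"2024-09-03T10:00:00Z","user":"bob","role":"admin","object":"user","field":"email","old":"a","new":"b"}
not-json garbage line
"""

def find_suspicious_changes(log_text):
    """Return (timestamp, user, reasons) for report-config changes that need review."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(rec, dict) or rec.get("object") != "report_settings":
            continue  # only reporting configuration is in scope
        if rec.get("old") == rec.get("new"):
            continue  # no effective change
        reasons = []
        if rec.get("role") not in CONFIG_ADMIN_ROLES:
            reasons.append("changed by non-admin role")
        if rec.get("field") == "smtp_host":
            # Normalise case and a trailing dot before comparing to the allowlist.
            host = str(rec.get("new", "")).strip().lower().rstrip(".")
            if host not in APPROVED_SMTP_HOSTS:
                reasons.append("SMTP destination not on allowlist")
        if reasons:
            findings.append((rec.get("ts"), rec.get("user"), reasons))
    return findings

if __name__ == "__main__":
    for ts, user, reasons in find_suspicious_changes(SAMPLE_AUDIT_LOG):
        print(ts, user, "; ".join(reasons))
```

On the constructed sample only the `rpt01` SMTP change is reported, with both reasons attached.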
## References
- Vendor advisories: SSA-254396
- Relevant links:
  - https://cert-portal.siemens.com/productcert/html/ssa-254396.html
  - https://www.siemens.com/cert/operational-guidelines-industrial-security
  - https://www.siemens.com/industrialsecurity
  - https://security.nozominetworks.com/alerts/