Full Report
RUGGEDCOM CROSSBOW V5.2 fixes two vulnerabilities that could allow authenticated remote attackers to perform unauthorized actions (CVE-2023-27309) or escalate privileges (CVE-2023-27310). Siemens has released an update for RUGGEDCOM CROSSBOW and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Unauthorized Actions and Privilege Escalation in Siemens RUGGEDCOM CROSSBOW
## CVE Details
- **CVE ID:** CVE-2023-27309
- **CVSS Score:** 5.0 (Medium)
- **CWE:** CWE-862 (Missing Authorization)
- **CVE ID:** CVE-2023-27310
- **CVSS Score:** 6.6 (Medium)
- **CWE:** CWE-862 (Missing Authorization)
## Affected Systems
- **Products:** RUGGEDCOM CROSSBOW
- **Versions:** All versions prior to V5.2
- **Configurations:** Systems where the client query handler is accessible to authenticated remote users.
## Vulnerability Description
Both vulnerabilities exist within the **client query handler** of the RUGGEDCOM CROSSBOW application due to insufficient permission validation.
- **CVE-2023-27309:** The application fails to verify proper permissions for specific write queries. An authenticated attacker can exploit this to perform actions they are not authorized to execute.
- **CVE-2023-27310:** The application fails to check for proper permissions specifically when assigning groups to user accounts. This allows an attacker to assign administrative groups to non-privileged accounts.
## Exploitation
- **Status:** PoC available (Note: CVSS Exploit Code Maturity is "P" - Proof-of-Concept)
- **Complexity:** High (Both CVEs require specific conditions and authenticated access)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Low (CVE-2023-27309) to High (CVE-2023-27310)
- **Integrity:** Low (CVE-2023-27309) to High (CVE-2023-27310)
- **Availability:** Low (CVE-2023-27309) to High (CVE-2023-27310)
*Combined Impact: Full compromise of the management solution via privilege escalation.*
## Remediation
### Patches
- Siemens recommends updating to **RUGGEDCOM CROSSBOW V5.2** or later.
- Update Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109813558/
### Workarounds
- No specific product-level workaround is provided other than the software update.
- Implement **General Security Recommendations**:
  - Protect network access to devices with appropriate security mechanisms (Firewalls, VLANs).
  - Operate devices in a protected IT environment following Siemens’ operational guidelines.
## Detection
- **Indicators of Compromise:** Monitor audit logs for unauthorized write queries or unexpected changes to user group assignments (specifically the elevation of non-privileged users to administrative groups).
- **Detection methods and tools:** Audit RUGGEDCOM CROSSBOW user accounts and permissions for discrepancies. Utilize SIEM/Log Management to flag permission-related errors or successes from low-privileged accounts targeting administrative functions.
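
One way to implement the group-assignment check described above, as an added example that is not taken from the Siemens advisory or from CROSSBOW itself. It replays group-change events against a baseline of group memberships and flags changes made by accounts that held no legitimately granted administrative group at that moment, including accounts that escalated earlier in the log. The CSV schema, the account names and the `Administrators` group name are assumptions; events are presumed to have been normalized by a SIEM or log pipeline first.

```python
import csv
import io

# Constructed sample events in a hypothetical normalized schema
# (time, actor, action, target, group); not CROSSBOW's native log format.
SAMPLE_EVENTS = """time,actor,action,target,group
2023-04-01T08:00:00Z,admin1,group_add,operator7,Operators
2023-04-01T09:15:00Z,operator7,group_add,operator7,Administrators
2023-04-01T09:20:00Z,operator7,group_add,tech3,Administrators
2023-04-01T10:00:00Z,admin1,group_remove,operator7,Administrators
2023-04-01T10:05:00Z,operator7,group_add,tech3,Operators
"""
# Assumed baseline from an account audit taken before the log window.
BASELINE = {"admin1": {"Administrators"}, "operator7": set(), "tech3": set()}
ADMIN_GROUPS = {"Administrators"}  # assumed name of the privileged group


def find_unauthorized_group_changes(events_csv, baseline, admin_groups):
    """Replay group changes in time order and flag each one made by an actor
    without legitimately held administrative membership at that moment."""
    membership = {user: set(groups) for user, groups in baseline.items()}
    tainted = set()  # accounts whose admin membership came from a flagged change
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(events_csv)), key=lambda r: r["time"])
    for row in rows:
        actor, target, group = row["actor"], row["target"], row["group"]
        actor_groups = membership.setdefault(actor, set())
        target_groups = membership.setdefault(target, set())
        authorized = bool(actor_groups & admin_groups) and actor not in tainted
        grants_admin = row["action"] == "group_add" and group in admin_groups
        if not authorized:
            severity = "high" if grants_admin else "medium"
            findings.append((row["time"], actor, target, group, severity))
        # Apply the change so later events are judged against current state.
        if row["action"] == "group_add":
            target_groups.add(group)
            if grants_admin and authorized:
                tainted.discard(target)  # legitimate grant clears earlier taint
            elif grants_admin:
                tainted.add(target)  # membership obtained via a flagged change
        elif row["action"] == "group_remove":
            target_groups.discard(group)
            if not target_groups & admin_groups:
                tainted.discard(target)
    return findings
```

On the constructed sample this returns three findings: the self-assignment to `Administrators`, the follow-on grant made by the already escalated account, and a later non-administrative change by the same account after its membership was revoked.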
## References
- Siemens Advisory SSA-260625: hxxps://cert-portal.siemens.com/productcert/pdf/ssa-260625.pdf
- Siemens Industrial Security Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- CWE-862: hxxps://cwe.mitre.org/data/definitions/862.html