Full Report
Nozomi Networks has published information on vulnerabilities in Nozomi Guardian/CMC before 23.4.1. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. Siemens has released a new version for RUGGEDCOM APE1808 and recommends updating to the latest version. Customers are advised to consult and implement the workarounds provided in Nozomi Networks' upstream security notifications.
Analysis Summary
This summary focuses on the vulnerabilities affecting Siemens RUGGEDCOM APE1808 devices due to outdated Nozomi Guardian/CMC software versions, based on the referenced Siemens and Nozomi advisories.
# Vulnerability: Multiple Vulnerabilities in Nozomi Guardian/CMC Affecting RUGGEDCOM APE1808
## CVE Details
- **CVE-2023-6916**
  - **CVSS Score:** 7.2 (High)
  - **CWE:** CWE-522: Insufficiently Protected Credentials
- **CVE-2024-0218**
  - **CVSS Score:** 7.5 (High)
  - **CWE:** CWE-20: Improper Input Validation
## Affected Systems
- **Products:** Siemens RUGGEDCOM APE1808LNX (6GK6015-0AL20-0GH0) and RUGGEDCOM APE1808LNX CC (6GK6015-0AL20-0GH1).
- **Versions:** All versions running Nozomi Guardian / CMC before version 23.4.1.
- **Configurations:** N/A (Vulnerability exists based on the embedded software version).
## Vulnerability Description
**CVE-2023-6916 (Credential Exposure/Privilege Escalation):** Audit records for OpenAPI requests may include sensitive information. This vulnerability could lead to unauthorized access and potential privilege escalation.
**CVE-2024-0218 (Denial of Service):** A vulnerability exists due to improper input validation in certain fields used by the RADIUS parsing functionality within the IDS module. An unauthenticated attacker sending specially crafted malformed network packets can cause the IDS module to stop updating nodes, links, and assets, thereby halting network traffic analysis until the module is restarted.
## Exploitation
- **Status:** PoC available (the CVSS vectors for both CVEs carry E:P, i.e. proof-of-concept exploit maturity; this advisory does not report exploitation in the wild).
- **Complexity:** Low (the CVSS vector for CVE-2024-0218 shows Low Attack Complexity (AC:L) and No User Interaction (UI:N)).
- **Attack Vector:** Network (AV:N for both CVEs).
## Impact
| CVE | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| **CVE-2023-6916** | High | High | High |
| **CVE-2024-0218** | None | None | High |
## Remediation
### Patches
- **Primary Action:** Upgrade the embedded Nozomi Guardian / CMC software to **V23.4.1** or later. Customers must contact their support channels to receive the specific patch and update information.
### Workarounds
For **CVE-2023-6916**:
1. Create specific users dedicated to OpenAPI usage, ensuring these users possess only the minimal necessary permissions.
2. Limit API keys to only permitted IP addresses.
3. Regenerate existing API keys periodically and review audit records for API key sign-ins.
**General Mitigation:**
- Implement appropriate network access protection mechanisms for the devices.
- Configure the environment following Siemens' operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Unusual OpenAPI traffic patterns or unexpected privilege escalations in the audit logs (related to CVE-2023-6916). Loss of network monitoring data (nodes, links, and assets no longer refreshing) until the IDS module is restarted (related to CVE-2024-0218).
- **Detection Methods and Tools:** Use the capabilities of Nozomi Guardian/CMC itself to monitor for suspicious API activity or integrity failures once the patched version is installed. Where deep packet inspection is deployed upstream of the device, check for malformed packets directed at the RADIUS parsing function.
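The workaround and detection guidance above both come down to a routine review of OpenAPI audit records: API keys should only be used from permitted IP addresses, keys should be regenerated periodically, and sign-ins with API keys should be checked. The following script is an added example (not code from Siemens or Nozomi Networks) that performs such a review. The JSON-lines record format, the field names (`event`, `key_id`, `src_ip`), the key inventory and the 90-day rotation window are all assumptions for the illustration; a real deployment would map them onto the product's own audit export.

```python
"""Review OpenAPI audit records for API-key sign-ins that violate a per-key
IP allowlist or a key-rotation policy.

Added example. The record layout and field names below are assumed for
illustration and are NOT Nozomi Guardian/CMC's actual audit log schema.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (assumed JSON-lines layout).
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-01-10T08:00:00Z", "event": "api_key_signin", "key_id": "k-reporting", "src_ip": "10.1.5.20", "path": "/api/open/query"}
{"ts": "2024-01-10T08:05:00Z", "event": "api_key_signin", "key_id": "k-reporting", "src_ip": "203.0.113.7", "path": "/api/open/query"}
{"ts": "2024-01-10T08:07:00Z", "event": "api_key_signin", "key_id": "k-legacy", "src_ip": "10.1.5.21", "path": "/api/open/query"}
{"ts": "2024-01-10T08:09:00Z", "event": "user_login", "user": "admin", "src_ip": "10.1.5.9"}
{"ts": "2024-01-10T08:10:00Z", "event": "api_key_signin", "key_id": "k-unknown", "src_ip": "10.1.5.22", "path": "/api/open/query"}
"""

# Constructed key inventory: the networks each key may be used from and the
# time the key was last regenerated (kept by the operator, not by the device).
KEY_INVENTORY = {
    "k-reporting": {"allowed": ["10.1.5.0/24"], "created": "2023-12-20T00:00:00Z"},
    "k-legacy": {"allowed": ["10.1.5.0/24"], "created": "2023-06-01T00:00:00Z"},
}

# Point in time at which the review is run (constructed).
REVIEW_TIME = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_api_key_signins(log_text, inventory, now, max_key_age_days=90):
    """Return a list of (key_id, finding, detail) tuples.

    Findings raised:
      unknown_key       - a sign-in with a key that is not in the inventory
      ip_not_allowed    - a sign-in from outside the key's permitted networks
      rotation_overdue  - a key older than the rotation window, used or not
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event") != "api_key_signin":
            continue  # interactive user logins are reviewed separately
        key_id = rec["key_id"]
        entry = inventory.get(key_id)
        if entry is None:
            findings.append((key_id, "unknown_key", rec["src_ip"]))
            continue
        src = ipaddress.ip_address(rec["src_ip"])
        if not any(src in ipaddress.ip_network(net) for net in entry["allowed"]):
            findings.append((key_id, "ip_not_allowed", rec["src_ip"]))

    # Rotation check runs over the whole inventory so that dormant keys that
    # were never regenerated are reported as well.
    for key_id, entry in inventory.items():
        age = now - _parse_ts(entry["created"])
        if age > timedelta(days=max_key_age_days):
            findings.append((key_id, "rotation_overdue", f"{age.days} days"))
    return findings


if __name__ == "__main__":
    for key_id, finding, detail in review_api_key_signins(
        SAMPLE_AUDIT_LOG, KEY_INVENTORY, REVIEW_TIME
    ):
        print(f"{finding:17} key={key_id:12} {detail}")
```

On the constructed input the review reports the `k-reporting` sign-in from 203.0.113.7 (outside the permitted 10.1.5.0/24), the sign-in with the uninventoried key `k-unknown`, and `k-legacy` as overdue for regeneration. The allowlist check is done on the audit trail after the fact; it complements, rather than replaces, enforcing the IP restriction on the key itself as the workaround describes.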
## References
- Siemens Security Advisory: SSA-292022
- Upstream Vendor Advisories: Nozomi Networks security notifications (refer to the official advisory for full details of Nozomi's findings on CVE-2023-6916 and CVE-2024-0218).