Full Report
Nozomi Networks has published information on vulnerabilities in Nozomi Guardian/CMC before V22.6.3 and 23.1.0. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet, available. Customers are advised to consult and implement the workarounds provided in Nozomi Networks' upstream security notifications.
Analysis Summary
# Vulnerability: Multiple SQL Injection and DoS Flaws in Nozomi Guardian/CMC affecting RUGGEDCOM APE1808
## CVE Details
- CVE ID: CVE-2023-2567
- CVSS Score: 7.6 (High)
- CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CVE ID: CVE-2023-29245
- CVSS Score: 8.1 (High)
- CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CVE ID: CVE-2023-32649
- CVSS Score: 7.5 (High)
- CWE: CWE-20: Improper Input Validation
## Affected Systems
- Products: Siemens RUGGEDCOM APE1808 devices running Nozomi Guardian / CMC.
- Versions: All versions running Nozomi Guardian / CMC before V22.6.3 or V23.1.0.
- Configurations: N/A (Specific to the version of the embedded Nozomi software).
## Vulnerability Description
The advisory covers three vulnerabilities within Nozomi Guardian/CMC affecting the RUGGEDCOM APE1808 platform:
1. **CVE-2023-2567 (SQL Injection):** An authenticated attacker can exploit improper input validation in certain parameters used in the Query functionality to execute arbitrary SQL queries, allowing extraction of uncontrolled, arbitrary information from the underlying DBMS.
2. **CVE-2023-29245 (SQL Injection):** An unauthenticated attacker can exploit improper input validation in fields used in the Asset Intelligence functionality by sending specially crafted network packets. This allows the attacker to execute arbitrary SQL statements, potentially extracting or altering database structure and data.
3. **CVE-2023-32649 (Denial of Service):** An unauthenticated attacker can exploit improper input validation in fields used in the Asset Intelligence functionality by sending specially crafted, malformed network packets. This allows the attacker to crash the IDS module, leading to a temporary period where network traffic is not analyzed until the module automatically restarts.
## Exploitation
- Status: The CVSS temporal metric is E:P (proof-of-concept) for all three CVEs, indicating evidence of exploitability exists; whether a PoC is publicly available is not explicitly stated.
- Complexity:
  - CVE-2023-2567: Low (requires authentication)
  - CVE-2023-29245: High (unauthenticated, requires specially crafted packets)
  - CVE-2023-32649: Low (unauthenticated, requires specially crafted packets)
- Attack Vector: Network (AV:N for all listed CVEs)
## Impact
| CVE | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| **CVE-2023-2567** | High | Low | Low |
| **CVE-2023-29245** | High | High | High |
| **CVE-2023-32649** | No Impact | No Impact | High |
## Remediation
### Patches
- Customers must upgrade Nozomi Guardian / CMC to **V23.4.1** or newer.
- For obtaining the patch/update information, customers are advised to contact customer support.
### Workarounds
- **CVE-2023-2567:** Use internal firewall features to limit access to the web management interface.
- **CVE-2023-32649:** Monitor the IDS log to check for abnormal stops and restarts.
- Implement general security recommendations, including protecting network access according to Siemens' operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Look for unusual database query activity related to the Query functionality (for CVE-2023-2567) or unexpected crashes/restarts of the IDS module (for CVE-2023-32649).
- **Detection methods and tools:** Monitor network traffic for specially crafted packets targeting the Asset Intelligence functionality (for CVE-2023-29245 and CVE-2023-32649). For SQL injection, monitor web application logs for abnormal query or input attempts.
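To make the IDS-log workaround concrete, the following added example (not code from the advisory, Siemens or Nozomi Networks) parses a constructed crash/restart log, flags bursts of unexpected IDS stops that exceed a sliding-window threshold, and sums the time during which traffic was not analyzed; the log layout and the `ids_module` name are assumptions, since the advisory gives no log format.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: the advisory gives no Nozomi IDS log format).
SAMPLE_IDS_LOG = """\
2023-06-01T08:00:00 ids_module started
2023-06-01T09:15:10 ids_module stopped unexpectedly (signal 11)
2023-06-01T09:15:12 ids_module started
2023-06-01T09:17:40 ids_module stopped unexpectedly (signal 11)
2023-06-01T09:17:42 ids_module started
2023-06-01T09:21:05 ids_module stopped unexpectedly (signal 11)
2023-06-01T09:21:09 ids_module started
2023-06-02T02:00:00 ids_module stopped (scheduled maintenance)
2023-06-02T02:05:00 ids_module started
"""
LINE_RE = re.compile(r"^(\S+) ids_module (stopped unexpectedly|stopped|started)\b")

def parse_ids_events(log_text):
    """Return [(timestamp, event)] for IDS start/stop lines; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return events

def find_crash_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Flag `threshold`+ unexpected stops inside a sliding `window` (a lone crash or a
    scheduled stop is not flagged). Returns [(first_crash, last_crash, count)]."""
    recent, bursts = deque(), []
    for ts, ev in events:
        if ev != "stopped unexpectedly":
            continue
        recent.append(ts)
        while ts - recent[0] > window:   # drop crashes that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append((recent[0], ts, len(recent)))
    return bursts

def unanalyzed_seconds(events):
    """Seconds during which traffic was not analyzed: each unexpected stop to the next start."""
    total, down_since = 0.0, None
    for ts, ev in events:
        if ev == "stopped unexpectedly":
            down_since = ts
        elif ev == "started" and down_since is not None:
            total += (ts - down_since).total_seconds()
            down_since = None
    return total
```

The window and threshold are starting points; tune them against the normal restart rate observed on the appliance so that scheduled stops never trigger an alert.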
## References
- Vendor advisories: Siemens Security Advisory SSA-292063
- Relevant links:
  - https://security.nozominetworks.com/
  - https://cert-portal.siemens.com/productcert/html/ssa-292063.html
  - https://www.siemens.com/cert/operational-guidelines-industrial-security
  - https://www.siemens.com/industrialsecurity
  - https://www.siemens.com/cert/advisories