Full Report
RUGGEDCOM CROSSBOW before V5.3 contains two vulnerabilities that could allow authenticated remote attackers to access data they are not authorized for, or to execute arbitrary database queries via an SQL injection attack. Siemens has released an update for RUGGEDCOM CROSSBOW and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Security Flaws in RUGGEDCOM CROSSBOW
## CVE Details
- **CVE ID:** CVE-2023-27463 (SQL Injection), CVE-2023-27462 (Missing Authorization)
- **CVSS Score:** 8.8 (High) / 3.1 (Low)
- **CWE:** CWE-89, CWE-862
## Affected Systems
- **Products:** RUGGEDCOM CROSSBOW (Secure Access Management Solution)
- **Versions:** All versions prior to V5.3
- **Configurations:** Systems where authenticated remote access is enabled.
## Vulnerability Description
RUGGEDCOM CROSSBOW is susceptible to two distinct vulnerabilities that affect the integrity and confidentiality of the database and its managed data:
1. **SQL Injection (CVE-2023-27463):** The audit log form fails to properly neutralize special elements in SQL commands. An authenticated attacker can inject malicious SQL queries into the server database.
2. **Missing Authorization (CVE-2023-27462):** The client query handler lacks sufficient permission checks for specific read queries, allowing authenticated users to access data beyond their assigned privileges.
## Exploitation
- **Status:** PoC available (Indicated by CVSS "Exploit Code Maturity: Proof-of-Concept")
- **Complexity:** Low (CVE-2023-27463) / High (CVE-2023-27462)
- **Attack Vector:** Network (Accessible remotely by an authenticated user)
## Impact
- **Confidentiality:** High (Unauthorized data access and database exposure)
- **Integrity:** High (Ability to execute arbitrary SQL queries/modify data)
- **Availability:** High (Potential database disruption via SQL injection)
## Remediation
### Patches
- **RUGGEDCOM CROSSBOW V5.3:** Siemens recommends upgrading to V5.3 or a later version to resolve these flaws. The update can be acquired via the Siemens Industry Online Support portal.
### Workarounds
- No specific product workarounds are provided. Siemens recommends following "General Security Recommendations" to mitigate risk.
## Detection
- **Indicators of Compromise:** Monitor database logs for unusual or malformed SQL syntax originating from the RUGGEDCOM CROSSBOW audit log service. Inspect access logs for users querying data outside of their typical role scopes.
- **Detection methods and tools:** Use SIEM or database activity monitoring (DAM) to flag unauthorized read attempts and SQL injection patterns (e.g., `' OR 1=1`).
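
The two detection ideas above (injection patterns in statements, and reads outside a user's role scope) can be combined in one pass over a database statement log. This is an added example, not Siemens or CROSSBOW code: the log layout, table names, roles and the role-to-table mapping are all assumptions constructed for illustration.

```python
import re

# Constructed sample in an assumed "ts user= role= stmt=" layout. Table names
# and roles are hypothetical; a real DAM/SIEM export needs its own parser.
SAMPLE_LOG = """\
2023-03-14T09:12:01Z user=operator1 role=operator stmt=SELECT * FROM audit_log WHERE device = 'rtu-7'
2023-03-14T09:12:44Z user=operator1 role=operator stmt=SELECT * FROM audit_log WHERE device = '' OR 1=1 --'
2023-03-14T09:13:10Z user=operator2 role=operator stmt=SELECT name FROM device_credentials
2023-03-14T09:14:02Z user=admin1 role=admin stmt=SELECT name FROM device_credentials
2023-03-14T09:15:30Z user=operator1 role=operator stmt=SELECT * FROM audit_log WHERE device = 'x' UNION SELECT login, secret FROM users
"""

# Assumed role-to-table read scope (not taken from the product).
ROLE_TABLES = {
    "operator": {"audit_log"},
    "admin": {"audit_log", "device_credentials", "users"},
}

# Heuristic patterns; expect false positives and tune against real traffic.
SQLI_PATTERNS = {
    "tautology": re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1\b'?", re.I),
    "union-select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "stacked-query": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I),
    "comment-terminator": re.compile(r"--|/\*"),
}
LINE_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) stmt=(.*)$")
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_]\w*)", re.I)


def analyze(log_text):
    """Return (user, reason) findings for injection patterns and out-of-scope reads."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        _ts, user, role, stmt = m.groups()
        for name, pattern in SQLI_PATTERNS.items():
            if pattern.search(stmt):
                findings.append((user, f"sqli:{name}"))
        # Tables read by the statement, compared with the role's allowed set.
        tables = {t.lower() for t in TABLE_RE.findall(stmt)}
        for table in sorted(tables - ROLE_TABLES.get(role, set())):
            findings.append((user, f"out-of-scope:{table}"))
    return findings


if __name__ == "__main__":
    for user, reason in analyze(SAMPLE_LOG):
        print(user, reason)
```

An unknown role maps to an empty scope, so every table it reads is reported rather than silently allowed.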
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-320629.pdf
- **Update Link:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109813558/
- **Siemens Industrial Security Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security