Full Report
InterMesh Subscriber devices contain multiple vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code with root privileges. Siemens has released new versions for the affected products and recommends to update to the latest versions.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in InterMesh Subscriber Devices
## CVE Details
- **CVE ID:** CVE-2024-47901, CVE-2024-47902, CVE-2024-47903, CVE-2024-47904
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-78 (OS Command Injection), CWE-306 (Missing Authentication), CWE-250 (Unnecessary Privileges), CWE-266 (Incorrect Privilege Assignment)
## Affected Systems
- **Products:**
- InterMesh 7177 Hybrid 2.0 Subscriber
- InterMesh 7707 Fire Subscriber
- **Versions:**
- 7177 Hybrid: All versions < V8.2.12
- 7707 Fire: All versions < V7.2.12
- **Configurations:**
- For the **7707 Fire Subscriber**, the device is only vulnerable if the IP interface is enabled (it is disabled by default).
## Vulnerability Description
The InterMesh Subscriber devices suffer from a chain of security flaws within their web server component and local operating system:
1. **Command Injection (CVE-2024-47901):** The web server fails to sanitize input parameters in specific GET requests.
2. **Missing Authentication (CVE-2024-47902):** Critical functions (like the `ping` command) can be executed via GET requests without any authentication.
3. **Insecure File Writing (CVE-2024-47903):** The web server allows writing arbitrary files to the `DocumentRoot` directory.
4. **Privilege Escalation (CVE-2024-47904):** A SUID binary exists that allows users to execute commands with root privileges.
When combined, these flaws allow a remote, unauthenticated attacker to bypass security controls and execute arbitrary code with full root-level access.
## Exploitation
- **Status:** PoC not explicitly mentioned as public, but technical details are documented by the researcher (Jean Pereira).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Ability to modify system files and configurations)
- **Availability:** High (Potential for complete system takeover or denial of service)
## Remediation
### Patches
Siemens recommends updating to the following versions immediately:
- **InterMesh 7177 Hybrid 2.0:** Update to **V8.2.12** or later.
- **InterMesh 7707 Fire:** Update to **V7.2.12** or later.
### Workarounds
- **Disable IP Interface:** Specifically for the 7707 Fire Subscriber, ensure the IP interface is disabled if not strictly required.
- **Access Control:** Restrict InterMesh network access to trusted personnel and systems only.
- **Environment Isolation:** Deploy devices within protected IT environments following general industrial security best practices.
## Detection
- **Indicators of Compromise:**
- High-frequency GET requests to the web server containing shell metacharacters (e.g., `;`, `|`, `&`).
- Unexpected files appearing in the web server's `DocumentRoot` directory.
- Unauthorized executions of the `ping` utility through the web interface.
- **Detection methods:** Monitor network traffic for unauthenticated web requests to administrative endpoints and audit system logs for unconventional root-level activity initiated by the web server process.
## References
- **Vendor Advisory:** hXXps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-333468[.]pdf
- **AES Corporation Product Page:** hXXps[://]aes-corp[.]com/product/7177h-88-ulp-intellinet-2-0-hybrid-subscriber/
- **Siemens ProductCERT:** hXXps[://]www[.]siemens[.]com/cert/advisories