Full Report
Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends countermeasures for products where fixes are not available, or not yet available.
Analysis Summary
# Vulnerability: Insufficient Session Expiration in Multiple Siemens Industrial Products
## CVE Details
- **CVE ID:** CVE-2024-45386
- **CVSS Score:**
  - CVSS v3.1: **8.8 (High)**
  - CVSS v4.0: **8.7 (High)**
- **CWE:** CWE-613: Insufficient Session Expiration
## Affected Systems
The vulnerability affects several Siemens engineering and administrative frameworks:
- **SIMATIC PCS neo:** V4.0 (all versions), V4.1 (versions older than V4.1 Update 2), and V5.0 (versions older than V5.0 Update 1).
- **TIA Administrator:** All versions prior to V3.0.4.
- **Totally Integrated Automation Portal (TIA Portal):** V19 versions prior to V19 Update 1.
- **SIMOCODE ES V19:** All versions prior to V19 Update 1.
- **SIRIUS Safety ES V19 (TIA Portal):** All versions prior to V19 Update 1.
- **SIRIUS Soft Starter ES V19 (TIA Portal):** All versions prior to V19 Update 1.
## Vulnerability Description
Affected products fail to properly invalidate user sessions when a user logs out. Because the session remains active on the server side after the "logout" action, a remote unauthenticated attacker who has intercepted or otherwise obtained a valid session token (via man-in-the-middle, session hijacking, or local access) can continue to use that token to impersonate the user. This bypasses the security intent of the logout function.
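The following is an added illustration of the CWE-613 pattern described above, not Siemens code: a simplified in-memory session store with a logout that only clears the browser cookie (the vulnerable pattern) beside one that also revokes the server-side entry, plus a regression check that replays the old token after logout. The `SessionStore` class, `token_survives_logout` helper and the "operator" user are assumptions of this example.

```python
"""CWE-613 illustration: logout that only clears the client cookie versus one
that also revokes the server-side session. Example code, not Siemens code."""
import secrets
import time


class SessionStore:
    """Minimal server-side session table keyed by an opaque token (assumed design)."""

    def __init__(self, idle_timeout=900):
        self.sessions = {}  # token -> {"user": str, "last_seen": float}
        self.idle_timeout = idle_timeout

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last_seen": time.time()}
        return token

    def authenticate(self, token):
        """Return the user bound to token, or None if the session is not valid."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        if time.time() - entry["last_seen"] > self.idle_timeout:
            del self.sessions[token]  # expire idle sessions server-side
            return None
        entry["last_seen"] = time.time()
        return entry["user"]

    def logout_vulnerable(self, token):
        """Vulnerable pattern: instructs the browser to drop the cookie but
        leaves the server-side entry alive, so a copied token keeps working."""
        return {"Set-Cookie": "session=; Max-Age=0"}  # server state untouched

    def logout_fixed(self, token):
        """Hardened pattern: revoke the server-side session first, then clear
        the cookie. Any later use of the same token is rejected."""
        self.sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def token_survives_logout(store, logout):
    """Regression check: log in, log out, then replay the old token.
    Returns True if the replay is still accepted (the CWE-613 condition)."""
    token = store.login("operator")  # constructed sample user
    logout(token)
    return store.authenticate(token) is not None
```

The same check, run against a real deployment with a captured test session of your own, is a quick way to confirm whether an applied update actually closed the gap.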
## Exploitation
- **Status:** No reports of exploitation in the wild at this time; no public PoC provided in the advisory.
- **Complexity:** Low (exploitation is straightforward once a token is obtained).
- **Attack Vector:** Network (requires User Interaction to initially establish/obtain a session).
## Impact
- **Confidentiality:** High (Full access to the authenticated user's data).
- **Integrity:** High (Ability to modify configurations and settings as the user).
- **Availability:** High (Potential to disrupt automation services or change operational states).
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **SIMATIC PCS neo V4.1:** Update to V4.1 Update 2.
- **SIMATIC PCS neo V5.0:** Update to V5.0 Update 1.
- **TIA Administrator:** Update to V3.0.4.
- **TIA Portal V19 / SIMOCODE ES / SIRIUS Safety ES / SIRIUS Soft Starter ES:** Update to V19 Update 1.
*Note: For SIMATIC PCS neo V4.0, no fix is currently planned.*
### Workarounds
For products where a fix is not available (e.g., PCS neo V4.0, for which no fix is planned) or until patches can be applied:
- Ensure secure communication channels (HTTPS/TLS) to prevent session token interception.
- Implement strict access control and network segmentation to limit access to web-based management interfaces.
- Users should clear browser caches and cookies after logging out of sensitive industrial applications.
## Detection
- Monitor for concurrent sessions or session activity originating from unexpected IP addresses.
- Audit logs for administrative actions performed immediately after a known user logout event.
- Inspect network traffic for unencrypted session tokens if TLS is not enforced.
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-342348[.]html
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories
- **Software Updates:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109825038/ (Example link for TIA Admin)