Full Report
Opcenter Quality is affected by multiple vulnerabilities in the SmartClient modules Opcenter QL Home (SC), SOA Audit and SOA Cockpit. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Security Flaws in Siemens Opcenter Quality SmartClient
## CVE Details
This advisory covers seven distinct vulnerabilities. The highest severity is **7.5 (High)**.
* **CVE-2024-41979**: CVSS v4.0: 7.5 (High) | CWE-602: Client-Side Enforcement of Server-Side Security
* **CVE-2024-41980**: CVSS v4.0: 7.1 (High) | CWE-311: Missing Encryption of Sensitive Data
* **CVE-2024-41982**: CVSS v4.0: 5.9 (Medium) | CWE-311: Missing Encryption of Sensitive Data
* **CVE-2024-41983**: CVSS v4.0: 5.1 (Medium) | CWE-209: Generation of Error Message Containing Sensitive Information
* **CVE-2024-41984**: CVSS v4.0: 2.1 (Low) | CWE-209: Generation of Error Message Containing Sensitive Information
* **CVE-2024-41985**: CVSS v4.0: 2.1 (Low) | CWE-613: Insufficient Session Expiration
* **CVE-2024-41986**: CVSS v4.0: 6.1 (Medium) | CWE-327: Use of a Broken or Risky Cryptographic Algorithm
## Affected Systems
* **Products:** Opcenter Quality
* **Specific Modules:** SmartClient modules Opcenter QL Home (SC), SOA Audit, and SOA Cockpit.
* **Versions:** All versions from V13.2 up to (but excluding) V2506.
## Vulnerability Description
The affected modules suffer from several security weaknesses:
* **Improper Security Enforcement:** Some security checks are performed only on the client side, allowing attackers to bypass them by interacting directly with server-side SOAP services.
* **Insecure Data Handling:** Sensitive information, including LDAP credentials and database fields, is transmitted or stored without encryption.
* **Information Disclosure:** The application reveals sensitive system details (like SQL statements and system file paths) through verbose error messages in the Cockpit tool.
* **Session & Protocol Risks:** The application supports obsolete/insecure TLS 1.0/1.1 protocols and fails to properly expire idle sessions, increasing the risk of Man-in-the-Middle (MitM) and session hijacking attacks.
## Exploitation
* **Status:** Not exploited (No reports of exploitation in the wild; no PoC currently listed).
* **Complexity:** Ranges from **Low** (Information disclosure) to **High** (MitM and bypassing client-side checks).
* **Attack Vector:** **Adjacent** (Requires access to the local/adjacent network where the SmartClient is operated).
## Impact
* **Confidentiality:** **High** (Exposure of LDAP credentials, SQL structures, and database records).
* **Integrity:** **Low to Moderate** (Potential for unauthorized data modification through session hijacking or MitM).
* **Availability:** **Low** (Limited direct impact on system availability).
## Remediation
### Patches
Siemens recommends updating to the following version:
* **Opcenter Quality V2506** or later: [https://support.sw.siemens.com/product/249261320/](https://support.sw.siemens.com/product/249261320/)
### Workarounds
* **Protocol Hardening:** Disable SSL v2/v3 and TLS 1.0/1.1. Force the use of TLS 1.2.
* **Access Control:** Implement the principle of "least privilege" for all LDAP and database users.
* **Service Restriction:** Remove tools that allow SOAP service calls from outside the SmartClient.
* **IIS Hardening:** Hide the IIS version and restrict folder scanning/file extension access.
* **Network Isolation:** Operate the SmartClient only within a secured, isolated network context.
## Detection
* **Indicators of Compromise:** Unusual LDAP authentication traffic, unauthorized SOAP requests originating from non-standard clients, or evidence of network sniffing (MitM).
* **Detection methods:** Audit IIS logs for unauthorized access attempts to system folders and monitor network traffic for the use of deprecated TLS versions.
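As an added example (not part of the advisory or of Siemens' tooling), the following Python script applies the detection advice above to constructed IIS W3C log lines: it flags SOAP calls from clients other than the SmartClient, probes of system folders, and handshakes negotiated with the deprecated protocols named in the workarounds. The SOAP path prefix, the SmartClient User-Agent string and the `crypt-protocol` custom field (assumed to be an IIS Enhanced Logging field bound to the `CRYPT_PROTOCOL` server variable, holding Schannel `SP_PROT_*` server flags in hex) are assumptions, not values from the advisory.

```python
# Constructed sample IIS W3C extended log; not taken from the advisory.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) crypt-protocol
2024-08-13 09:00:01 10.0.0.5 POST /SOA/AuditService.svc 200 OpcenterSmartClient/13.2 400
2024-08-13 09:00:07 10.0.0.99 POST /SOA/AuditService.svc 200 python-requests/2.31 400
2024-08-13 09:00:09 10.0.0.99 GET /bin/web.config 404 curl/8.0 100
2024-08-13 09:00:12 10.0.0.7 GET /Home/ 200 OpcenterSmartClient/13.2 40
"""

# Hypothetical placeholders: the real SOAP paths and SmartClient User-Agent
# are deployment-specific and are not given in the advisory.
SOAP_PREFIX = "/SOA/"
TRUSTED_AGENT = "OpcenterSmartClient/"
SYSTEM_PATHS = ("/bin/", "/app_data/", "web.config", "/..")
# Schannel server-side protocol flags (schannel.h SP_PROT_*_SERVER) for the
# protocols the workaround says to disable.
DEPRECATED = {0x4: "SSL 2.0", 0x10: "SSL 3.0", 0x40: "TLS 1.0", 0x100: "TLS 1.1"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_findings(text):
    """Return (kind, client_ip, detail) tuples for the advisory's detection points."""
    findings = []
    for rec in parse_w3c(text):
        ip, uri, ua = rec["c-ip"], rec["cs-uri-stem"], rec.get("cs(User-Agent)", "-")
        # SOAP service reached by something other than the SmartClient.
        if uri.startswith(SOAP_PREFIX) and not ua.startswith(TRUSTED_AGENT):
            findings.append(("soap-from-untrusted-client", ip, f"{ua} -> {uri}"))
        # Request touching system folders or configuration files via IIS.
        if any(p in uri.lower() for p in SYSTEM_PATHS):
            findings.append(("system-path-probe", ip, f"{rec['sc-status']} {uri}"))
        # Handshake negotiated with a protocol the workaround says to disable.
        try:
            proto = int(rec.get("crypt-protocol", "0"), 16)
        except ValueError:
            proto = 0
        for flag, name in DEPRECATED.items():
            if proto & flag:
                findings.append(("deprecated-tls", ip, name))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in find_findings(SAMPLE_LOG):
        print(f"{kind:28} {ip:12} {detail}")
```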
## References
* **Siemens Security Advisory:** [https://cert-portal.siemens.com/productcert/pdf/ssa-382999.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-382999.pdf)
* **Siemens Industrial Security Guidelines:** [https://www.siemens.com/cert/operational-guidelines-industrial-security](https://www.siemens.com/cert/operational-guidelines-industrial-security)