# Full Report
INTRALOG WMS before V4 is affected by vulnerabilities in the SQL Client-Server communication and in the .NET framework. Successful exploitation could allow an unauthenticated attacker located in the INTRALOG WMS network to decrypt and modify client-server communication, or potentially execute arbitrary code on the application servers. Siemens has released a new version for INTRALOG WMS and recommends updating to the latest version. Please contact your personal INTRALOG WMS contact person, referencing the Siemens Security Advisory ID (SSA-417547) and the installed INTRALOG WMS versions, to initiate the dialog with Siemens to get the vulnerabilities fixed.
# Analysis Summary
# Vulnerability: Multiple Flaws in INTRALOG WMS Affecting Client-Server Communication and Execution Environment
## CVE Details
- CVE ID: Consolidated under SSA-417547, which references **CVE-2024-0056** and **CVE-2024-30045**.
- CVSS Score: **8.0** (CVSS 3.1, consolidated across both issues). Individual scores: **8.7** for CVE-2024-0056 and **6.3** for CVE-2024-30045 (CVSS 3.1 base).
- CWE: CWE-319 (Cleartext Transmission of Sensitive Information) for CVE-2024-0056; CWE-122 (Heap-based Buffer Overflow) for CVE-2024-30045.
## Affected Systems
- Products: INTRALOG WMS (Warehouse Management Solution).
- Versions: All versions **before V4**.
- Configurations: Exploitation requires the attacker to be **located in the controlled network of the INTRALOG WMS deployment** (Adjacent Network Access required for product-specific vectors).
## Vulnerability Description
The advisory addresses multiple vulnerabilities stemming from issues in the SQL Client-Server communication layer (related to Microsoft.Data.SqlClient/System.Data.SqlClient) and flaws within the underlying .NET framework components used by INTRALOG WMS.
1. **CVE-2024-0056 (SQL data provider flaw):** A cleartext-transmission / security-bypass flaw in the SQL data provider (Microsoft.Data.SqlClient / System.Data.SqlClient). An attacker on the INTRALOG WMS network can **decrypt and/or modify the communication** between INTRALOG WMS SQL clients and servers.
2. **CVE-2024-30045 (.NET flaw):** A memory-safety vulnerability in the .NET framework (mapped to CWE-122, heap-based buffer overflow). Successful exploitation could lead to the **execution of arbitrary code** on the INTRALOG WMS application servers.
## Exploitation
- Status: The vendor advisory does not state that exploitation in the wild has been observed, and **PoC availability is not specified**; given that the impacts are RCE and data modification, the risk is nonetheless high.
- Complexity: **High** for CVE-2024-0056 (CVSS 3.1 vector AV:N/AC:H); **Low** for CVE-2024-30045 (CVSS 3.1 vector AV:N/AC:L). In the product context the attack vector is adjusted from Network to **Adjacent (AV:A)**.
- Attack Vector: **Adjacent Network** (the attacker must be within the INTRALOG WMS network/domain).
## Impact
- Confidentiality: **High** (Ability to decrypt client-server communication in CVE-2024-0056).
- Integrity: **High** (Ability to modify client-server communication in CVE-2024-0056, and potential code execution in CVE-2024-30045).
- Availability: **Low/Medium** (a denial of service is possible as a side effect of RCE, but the primary impact is on confidentiality and integrity).
## Remediation
### Patches
- **Update to INTRALOG WMS Version V4 or later.**
- Users must contact their personal INTRALOG WMS contact person, referencing **SSA-417547** and their installed versions to initiate the process for obtaining the fixed version.
### Workarounds
- No specific, explicit technical workarounds are detailed beyond general security recommendations.
- **Mitigation Recommendation:** Protect network access to devices using appropriate mechanisms and configure the environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- Detection details are not provided in the advisory summary.
- **Indicators of Compromise (IOCs):** None published. Likely signals are unencrypted SQL (TDS) sessions between WMS clients and the database server (if CVE-2024-0056 is leveraged) and unexpected process execution or memory-corruption crashes on application servers (if CVE-2024-30045 is leveraged).
- **Detection Methods:** Review network-monitoring and firewall logs for adjacent-network connections to SQL ports that do not negotiate strong encryption, and audit application-server system logs for indicators of code execution.
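The two detection angles above can be turned into a small audit. The following Python is an added example written for this page; it is not code from the Siemens advisory or from INTRALOG WMS. It assumes the WMS clients reach SQL Server through a standard SqlClient connection string (the `Encrypt` and `TrustServerCertificate` keywords are real Microsoft.Data.SqlClient / System.Data.SqlClient keywords) and that connection state can be exported from `sys.dm_exec_connections` (its `encrypt_option` column is real). All sample connection strings and session records are constructed for illustration.

```python
"""Audit SqlClient connection strings and SQL Server session records for
unencrypted TDS traffic. Added example for the detection section; not part of
the Siemens advisory. Sample inputs are constructed."""

# Values accepted by the SqlClient 'Encrypt' keyword that leave the channel
# unencrypted (or encrypted only if the server insists). 'Strict' is the
# TDS 8.0 mode of Microsoft.Data.SqlClient 5.x.
ENCRYPT_OFF = {"false", "no", "0", "optional"}
BOOL_TRUE = {"true", "yes", "1"}


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    out = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        out[key.strip().lower()] = value.strip()
    return out


def audit_connection_string(conn: str) -> list:
    """Return a list of findings for one SqlClient connection string.

    Two weak settings are reported: transport encryption switched off, and
    server-certificate validation disabled (which defeats the protection
    encryption would otherwise give against an on-path attacker)."""
    cfg = parse_connection_string(conn)
    findings = []
    encrypt = cfg.get("encrypt", "").lower()
    # 'Trust Server Certificate' is a documented synonym of the keyword.
    trust = cfg.get("trustservercertificate",
                    cfg.get("trust server certificate", "")).lower()
    if encrypt in ENCRYPT_OFF:
        findings.append("Encrypt disabled: TDS traffic may be sent in cleartext")
    elif encrypt == "":
        findings.append("Encrypt not set: behaviour depends on driver version default")
    if trust in BOOL_TRUE:
        findings.append("TrustServerCertificate=true: server certificate is not validated")
    return findings


# Constructed rows in the shape of
#   SELECT session_id, client_net_address, local_tcp_port, encrypt_option
#   FROM sys.dm_exec_connections;
# exported from the WMS database server. Addresses are made up.
SAMPLE_CONNECTIONS = [
    {"session_id": 51, "client_net_address": "10.10.5.21",
     "local_tcp_port": 1433, "encrypt_option": "TRUE"},
    {"session_id": 52, "client_net_address": "10.10.5.77",
     "local_tcp_port": 1433, "encrypt_option": "FALSE"},
    {"session_id": 53, "client_net_address": "10.10.9.3",
     "local_tcp_port": 1433, "encrypt_option": "FALSE"},
]


def unencrypted_sessions(records, allowed_clients=frozenset()) -> list:
    """Return session records whose TDS connection is not encrypted.

    allowed_clients is an optional allow-list of client addresses that are
    known and accepted (for example a monitoring host on a separate VLAN);
    everything else with encrypt_option FALSE is reported."""
    return [
        r for r in records
        if r["encrypt_option"].upper() == "FALSE"
        and r["client_net_address"] not in allowed_clients
    ]


if __name__ == "__main__":
    weak = "Server=wms-db;Database=WMS;Encrypt=False;TrustServerCertificate=True"
    strong = "Server=wms-db;Database=WMS;Encrypt=Strict"
    print("weak  :", audit_connection_string(weak))
    print("strong:", audit_connection_string(strong))
    for row in unencrypted_sessions(SAMPLE_CONNECTIONS):
        print("unencrypted session", row["session_id"], "from", row["client_net_address"])
```

Run against real exports, the `unencrypted_sessions` result is the list to reconcile against the WMS client inventory; any session with `encrypt_option = FALSE` from a host that is not on the allow-list is exactly the traffic an adjacent-network attacker could read or modify under CVE-2024-0056.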
## References
- Vendor Advisory ID: **SSA-417547**
- Microsoft MSRC Reference for CVE-2024-0056: hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0056
- Microsoft MSRC Reference for CVE-2024-30045: hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30045
- Siemens Industrial Security Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security