Full Report
An OpenSSH vulnerability, known as regreSSHion, affects multiple Siemens industrial products. This security regression consists of a race condition that may allow an unauthenticated remote attacker to achieve remote code execution with high impact on the affected system. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not available, or not yet available.
Analysis Summary
# Vulnerability: regreSSHion (OpenSSH Race Condition) in Siemens Industrial Products
## CVE Details
- **CVE ID:** CVE-2024-6387
- **CVSS Score:** 8.1 (High)
- **CWE:** CWE-364: Signal Handler Race Condition
## Affected Systems
- **Products:**
  - Industrial Edge Management OS (IEM-OS)
  - SINAMICS IIoT module
  - SINEMA Remote Connect Server
  - SINUMERIK ONE
- **Versions:**
  - **IEM-OS:** All versions
  - **SINAMICS IIoT module:** All versions < V1.0 HF1
  - **SINEMA Remote Connect Server:** All versions < V3.2 SP2
  - **SINUMERIK ONE:** All versions < V6.24
- **Configurations:** Systems where the SSH port (default 22/tcp) is open and accessible. For SINUMERIK ONE, this applies to interfaces X120, X127, and X130.
## Vulnerability Description
This is a security regression of a 2006 flaw (CVE-2006-5051) found in the OpenSSH server (`sshd`). The vulnerability stems from a race condition where `sshd` handles specific signals in an unsafe manner. An unauthenticated remote attacker can trigger this flaw by failing to complete the authentication process within a specific timeout period. If successfully exploited, this allows the attacker to execute arbitrary code with root privileges.
## Exploitation
- **Status:** PoC available (the flaw is a regression of an earlier fix, and public proof-of-concept exploits for "regreSSHion" exist in the security community).
- **Complexity:** High
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full system access/root privileges)
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Siemens has released the following updates to address the flaw:
- **SINAMICS IIoT module:** Update to **V1.0 HF1** or later.
- **SINEMA Remote Connect Server:** Update to **V3.2 SP2** or later.
- **SINUMERIK ONE:** Update to **V6.24** or later (contact Siemens customer support or local partners for the software).
*Note: For IEM-OS, no fix is currently planned; users must apply workarounds.*
### Workarounds
- **Disable SSH:** Turn off the SSH service on the device if it is not required for operations.
- **Access Control:** Restrict SSH access (port 22/tcp) via firewall rules so only trusted, authorized management systems can connect.
- **Port Obfuscation:** Change the default SSH port from 22/tcp to a non-standard port to reduce exposure to automated scanning and mass exploitation tools.
## Detection
- **Indicators of Compromise:** Monitor system logs for repeated failed authentication attempts from unknown IPs followed by unexpected system crashes or high-privilege account activity.
- **Detection Methods:** Vulnerability scanners can identify outdated OpenSSH versions. For SINUMERIK ONE systems, audit interfaces X120, X127, and X130 to confirm if the SSH port is active.
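The two detection approaches listed above, as an added example that is not part of the Siemens advisory: a banner check that classifies the OpenSSH version an `sshd` announces, and a log triage routine that counts pre-authentication failures and timeouts per source address, ignoring a list of trusted management hosts. The affected OpenSSH version ranges in the code (before 4.4p1, and 8.5p1 up to but not including 9.8p1) come from the upstream OpenSSH 9.8 release notes rather than from this page; the log lines are constructed for the example, and a version banner alone cannot tell a backported vendor fix from an unpatched build, so a banner hit means "verify", not "confirmed vulnerable".

```python
"""Added example, not from the Siemens advisory or the OpenSSH project.

1. parse_openssh_banner() / openssh_affected_by_regresshion(): classify the
   version string an sshd sends on connect.  Affected ranges are taken from
   the upstream OpenSSH 9.8 release notes (assumption: the build reports its
   true upstream version; distro backports may report an old version yet be fixed).
2. count_preauth_failures() / suspicious_sources(): triage sshd log lines for
   the pattern the advisory describes, repeated failed or timed-out
   authentication attempts from one source, skipping trusted management hosts.
"""
import re
from collections import Counter

# Matches e.g. "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3"; the "pN" suffix is optional.
BANNER_RE = re.compile(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Pre-authentication failure patterns as logged by portable OpenSSH sshd.
IP = r"(?P<ip>[\d.]+|[0-9a-fA-F:]+)"
LOG_PATTERNS = [
    re.compile(r"Timeout before authentication for " + IP + r" port \d+"),
    re.compile(r"Failed (?:password|publickey|none) for (?:invalid user )?\S+ from " + IP + r" port \d+"),
    re.compile(r"Connection closed by (?:authenticating|invalid) user \S+ " + IP + r" port \d+ \[preauth\]"),
]


def parse_openssh_banner(banner: str):
    """Return (major, minor, portable_patch) from an SSH identification string, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p) if p else 0)


def openssh_affected_by_regresshion(banner: str) -> bool:
    """True if the announced version falls in a range that shipped the regression."""
    v = parse_openssh_banner(banner)
    if v is None:
        return False  # not OpenSSH (or unparseable): this check cannot say
    return v < (4, 4, 1) or (8, 5, 1) <= v < (9, 8, 1)


def count_preauth_failures(lines):
    """Count pre-authentication failures and timeouts per source address."""
    counts = Counter()
    for line in lines:
        for pat in LOG_PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group("ip")] += 1
                break
    return counts


def suspicious_sources(lines, threshold=10, trusted=frozenset()):
    """Sources with at least `threshold` pre-auth failures, excluding trusted hosts."""
    counts = count_preauth_failures(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in trusted)


# Constructed sample log (not real data): one legitimate login, a burst of
# authentication timeouts from one address, and two failed passwords from another.
SAMPLE_LOG = "\n".join(
    ["Jul  1 10:00:01 edge sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 50211 ssh2"]
    + [f"Jul  1 10:02:{i:02d} edge sshd[22{i:02d}]: Timeout before authentication for 203.0.113.5 port {41000 + i}"
       for i in range(12)]
    + ["Jul  1 10:05:30 edge sshd[2300]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
       "Jul  1 10:05:33 edge sshd[2300]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2"]
)


if __name__ == "__main__":
    for banner in ("SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3", "SSH-2.0-OpenSSH_9.8p1", "SSH-2.0-OpenSSH_7.4"):
        print(f"{banner:45s} affected-by-version={openssh_affected_by_regresshion(banner)}")
    print("per-source pre-auth failures:", dict(count_preauth_failures(SAMPLE_LOG.splitlines())))
    print("suspicious:", suspicious_sources(SAMPLE_LOG.splitlines(), threshold=10, trusted={"10.0.0.5"}))
```

The banner can be collected with any TCP client that reads the first line from port 22/tcp (or whichever port the "Port Obfuscation" workaround moved the service to); feeding the output of `journalctl -u ssh` or `/var/log/auth.log` into `suspicious_sources` gives the per-source view the Indicators of Compromise bullet asks for, and the `trusted` set is where the firewall-allowlisted management systems from the Access Control workaround belong.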
## References
- **Siemens Security Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-446545[.]html
- **Operational Guidelines for Industrial Security:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories