Full Report
TeleControl Server Basic V3.1 contains a deserialization vulnerability that could allow an unauthenticated attacker to execute arbitrary code on the device. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Remote Code Execution in Siemens TeleControl Server Basic V3.1
## CVE Details
- **CVE ID:** CVE-2024-44102
- **CVSS Score:** 10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- **CWE:** CWE-502: Deserialization of Untrusted Data
## Affected Systems
- **Products:**
  - TeleControl Server Basic V3.1 (Full Versions and Powerpacks)
  - PP TeleControl Server Basic (various capacities: 8 to 5000)
- **Versions:** All versions prior to V3.1.2.1.
- **Configurations:** Systems are specifically vulnerable when **redundancy is configured**.
## Vulnerability Description
The affected application fails to properly validate or restrict user-supplied serialized objects. An unauthenticated remote attacker can send a maliciously crafted serialized object to the server. Because the software deserializes this untrusted data without sufficient security controls, the attacker can trigger the execution of arbitrary code with **SYSTEM privileges**.
## Exploitation
- **Status:** PoC Available (designated as "Proof-of-Concept" in CVSS vector E:P)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Total compromise of information)
- **Integrity:** High (Total modification of system files/data)
- **Availability:** High (Total system shutdown or disruption)
## Remediation
### Patches
Siemens recommends updating affected products to **V3.1.2.1** or a later version.
- **Download Link:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109975921/
### Workarounds
- **Network Segmentation:** Protect network access to devices with appropriate firewalls and VLANs.
- **Operational Guidelines:** Adhere to Siemens’ operational guidelines for Industrial Security to ensure the device operates within a protected IT environment.
- **Access Restrictions:** Limit communication to the TeleControl Server to trusted internal assets only.
## Detection
- **Indicators of Compromise:** Monitor for unusual network traffic on ports associated with TeleControl redundancy synchronization. Look for unexpected processes running with SYSTEM privileges.
- **Detection methods and tools:** Use Intrusion Detection Systems (IDS) with up-to-date signatures for CWE-502 (Insecure Deserialization) patterns, specifically those covering the ports used by Siemens industrial software.
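As an added illustration of the two indicators above (example code, not from the advisory or from Siemens), the script below applies both checks to constructed event lines: SYSTEM-level children of the TeleControl server process that the service never spawns, and connections to the redundancy synchronisation port from a host that is not the configured partner. The service executable name, the port number and the peer address are assumed placeholders.

```python
# Triage of the two detection indicators over constructed sample events.
# Event lines are made up for this example; the executable name, redundancy
# port and peer address are placeholders, not values from the advisory.
from typing import List, Optional

TCS_EXE = "telecontrolserver.exe"      # assumed service executable name
REDUNDANCY_PORT = 50000                # assumed sync port (placeholder)
REDUNDANCY_PEERS = {"10.0.1.12"}       # only the redundancy partner may use it
EXPECTED_CHILDREN = {"conhost.exe"}    # children the service legitimately spawns

# Constructed log: process|user|parent|image|cmdline  and  network|src|dst_port
SAMPLE_LOG = r"""process|SYSTEM|C:\Program Files\Siemens\TCS\telecontrolserver.exe|C:\Windows\System32\conhost.exe|conhost.exe 0x4
process|SYSTEM|C:\Program Files\Siemens\TCS\telecontrolserver.exe|C:\Windows\System32\cmd.exe|cmd.exe /c echo probe
process|SYSTEM|C:\Windows\System32\services.exe|C:\Program Files\Siemens\TCS\telecontrolserver.exe|telecontrolserver.exe
network|10.0.1.12|50000
network|203.0.113.7|50000
network|203.0.113.7|443
"""

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def check_process(user: str, parent: str, image: str, cmdline: str) -> Optional[str]:
    """Code execution inside the service typically surfaces as a SYSTEM process
    whose parent is the TeleControl server and which the service never spawns."""
    if user.upper() == "SYSTEM" and basename(parent) == TCS_EXE \
            and basename(image) not in EXPECTED_CHILDREN:
        return f"PROC {basename(image)} spawned by {TCS_EXE} as SYSTEM: {cmdline}"
    return None

def check_connection(src: str, port: int) -> Optional[str]:
    """Only the configured partner should ever reach the redundancy sync port."""
    if port == REDUNDANCY_PORT and src not in REDUNDANCY_PEERS:
        return f"NET {src} -> :{port} is not the redundancy peer"
    return None

def triage(log: str) -> List[str]:
    alerts = []
    for line in log.splitlines():
        kind, *fields = line.split("|")
        if kind == "process":
            hit = check_process(*fields)
        elif kind == "network":
            hit = check_connection(fields[0], int(fields[1]))
        else:
            continue
        if hit:
            alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

On the constructed log, the expected child (conhost.exe), the legitimate service start and the partner's sync traffic pass, while the cmd.exe child and the sync-port connection from 203.0.113.7 are flagged.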
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-454789[.]html
- **Siemens Industrial Security Resources:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security