Full Report
Palo Alto Networks has published [1] information on vulnerabilities in PAN-OS. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. Siemens has released a new version of Palo Alto Networks Virtual NGFW for RUGGEDCOM APE1808 and recommends updating to the latest version. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks’ upstream security notifications.

[1] https://security.paloaltonetworks.com/
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW (RUGGEDCOM APE1808)
## CVE Details
- **CVE ID:** Primary high-impact CVEs include CVE-2024-3400, CVE-2023-38802, CVE-2025-0127, CVE-2024-5916, CVE-2024-8688, and several others (Total 20+ CVEs).
- **CVSS Score:** 9.8 (Critical) / CVSS v4.0: 8.7
- **CWE:** CWE-78 (OS Command Injection), CWE-20 (Improper Input Validation), among others.
## Affected Systems
- **Products:** Siemens RUGGEDCOM APE1808 (Application Processing Engine).
- **Versions:** All versions running Palo Alto Networks Virtual NGFW (Next-Generation Firewall) before V11.1.2-h3.
- **Configurations:**
  - Systems with BGP routing enabled are specifically susceptible to certain denial-of-service vulnerabilities.
  - Software versions before V11.0.4 are affected by CVE-2025-0127.
## Vulnerability Description
This advisory addresses a collection of vulnerabilities inherited from the upstream Palo Alto Networks PAN-OS software integrated into Siemens RUGGEDCOM hardware. The flaws range from OS Command Injection, which allows unauthenticated attackers to execute arbitrary code with root privileges, to improper neutralization of special elements and vulnerabilities in BGP routing stacks that can result in system crashes or unauthorized access.
## Exploitation
- **Status:** **Exploited in the wild (specifically CVE-2024-3400)**; PoCs available for multiple listed CVEs.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote exploitation is possible for many of the listed CVEs).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- **Palo Alto Networks Virtual NGFW V11.1.2-h3:** Siemens recommends upgrading to this version or later.
- **Action:** Customers should contact Siemens customer support to receive specific patch and update instructions for the APE1808 platform.
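
To triage a fleet against the two version thresholds named in this advisory, the following added example (not Siemens or Palo Alto Networks code) parses Virtual NGFW version strings and flags hosts that are below them. The inventory and host names are constructed, and treating versions as one linear ordering with a missing `-hN` hotfix counted as 0 is an assumption; confirm per-release fixed versions against the upstream advisories.

```python
import re

# Thresholds taken from the advisory text above.
FIXED_ALL = "11.1.2-h3"          # versions before this are in scope of the advisory
FIXED_CVE_2025_0127 = "11.0.4"   # versions before this are affected by CVE-2025-0127

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse 'V11.1.2-h3' into (11, 1, 2, 3); a missing hotfix counts as 0 (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_before(version, threshold):
    """Numeric comparison, so 11.1.10 sorts after 11.1.2-h3 (a string compare would not)."""
    return parse_version(version) < parse_version(threshold)


def triage(inventory):
    """Map each host to a list of findings; an empty list means no action from this check."""
    report = {}
    for host, version in inventory.items():
        try:
            findings = []
            if is_before(version, FIXED_ALL):
                findings.append("upgrade to V11.1.2-h3 or later")
            if is_before(version, FIXED_CVE_2025_0127):
                findings.append("affected by CVE-2025-0127")
        except ValueError:
            # Never report an unparseable version as clean.
            findings = ["version unreadable, check manually"]
        report[host] = findings
    return report


# Constructed inventory: host name -> version string as reported by the device.
SAMPLE = {
    "ape1808-sub-a": "11.1.2-h3",
    "ape1808-sub-b": "V11.1.2",
    "ape1808-sub-c": "11.0.3-h1",
    "ape1808-sub-d": "unknown",
}

if __name__ == "__main__":
    for host, findings in triage(SAMPLE).items():
        print(host, "->", "; ".join(findings) or "at or above fixed version")
```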
### Workarounds
- Consult the upstream Palo Alto Networks security advisories for specific feature-based mitigations (e.g., disabling specific services if not in use).
- Limit access to the management interface to trusted internal networks only.
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative activity, unexplained system reboots (potential DoS), or unauthorized files in the PAN-OS root directory.
- **Detection Methods:**
  - Utilize intrusion prevention system (IPS) signatures provided by Palo Alto Networks for CVE-2024-3400.
  - Review BGP session logs for unexpected resets or malformed updates.
## References
- **Siemens Advisory:** hxxps://cert-portal.siemens.com/productcert/pdf/ssa-455250.pdf
- **Palo Alto Networks Security Advisories:** hxxps://security.paloaltonetworks.com/
- **PAN-W Informational Bulletin:** hxxps://security.paloaltonetworks.com/PAN-SA-2024-0004
- **Siemens ProductCERT:** hxxps://www.siemens.com/cert/advisories