Full Report
QMS Automotive contains a vulnerability that stores user credentials in plaintext within the user database. This could allow an attacker to read credentials from memory. Siemens has released an update for QMS Automotive and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Plaintext Storage of User Credentials in QMS Automotive
## CVE Details
- **CVE ID:** CVE-2022-43958
- **CVSS Score:** 7.6 (High)
- **CWE:** CWE-256: Plaintext Storage of a Password
## Affected Systems
- **Products:** QMS Automotive
- **Versions:** All versions prior to V12.39
- **Configurations:** Systems where the "Enable encryption for user passwords" setting is not activated.
## Vulnerability Description
The QMS Automotive software fails to apply a hashing mechanism to user credentials stored within its database. Because the passwords remain in plaintext, an attacker with access to the database or system memory can read valid credentials. This flaw facilitates unauthorized access and the impersonation of legitimate users within the quality management system.
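The CWE-256 pattern the description refers to, shown as an added illustration (not QMS Automotive code, whose implementation language and schema the advisory does not disclose): a store that keeps the password as typed beside a store that keeps only a salted PBKDF2-HMAC-SHA256 verifier and compares in constant time. The dictionary standing in for the user table, the `pbkdf2_sha256$` encoding and the 600 000 iteration count are assumptions of this example; the point is that after the fix an attacker who reads the table no longer obtains a usable credential.

```python
"""Plaintext credential storage (CWE-256) beside a hashed verifier.

Added example; the in-memory dict stands in for a user table and is not
the product's schema.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- Vulnerable pattern: the row holds the password exactly as entered. ---
def store_plaintext(db: Dict[str, dict], username: str, password: str) -> None:
    db[username] = {"password": password}


def verify_plaintext(db: Dict[str, dict], username: str, password: str) -> bool:
    row = db.get(username)
    return row is not None and row["password"] == password


# --- Hardened pattern: salted, iterated one-way hash; the password itself is never stored. ---
PBKDF2_ITERATIONS = 600_000  # assumed parameter; OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt_hex$dk_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def store_hashed(db: Dict[str, dict], username: str, password: str) -> None:
    db[username] = {"password": hash_password(password)}


def verify_hashed(db: Dict[str, dict], username: str, password: str) -> bool:
    row = db.get(username)
    if row is None:
        return False
    algo, iters, salt_hex, dk_hex = row["password"].split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a timing side channel cannot leak the verifier.
    return hmac.compare_digest(dk.hex(), dk_hex)


def credential_visible_in_storage(db: Dict[str, dict], username: str, password: str) -> bool:
    """The attacker's view from the advisory: dump the row and look for the secret."""
    return password in repr(db[username])


if __name__ == "__main__":
    weak, fixed = {}, {}
    store_plaintext(weak, "inspector01", "Qms!2022")
    store_hashed(fixed, "inspector01", "Qms!2022")
    print("plaintext store leaks password:", credential_visible_in_storage(weak, "inspector01", "Qms!2022"))
    print("hashed store leaks password:", credential_visible_in_storage(fixed, "inspector01", "Qms!2022"))
    print("hashed login still works:", verify_hashed(fixed, "inspector01", "Qms!2022"))
```

Note that the product setting in the advisory is called "encryption for user passwords"; whether it hashes or reversibly encrypts is not stated on this page. For login credentials a one-way, salted, slow hash is the appropriate design: a reversible scheme leaves the plaintext recoverable by anyone who also obtains the key.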
## Exploitation
- **Status:** Proof-of-concept (CVSS temporal metric Exploit Code Maturity: P)
- **Complexity:** Low
- **Attack Vector:** Adjacent (the attacker must be on the same physical or logical network segment as the target)
- **Privileges Required:** Low, with no user interaction; these are the only values that reproduce the 7.6 base score from the other metrics listed on this page
## Impact
- **Confidentiality:** High (Cleartext credentials can be retrieved)
- **Integrity:** High (Attacker can impersonate users and modify quality management data)
- **Availability:** Low (Possible limited disruption through account manipulation)
## Remediation
### Patches
- **QMS Automotive V12.39:** Siemens recommends updating to this version or later.
- *Note: The patch is available upon request from Siemens customer support.*
### Workarounds
- **Manual Configuration:** Enable the "Enable encryption for user passwords" setting; the procedure is documented in the product's user manual under 'Administration'. After enabling it, confirm that stored credentials are no longer readable (see Detection below) rather than assuming the setting applied to existing accounts.
- **Access Control:** Restrict network access to the database and application servers to authorized personnel only, since the attack vector is adjacent network access.
## Detection
- **Indicators of Compromise:** The flaw itself leaves no artefact; look for its exploitation. Review database query logs for unusual reads of the user credential tables, and monitor for logins from unexpected IP addresses or at unusual times.
- **Detection Methods:** Inspect the database schema and contents (specifically the user tables) to verify whether passwords are stored as hashes or in plaintext. A definitive check is to set a known password on a test account and see whether that exact value appears in the table.
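An added example of the table inspection described above (not Siemens tooling; the column names, sample rows and hash-format patterns are assumptions of this example). The heuristic classifier recognises common password-hash encodings, flags bare unsalted digests separately from plaintext, and the second function performs the definitive test: whether a known password for a test account appears verbatim in the stored value.

```python
"""Inspect a user-credential table for plaintext or weakly stored passwords.

Added example with constructed rows; adapt the column names to the real schema.
"""
import re
from typing import Dict, List, Tuple

# Recognisable password-hash encodings (Modular Crypt Format prefixes and
# prefixed PBKDF2 strings). Anything else is treated as suspect.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$")),
    ("scrypt", re.compile(r"^\$(7|scrypt)\$")),
    ("pbkdf2", re.compile(r"^(\$pbkdf2-|pbkdf2_)")),
    ("sha512crypt", re.compile(r"^\$6\$")),
    ("sha256crypt", re.compile(r"^\$5\$")),
    ("md5crypt", re.compile(r"^\$1\$")),
]
# A bare MD5/SHA-1/SHA-256/SHA-512 hex digest: hashed, but unsalted and fast to crack.
UNSALTED_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}|[0-9a-fA-F]{128})$")


def classify_stored_credential(value: str) -> str:
    """Return 'hashed:<scheme>', 'unsalted-digest', 'empty' or 'plaintext'."""
    if not value:
        return "empty"
    for name, pattern in HASH_PATTERNS:
        if pattern.match(value):
            return f"hashed:{name}"
    if UNSALTED_DIGEST.match(value):
        return "unsalted-digest"
    return "plaintext"


def scan_user_table(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (username, finding) for every row not stored under a recognised hash scheme."""
    findings = []
    for row in rows:
        kind = classify_stored_credential(row["password"])
        if not kind.startswith("hashed:"):
            findings.append((row["username"], kind))
    return findings


def confirm_plaintext(rows: List[Dict[str, str]], username: str, known_password: str) -> bool:
    """Definitive check: does the known password of a test account appear verbatim in its row?"""
    for row in rows:
        if row["username"] == username:
            return known_password in row["password"]
    return False


# Constructed sample rows, not data from any real installation.
SAMPLE_ROWS = [
    {"username": "inspector01", "password": "Qms!2022"},                                           # plaintext
    {"username": "auditor", "password": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"},  # bcrypt
    {"username": "qa_lead", "password": "5f4dcc3b5aa765d61d8327deb882cf99"},                        # bare MD5
    {"username": "svc_report", "password": ""},                                                    # empty
]

if __name__ == "__main__":
    for user, finding in scan_user_table(SAMPLE_ROWS):
        print(f"{user}: {finding}")
    print("test account confirmed plaintext:", confirm_plaintext(SAMPLE_ROWS, "inspector01", "Qms!2022"))
```

The pattern check is a heuristic: an unrecognised encoding (for example a base64 digest without a scheme prefix) is reported as plaintext and must be confirmed with `confirm_plaintext` on a test account before raising a finding. Run the scan again after applying V12.39 or enabling the password-encryption setting to verify that existing accounts were converted, not only new ones.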
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-587547[.]pdf
- **Siemens Operational Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Siemens Industrial Security:** hxxps://www[.]siemens[.]com/industrialsecurity