Full Report
Nozomi Networks has published information on vulnerabilities in Nozomi Guardian/CMC before V22.6.2. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. Siemens is preparing updates and recommends specific countermeasures for products where updates are not available, or not yet available. Customers are advised to consult and implement the workarounds provided in Nozomi Networks' upstream security notifications.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Nozomi Guardian/CMC before V22.6.2 Affecting RUGGEDCOM APE1808
## CVE Details
This advisory groups multiple vulnerabilities. The highest-scoring one detailed is:
- CVE ID: CVE-2023-22378
- CVSS Score: 7.1 (High)
- CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
*(Other CVEs include CVE-2023-22843 (6.4), CVE-2023-23574, CVE-2023-23903, CVE-2023-24015, CVE-2023-24471 (6.5), and CVE-2023-24477 (5.0))*
## Affected Systems
- Products: RUGGEDCOM APE1808 (running Nozomi Guardian / CMC)
- Versions: All versions using Nozomi Guardian / CMC **before V22.6.2**
- Configurations: Vulnerabilities generally require authentication or administrative access, though some are exploitable by unauthenticated/low-privileged users depending on the specific CVE.
## Vulnerability Description
The advisory aggregates several vulnerabilities disclosed by Nozomi Networks. Key technical details include:
- **CVE-2023-22378 (SQLi):** A blind SQL Injection vulnerability due to improper input validation in the sorting parameter, allowing an authenticated attacker to execute arbitrary SQL queries against the database.
- **CVE-2023-22843 (XSS):** An authenticated attacker with administrative access can inject malicious JavaScript into Threat Intelligence rule definitions (Yara rules) or limited HTML into packet/STYX rules, leading to Cross-Site Scripting (XSS) when other users view the rule details.
- **CVE-2023-24471 (Access Control):** An access control bypass flaw where restrictions on queries are not enforced in the debug functionality, allowing authenticated users with reduced visibility to obtain unauthorized data.
- **CVE-2023-24477 (Session Invalidation):** In certain timing conditions, session invalidation upon logout may be incomplete when using the Chrome browser, potentially allowing a local attacker to gain access to the original user's session.
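As an added illustration of the defect class behind CVE-2023-22378 (CWE-89 in a sorting parameter), and not code from Nozomi Guardian/CMC, whose internals the advisory does not describe: a sort value pasted into `ORDER BY` cannot be protected by bound parameters, because SQL placeholders only carry values, never column names. The hardened variant below therefore checks the sort value against a fixed allow-list before any SQL is assembled. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample schema for the example; not Nozomi Guardian's database.
SETUP_SQL = """
CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT, ip TEXT);
INSERT INTO assets (name, ip) VALUES
    ('plc-1', '10.0.0.2'), ('hmi-1', '10.0.0.3'), ('eng-ws', '10.0.0.4');
"""

# Columns and directions a client may sort on (an assumption for this example).
ALLOWED_SORT_COLUMNS = {"id", "name", "ip"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def unsafe_sort_sql(sort_param: str) -> str:
    # Vulnerable pattern (CWE-89): the client-controlled sort value is pasted
    # straight into the statement. Whatever the client sends reaches the
    # database engine verbatim, which is what makes blind injection possible.
    return f"SELECT name, ip FROM assets ORDER BY {sort_param}"


def safe_sort_sql(sort_param: str) -> str:
    # Hardened pattern: accept "column" or "column.direction", and only when
    # both parts come from the allow-list. Anything else is rejected before a
    # single byte of SQL is built, so no client text ever reaches ORDER BY.
    column, _, direction = sort_param.partition(".")
    direction = direction or "asc"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected sort parameter: {sort_param!r}")
    return f"SELECT name, ip FROM assets ORDER BY {column} {direction.upper()}"


def sorted_names(sort_param: str) -> list[str]:
    # Run the hardened query against the sample table and return asset names in order.
    conn = open_sample_db()
    try:
        return [row[0] for row in conn.execute(safe_sort_sql(sort_param))]
    finally:
        conn.close()


def is_rejected(sort_param: str) -> bool:
    # True when the allow-list check refuses the value.
    try:
        safe_sort_sql(sort_param)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(sorted_names("name"))          # allowed
    print(is_rejected("name;--"))        # rejected by the allow-list
    print(unsafe_sort_sql("name;--"))    # the vulnerable builder passes it through
```

The allow-list is the whole fix: the safe builder still uses string formatting, but only ever formats identifiers it chose itself. Rejecting on `ValueError` (rather than silently falling back to a default column) also gives the application a clean place to log the refused value, which feeds the detection approach the advisory recommends.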
## Exploitation
- Status: **PoC available** (indicated by E:P in the CVSS temporal metrics for several CVEs, meaning proof-of-concept exploit code exists)
- Complexity: Varies (Low to Medium: several issues require authentication or privilege, although vectors such as SQLi and XSS are generally high-impact once reachable).
- Attack Vector: Primarily Network (AV:N) for most issues, though the incomplete session invalidation issue (CVE-2023-24477) requires user interaction (UI:R).
## Impact
Impact severity varies by CVE:
- **Confidentiality:** High (e.g., unauthorized information extraction via SQLi/Access Control bypass)
- **Integrity:** High (e.g., unauthorized actions performed by victims via XSS)
- **Availability:** Low to Medium (e.g., potential denial of service related to report loading failure in CVE-2023-23903)
## Remediation
### Patches
- **Upgrade Nozomi Guardian / CMC to V23.4.1.**
- Customers are advised to contact customer support to receive patch and update information for the RUGGEDCOM APE1808 specifics.
### Workarounds
Temporary mitigations provided by Siemens include:
1. Use internal firewall features to limit access to the web management interface.
2. Adopt best practices that include closing the browser completely after a logout.
3. Customers must consult Nozomi Networks' upstream security notifications for other product-specific recommendations.
## Detection
- **Indicators of Compromise:** Not explicitly detailed in this advisory. Detection relies on monitoring for unusual database queries/traffic patterns targeting the application backend (for SQLi) or unauthorized script executions within the web application context (for XSS).
- **Detection methods and tools:** Customers are advised to follow general security guidelines and consult Siemens/Nozomi documentation for specific threat signatures once patches are released.
## References
- Vendor advisories: Nozomi Networks security notifications (defanged link below)
- Relevant links (defanged):
  - Siemens Advisory SSA-647455: hxxps://cert-portal.siemens.com/productcert/html/ssa-647455.html
  - Nozomi Upstream Alerts: hxxps://security.nozominetworks.com/alerts/