Full Report
COMOS before V10.5 is affected by two local code execution vulnerabilities in the integrated Open Design Alliance Drawings SDK. Siemens has released a new version for COMOS and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Local Code Execution in Siemens COMOS via ODA Drawings SDK
## CVE Details
- CVE ID: CVE-2023-5180 and CVE-2023-26495 (two independent vulnerabilities in the same SDK)
- CVSS Score: 7.8 (High) for both CVEs, per the vector given in the advisory
- CWE: CWE-787 (Out-of-bounds Write) for CVE-2023-5180; CWE-416 (Use After Free) for CVE-2023-26495
## Affected Systems
- Products: Siemens COMOS
- Versions: All versions prior to V10.5
- Configurations: Any installation that opens a specially crafted design file with the integrated SDK: a DGN file for CVE-2023-5180, a DWG file for CVE-2023-26495.
## Vulnerability Description
Two local code execution vulnerabilities stem from the integrated Open Design Alliance (ODA) Drawings SDK within COMOS:
1. **CVE-2023-5180 (Out-of-bounds Write):** Triggered when parsing a crafted DGN file. The parser trusts a corrupted value for the number of sectors used by the FAT structure of the file, and the resulting miscalculated size yields an out-of-bounds write primitive.
2. **CVE-2023-26495 (Use-After-Free):** Triggered while parsing a specially crafted DWG file. On its own the dangling-pointer use is a memory-safety fault; combined with other flaws (for example an information leak to defeat address randomization) it could be leveraged to achieve arbitrary code execution.
Both vulnerabilities allow an attacker to execute code in the context of the current process, i.e. with the privileges of the user running COMOS.
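The CVE-2023-5180 description above names the trigger: a count of FAT sectors that the parser believes and uses to size its work. The checker below is an added example, not code from Siemens, the ODA or the advisory. It assumes that the "Fat structure" is the FAT of the OLE2 compound-file (MS-CFB structured storage) container that DGN V8 files are built on, and it shows the validation a hardened parser needs before allocating from that count: the count, the DIFAT entries and the sector size must all be consistent with the actual file length. The builder and the patched image are constructed test data, not real DGN files; it can also be used as a pre-screen for design files arriving from outside the organisation.

```python
import struct

# MS-CFB (OLE2 structured storage) header layout. Assumption: DGN V8 containers use this
# format and the advisory's "Fat structure" is this FAT.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_SIZE = 512
DIFAT_HEADER_ENTRIES = 109
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE
FAT_COUNT_OFFSET = 44  # little-endian uint32 "number of FAT sectors"


def check_fat_consistency(data):
    """Return a list of header inconsistencies. An empty list means the FAT-related
    fields agree with the file length and may be used to size allocations."""
    if len(data) < HEADER_SIZE:
        return ["file shorter than the 512-byte compound-file header"]
    if data[:8] != CFB_MAGIC:
        return ["bad compound-file signature"]
    major, byte_order, sector_shift, _mini_shift = struct.unpack_from("<HHHH", data, 26)
    problems = []
    if byte_order != 0xFFFE:
        problems.append("unexpected byte-order mark 0x%04X" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        problems.append("unsupported version/sector shift %d/%d" % (major, sector_shift))
        return problems
    sector_size = 1 << sector_shift
    (_n_dir, n_fat, _first_dir, _tx, _cutoff, _first_mini, _n_mini,
     first_difat, n_difat) = struct.unpack_from("<9I", data, 40)
    # Sectors are numbered from the end of the header; round up for a truncated last sector.
    sectors_in_file = (len(data) - HEADER_SIZE + sector_size - 1) // sector_size
    if n_fat > sectors_in_file:
        # The corrupted-count case: a parser that allocates n_fat * sector_size bytes, or
        # walks n_fat DIFAT entries, without this check reads and writes past its buffers.
        problems.append("FAT sector count %d exceeds the %d sectors present in the file"
                        % (n_fat, sectors_in_file))
        return problems
    entries_per_fat = sector_size // 4
    if n_fat * entries_per_fat < sectors_in_file:
        problems.append("FAT too small: %d FAT sectors map %d sectors, file has %d"
                        % (n_fat, n_fat * entries_per_fat, sectors_in_file))
    difat = struct.unpack_from("<%dI" % DIFAT_HEADER_ENTRIES, data, 76)
    for i, sect in enumerate(difat):
        if i < n_fat and sect >= sectors_in_file:
            problems.append("DIFAT[%d] points at sector %d outside the file" % (i, sect))
        elif i >= n_fat and sect != FREESECT:
            problems.append("DIFAT[%d] should be FREESECT but is 0x%08X" % (i, sect))
    if n_fat > DIFAT_HEADER_ENTRIES:
        if n_difat == 0 or first_difat >= sectors_in_file:
            problems.append("FAT needs DIFAT sectors but the DIFAT chain is missing or out of range")
    elif n_difat != 0 or first_difat != ENDOFCHAIN:
        problems.append("DIFAT sector fields set although the 109 header entries suffice")
    return problems


def build_minimal_cfb(n_fat_sectors, n_data_sectors, sector_shift=9):
    """Construct a minimal, self-consistent compound-file image (constructed test data,
    not a real DGN): a valid header followed by zero-filled sectors."""
    if not 0 <= n_fat_sectors <= DIFAT_HEADER_ENTRIES:
        raise ValueError("builder only supports FAT counts that fit the header DIFAT")
    sector_size = 1 << sector_shift
    major = 3 if sector_shift == 9 else 4
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = CFB_MAGIC
    # minor version, major version, byte order, sector shift, mini sector shift
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, major, 0xFFFE, sector_shift, 6)
    # dir sector count, FAT sector count, first dir sector (right after the FAT sectors),
    # transaction signature, mini stream cutoff, first mini FAT sector, mini FAT count,
    # first DIFAT sector, DIFAT sector count
    struct.pack_into("<9I", hdr, 40, 0, n_fat_sectors, n_fat_sectors, 0, 0x1000,
                     ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = [i if i < n_fat_sectors else FREESECT for i in range(DIFAT_HEADER_ENTRIES)]
    struct.pack_into("<%dI" % DIFAT_HEADER_ENTRIES, hdr, 76, *difat)
    return bytes(hdr) + bytes(sector_size * (n_fat_sectors + n_data_sectors))


def set_fat_sector_count(image, value):
    """Patch the FAT sector count field, as a crafted file would."""
    patched = bytearray(image)
    struct.pack_into("<I", patched, FAT_COUNT_OFFSET, value)
    return bytes(patched)


if __name__ == "__main__":
    good = build_minimal_cfb(1, 3)
    print("consistent image:", check_fat_consistency(good) or "no problems")
    crafted = set_fat_sector_count(good, 0x7FFFFFFF)
    print("crafted image:   ", check_fat_consistency(crafted))
```

The check stops at the first fatal inconsistency because every later field derived from the FAT count is untrustworthy once the count is wrong; a parser should reject the file at that point rather than clamp the value and continue, since clamping silently changes which sectors later offsets refer to.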
## Exploitation
- Status: The advisory does not report exploitation in the wild. Both flaws are memory-corruption primitives in a file parser, the class most often turned into working exploits, so treat them as exploitable.
- Complexity: Low (AC:L in the published CVSS vector)
- Attack Vector: Local (AV:L). The attacker must get a crafted DGN or DWG file opened by COMOS on the target system, typically by delivering it to a user (e-mail, shared drive, data exchange with a supplier).
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
## Remediation
### Patches
- **Update to COMOS V10.5 or later.** Download: https://support.sw.siemens.com/product/222981661/
### Workarounds
- Ensure all files imported into the affected product originate only from a trusted source.
- Ensure files are transmitted over secure channels.
- Enforce general security measures, including protecting network access to devices according to Siemens' operational guidelines for Industrial Security.
## Detection
- The advisory lists no detection method; its guidance is preventive (trusted sources, secure transport of files).
- Practical indicators: COMOS crashing (access violations) while opening DGN or DWG files that came from outside the organisation, and unexpected child processes such as shells or script interpreters spawned by the COMOS process after a design file is opened. Process-creation logging that records the parent process (Sysmon Event ID 1 or Windows Security event 4688) is the telemetry needed to see the latter.
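The indicator above, unexpected child processes spawned by COMOS, can be turned into a simple rule. The script below is an added example, not part of the advisory or of any Siemens tooling: it runs over constructed Sysmon-style process-creation events (Event ID 1, JSON lines) and flags interpreters and living-off-the-land binaries whose parent is the COMOS process. The COMOS image name (Comos.exe), the field names and the sample events are assumptions; check them against your own installation and log schema.

```python
import json
import ntpath

# Assumed image name of the COMOS process (hypothetical; confirm against your installation).
COMOS_IMAGES = {"comos.exe"}
# Interpreters and living-off-the-land binaries an engineering application has no reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
DESIGN_FILE_EXTENSIONS = (".dgn", ".dwg")

# Constructed Sysmon-style process-creation events (Event ID 1), not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2024-08-14 09:12:03", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Program Files\\Siemens\\COMOS\\Comos.exe", "ParentCommandLine": "Comos.exe C:\\Users\\eng\\Downloads\\plant_layout.dgn"}
{"EventID": 1, "UtcTime": "2024-08-14 09:13:10", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File backup.ps1", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"}
{"EventID": 1, "UtcTime": "2024-08-14 09:15:44", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe readme.txt", "ParentImage": "C:\\Program Files\\Siemens\\COMOS\\Comos.exe", "ParentCommandLine": "Comos.exe"}
{"EventID": 3, "UtcTime": "2024-08-14 09:16:02", "Image": "C:\\Program Files\\Siemens\\COMOS\\Comos.exe", "DestinationIp": "10.0.0.5"}
{"EventID": 1, "UtcTime": "2024-08-14 09:18:27", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\eng\\AppData\\Local\\Temp\\x.dll,Run", "ParentImage": "C:\\Program Files\\Siemens\\COMOS\\Comos.exe", "ParentCommandLine": "Comos.exe"}
"""


def _base(path):
    return ntpath.basename(path).lower()


def find_suspicious_spawns(events):
    """Flag process-creation events where COMOS spawned an interpreter or LOLBin.
    Severity is raised when COMOS was itself launched with a DGN/DWG file argument,
    i.e. the spawn happened in the design-file-processing context the advisory describes."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent, child = _base(ev.get("ParentImage", "")), _base(ev.get("Image", ""))
        if parent not in COMOS_IMAGES or child not in SUSPICIOUS_CHILDREN:
            continue
        parent_cmd = ev.get("ParentCommandLine", "").lower()
        opened_design_file = any(ext in parent_cmd for ext in DESIGN_FILE_EXTENSIONS)
        alerts.append({
            "time": ev.get("UtcTime"),
            "parent": parent,
            "child": child,
            "child_cmdline": ev.get("CommandLine", ""),
            "severity": "high" if opened_design_file else "medium",
        })
    return alerts


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan_sample():
    return find_suspicious_spawns(parse_jsonl(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in scan_sample():
        print("%(time)s %(severity)-6s %(parent)s -> %(child)s : %(child_cmdline)s" % alert)
```

The parent command line only reveals the design file when COMOS was started by double-clicking it; a file opened from within an already running COMOS session leaves no trace there, so in that case every flagged spawn stays at medium unless you correlate it with file-access telemetry for .dgn/.dwg paths in the minutes before the spawn.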
## References
- Siemens Advisory: SSA-659443 (Publication Date: 2024-08-13)
- General Siemens Industrial Security Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- Siemens ProductCERT Advisories: hxxps://www.siemens.com/cert/advisories