Full Report
COMOS is affected by two vulnerabilities that could allow an attacker to execute arbitrary code or lead to data infiltration. Siemens has released a new version of COMOS and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Two Vulnerabilities in Siemens COMOS (Arbitrary Code Execution and Data Infiltration)
## CVE Details
Siemens COMOS is affected by two distinct vulnerabilities:
| CVE ID | CVSS v3.1 Base Score | Severity | CWE | Description Focus |
| :--- | :--- | :--- | :--- | :--- |
| **CVE-2023-45133** | 9.3 | Critical | CWE-184 (Incomplete List of Disallowed Inputs) | Arbitrary code execution during compilation when Babel's `@babel/traverse` (bundled with COMOS Web) compiles attacker-crafted code with a plugin that calls `path.evaluate()` or `path.evaluateTruthy()`. |
| **CVE-2024-0056** | 8.7 | High | CWE-319 (Cleartext Transmission of Sensitive Information) | Security feature bypass in `Microsoft.Data.SqlClient` / `System.Data.SqlClient` (used by COMOS Snapshots): an attacker in a man-in-the-middle position can read or modify SQL traffic that should be TLS-protected, which Siemens summarizes as data infiltration. |
## Affected Systems
- **Product:** Siemens COMOS; each CVE applies to a different component bundled with the product.
- **Versions:** All versions **prior to V10.4.5**.
- **CVE-2023-45133:** installations that deploy the COMOS Web component (which bundles `@babel/traverse`).
- **CVE-2024-0056:** installations that use the COMOS Snapshots component (which uses the `Microsoft.Data.SqlClient` / `System.Data.SqlClient` data provider).
## Vulnerability Description
The advisory covers two independent flaws in third-party components shipped with COMOS:
1. **CVE-2023-45133 (Arbitrary Code Execution):** Babel's `@babel/traverse` (versions before 7.23.2 and 8.0.0-alpha.4, plus every version of the legacy `babel-traverse` package) can execute arbitrary code at compile time when it compiles attacker-crafted source using a plugin that relies on the internal `path.evaluate()` or `path.evaluateTruthy()` methods. COMOS Web bundles this component, so the risk exists wherever COMOS Web passes externally supplied code into a Babel compilation step; the advisory does not describe which input path does so.
2. **CVE-2024-0056 (Data Infiltration Risk):** A security feature bypass in the SQL data provider components `Microsoft.Data.SqlClient` and `System.Data.SqlClient`, used by COMOS Snapshots. Per Microsoft's description, an attacker in a man-in-the-middle position between the client and SQL Server can decrypt and read or modify traffic that should be TLS-protected, hence the CWE-319 classification; Siemens summarizes the outcome as data infiltration.
## Exploitation
- **Status:** The advisory does not state whether either vulnerability is exploited in the wild, and this summary cites no public proof of concept. The underlying Babel and SqlClient issues and their fixes are public, so the weaknesses should be treated as known to attackers.
- **Complexity (CVE-2023-45133):** Low once an attacker can submit crafted code that COMOS Web hands to Babel; the precondition is reaching that compilation step.
- **Complexity (CVE-2024-0056):** High. The attacker must be positioned on the network path between COMOS Snapshots and its SQL Server and able to interfere with that connection.
- **Attack Vector:** For CVE-2023-45133 the vector is network or local depending on how COMOS Web exposes the code compilation step. For CVE-2024-0056 it is the network segment between the COMOS Snapshots client and the database server.
## Impact
- **Confidentiality:** High. CVE-2024-0056 exposes SQL traffic between COMOS Snapshots and the database to an on-path attacker, and CVE-2023-45133 gives code execution on the COMOS Web host.
- **Integrity:** High. Code execution (CVE-2023-45133) and modification of intercepted SQL traffic (CVE-2024-0056) both allow tampering.
- **Availability:** High. Arbitrary code execution on the COMOS Web host can be used to disrupt or deny the service.
## Remediation
### Patches
- **All Affected Versions:** Update to **COMOS V10.4.5 or later**.
### Workarounds
- Beyond the update, the advisory points to Siemens' **General Security Recommendations**, which apply until V10.4.5 is installed:
- Protect network access to devices with appropriate mechanisms.
- Configure the environment according to Siemens' operational guidelines for industrial security.
- Follow the recommendations in the product manuals.
## Detection
- **Indicators of Compromise:** None are provided. The practical first check is inventory: confirm whether the installed COMOS version is below V10.4.5 and whether the COMOS Web or Snapshots component is deployed, then locate the bundled `@babel/traverse` / `babel-traverse` and `Microsoft.Data.SqlClient` / `System.Data.SqlClient` copies and record their versions.
- **Detection methods and tools:** For CVE-2023-45133, identify and log any server-side path in COMOS Web that compiles externally supplied code, and review those logs for unexpected inputs. For CVE-2024-0056, check whether the connections from COMOS Snapshots to SQL Server are encrypted and whether server certificate validation is enforced, and watch that network path for unexpected intermediaries or unencrypted sessions, since the bypass requires an attacker on the path.
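The inventory check described above is easier to run as a script. The following is an added example, not Siemens or COMOS code: it walks a directory tree and flags vulnerable copies of the two components named in the advisory, `@babel/traverse` and legacy `babel-traverse` via their `package.json` files (using the fixed versions from the CVE-2023-45133 description: 7.23.2, 8.0.0-alpha.4, and every version of the legacy package), and the two SqlClient packages via the `libraries` map of .NET `*.deps.json` files. The SqlClient fixed-version floors in `SQLCLIENT_FIXED` and the directory layout written by `build_sample_tree` are assumptions of this example (the advisory gives neither); confirm the floors against Microsoft's CVE-2024-0056 entry before relying on them. The sample tree scanned when the script runs without an argument is constructed inline.

```python
"""Added example (not Siemens code): walk a directory tree and flag vulnerable
copies of the two components named in SSA-682326, i.e. @babel/traverse and legacy
babel-traverse (CVE-2023-45133) and the two SqlClient packages (CVE-2024-0056)."""
import json, os, re, sys, tempfile
from typing import List, Optional, Tuple

# Babel floors come from the CVE-2023-45133 description: fixed in 7.23.2 and
# 8.0.0-alpha.4; every version of the legacy babel-traverse package is affected.
BABEL_7_FIXED, BABEL_8_FIXED = "7.23.2", "8.0.0-alpha.4"
# ASSUMPTION of this example: SqlClient floors per major line. The Siemens advisory
# gives none; confirm against Microsoft's CVE-2024-0056 entry before relying on them.
SQLCLIENT_FIXED = {
    "Microsoft.Data.SqlClient": {2: "2.1.7", 3: "3.1.5", 4: "4.0.5", 5: "5.1.3"},
    "System.Data.SqlClient": {4: "4.8.6"},
}
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Tuple]:
    """Semver sort key: a release (core, (0,)) sorts after its pre-releases
    (core, (-1, ids...)); numeric ids compare as ints, so alpha.10 > alpha.4."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if m.group(4) is None:
        return core, (0,)
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in m.group(4).split("."))
    return core, (-1,) + ids


def check_package(name: str, version: str) -> Optional[str]:
    """Return a finding string if (name, version) falls in a vulnerable range."""
    if name == "babel-traverse":
        return f"CVE-2023-45133: babel-traverse {version} (all versions affected)"
    if name == "@babel/traverse":
        cve = "CVE-2023-45133"
        floor_for = lambda major: BABEL_8_FIXED if major >= 8 else BABEL_7_FIXED
    elif name in SQLCLIENT_FIXED:
        cve, floor_for = "CVE-2024-0056", SQLCLIENT_FIXED[name].get
    else:
        return None  # not a component this advisory covers
    try:
        found = parse_version(version)
    except ValueError:
        return f"{cve}: {name} {version!r} (unparseable version; review manually)"
    floor = floor_for(found[0][0])
    if floor is None:
        return f"{cve}: {name} {version} (no floor known for this line; review manually)"
    return f"{cve}: {name} {version} < {floor}" if found < parse_version(floor) else None


def _load_json(path: str) -> dict:
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def scan(root: str) -> List[Tuple[str, str]]:
    """Collect (file path, finding) pairs from package.json and *.deps.json files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == "package.json":
                pkg = _load_json(path)
                candidates = [(pkg.get("name"), pkg.get("version"))]
            elif fname.endswith(".deps.json"):
                # .deps.json keys its "libraries" map as "PackageName/Version"
                libs = _load_json(path).get("libraries")
                candidates = [k.partition("/")[::2] for k in (libs if isinstance(libs, dict) else {})]
            else:
                continue
            for name, version in candidates:
                if isinstance(name, str) and isinstance(version, str):
                    hit = check_package(name, version)
                    if hit:
                        findings.append((path, hit))
    return findings


def build_sample_tree(root: str) -> None:
    """Write a CONSTRUCTED sample layout (hypothetical paths, not a real COMOS tree)."""
    samples = {
        "web/node_modules/@babel/traverse/package.json": {"name": "@babel/traverse", "version": "7.22.5"},
        "web/node_modules/babel-traverse/package.json": {"name": "babel-traverse", "version": "6.26.0"},
        "web/node_modules/@babel/core/package.json": {"name": "@babel/core", "version": "7.22.5"},
        "snapshots/Snapshots.deps.json": {"libraries": {"Microsoft.Data.SqlClient/5.1.1": {}, "System.Data.SqlClient/4.8.6": {}}},
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(content, fh)


def demo() -> List[str]:
    """Scan the constructed sample tree in a temporary directory; return sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(finding for _path, finding in scan(root))


if __name__ == "__main__":  # usage: python check_comos_components.py <install root>; no argument = dry run
    print("\n".join(f"{p}: {f}" for p, f in scan(sys.argv[1])) if len(sys.argv) > 1 else "\n".join(demo()))
```

Point the script at the root of a COMOS installation (or any extracted copy of it) and review every line it prints; a version it cannot parse or a major line with no known floor is reported for manual review rather than silently passed. The comparison follows semver precedence, so an `8.0.0-alpha.3` pre-release is flagged while `8.0.0-alpha.10` is not.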
## References
- Siemens Security Advisory SSA-682326
- Siemens Industrial Security Portal: hXXps://www.siemens.com/industrialsecurity
- Siemens General Security Recommendations: hXXps://www.siemens.com/cert/operational-guidelines-industrial-security
- COMOS Product Support Portal (for updates): hXXps://support.sw.siemens.com/product/222981661/