Full Report
COMOS is affected by XXE injection vulnerabilities that could allow an attacker to extract arbitrary application files. Siemens has released new versions for several affected products and recommends updating to the latest versions. For products where fixes are not, or not yet, available, Siemens recommends specific countermeasures.
Analysis Summary
# Vulnerability: XXE Injection in Siemens COMOS
## CVE Details
* **CVE ID:** CVE-2024-49704, CVE-2024-54005
* **CVSS Score:**
  * CVE-2024-49704: 5.5 (Medium) / CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  * CVE-2024-54005: 5.1 (Medium) / CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* **CWE:** CWE-611 (Improper Restriction of XML External Entity Reference)
## Affected Systems
* **Products:** Siemens COMOS (Unified data platform for plant design/management)
* **Versions:**
  * **COMOS V10.3:** All versions < V10.3.3.5.8
  * **COMOS V10.4.0, V10.4.1, V10.4.2:** All versions
  * **COMOS V10.4.3:** All versions < V10.4.3.0.47
  * **COMOS V10.4.4:** All versions < V10.4.4.2
  * **COMOS V10.4.4.1:** All versions < V10.4.4.1.21
* **Configurations:** Specifically affects the Generic Data Mapper, Engineering Adapter, Engineering Interface, and PDMS/E3D Engineering Interface components.
## Vulnerability Description
COMOS components improperly handle XML External Entity (XXE) entries when parsing configuration files or communicating with external applications.
* **CVE-2024-49704:** Occurs during the parsing of configuration and mapping files.
* **CVE-2024-54005:** Occurs in the PDMS/E3D Engineering Interface during communication with external applications via an insecure channel.
## Exploitation
* **Status:** No known exploitation; the advisory mentions no public PoC.
* **Complexity:**
  * CVE-2024-49704: Low (requires user interaction to open a malicious file).
  * CVE-2024-54005: Medium/High (requires injecting data into the communication channel).
* **Attack Vector:** Local (Attacker requires the ability to place a file on the system or influence data streams reaching the local application).
## Impact
* **Confidentiality:** High (Attackers can extract arbitrary files from the user's system or accessible network folders).
* **Integrity:** None
* **Availability:** None
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
* **V10.3:** Update to V10.3.3.5.8 (Available via customer support request)
* **V10.4.3:** Update to V10.4.3.0.47 (Available via customer support request)
* **V10.4.4:** Update to V10.4.4.2 (Available via Siemens Support Portal)
* **V10.4.4.1:** Update to V10.4.4.1.21 (Available via Siemens Support Portal)
*Note: For versions V10.4.0, V10.4.1, and V10.4.2, no fixes are currently planned.*
### Workarounds
* Limit the use of configuration/mapping files to those from trusted sources.
* Apply general security hygiene for local systems (least privilege, restricted folder access).
* Follow the specific countermeasures provided in the Siemens "Workarounds and Mitigations" section of the advisory (standard ICS security practices).
## Detection
* **Indicators:** Unusually formed XML files (carrying a `<!DOCTYPE` with `<!ENTITY` declarations) in project directories or mapping configurations.
* **Methods:** Monitor file system activity for unauthorized access to sensitive application files by the COMOS process.
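As an added illustration of the weakness described under Vulnerability Description and of the file indicator listed above (example code written for this summary, not Siemens code), the following Python scans an XML mapping file for the DTD constructs that make CWE-611 possible and refuses to parse any file that carries them. The two sample files are constructed; their element names and the `file:///PLACEHOLDER/...` path are illustrative and do not reflect the real COMOS file format.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample inputs standing in for COMOS mapping/configuration files.
# Element names are illustrative only; the real COMOS format is not on this page.
BENIGN_MAPPING = """<?xml version="1.0"?>
<mapping>
  <field source="TagNumber" target="Name"/>
</mapping>"""

SUSPICIOUS_MAPPING = """<?xml version="1.0"?>
<!DOCTYPE mapping [
  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/app/config.xml">
]>
<mapping>
  <field source="&leak;" target="Name"/>
</mapping>"""

# DTD constructs a plain data-mapping file has no reason to contain.
# An external (SYSTEM/PUBLIC) entity is the construct that lets an XXE
# payload pull a local file into the parsed document (CWE-611).
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE\b"),
    "entity-declaration": re.compile(r"<!ENTITY\b"),
    "external-entity": re.compile(r"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)\b"),
    "parameter-entity": re.compile(r"<!ENTITY\s+%"),
}


def find_xxe_indicators(xml_text: str) -> list[str]:
    """Return the names of the XXE indicators present in the XML text."""
    return [name for name, pat in INDICATORS.items() if pat.search(xml_text)]


def parse_mapping_safely(xml_text: str) -> ET.Element:
    """Parse a mapping file only if it declares no DTD; otherwise refuse it.

    Rejecting any DOCTYPE up front is the simplest hardening: without a DTD
    nothing in the file can define an external or parameter entity.
    """
    found = find_xxe_indicators(xml_text)
    if found:
        raise ValueError(f"refusing to parse XML with XXE indicators: {found}")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_MAPPING), ("suspicious", SUSPICIOUS_MAPPING)):
        print(label, find_xxe_indicators(doc))
```

The same scan can be run over a project directory to surface mapping files that unexpectedly carry a DTD, which is the file-level indicator the Detection section describes.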
## References
* Siemens Security Advisory SSA-701627: hxxps://cert-portal.siemens[.]com/productcert/html/ssa-701627.html
* Siemens ProductCERT Advisories: hxxps://www.siemens[.]com/cert/advisories
* Siemens Support Portal: hxxps://support.sw.siemens[.]com/product/222981661/