Full Report
A Socket.IO vulnerability affects multiple Siemens industrial products. A specially crafted Socket.IO packet triggers an uncaught exception on the Socket.IO server, killing the Node.js process and allowing a remote attacker to cause a Denial-of-Service condition in the affected products. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Socket.IO Denial-of-Service in Siemens Industrial Products
## CVE Details
- **CVE ID:** CVE-2024-38355
- **CVSS Score:**
  - CVSS v3.1: 7.3 (High)
  - CVSS v4.0: 6.9 (Medium)
- **CWE:** CWE-20 (Improper Input Validation)
## Affected Systems
- **AI Model Deployer:** Versions < V1.1
- **Data Flow Monitoring Industrial Edge Device UI (DFM IED UI):** Versions < V0.0.6
- **LiveTwin Industrial Edge App:** Versions < V2.4
- **SIMATIC PCS neo:** V4.1 (Versions < V4.1 Update 2) and V5.0 (Versions < V5.0 Update 1)
- **SIMATIC WinCC Runtime Professional:**
  - V17 (All versions)
  - V18 (Versions < V18 Update 5)
  - V19 (Versions < V19 Update 3)
- **SIMATIC WinCC V7/V8:**
  - V7.4 (All versions with WebRH installed)
  - V7.5 (Versions < V7.5 SP2 Update 18)
  - V8.0 (Versions < V8.0 Update 5)
- **TIA Administrator:** Versions < V3.0.3
## Vulnerability Description
A flaw exists in the Socket.IO open-source framework where a specially crafted packet can trigger an uncaught exception on the server. Because the Socket.IO server runs on Node.js, this uncaught exception causes the entire Node.js process to crash. In the context of Siemens industrial products, this results in a Denial-of-Service (DoS) condition of the affected management or monitoring interface.
## Exploitation
- **Status:** PoC available (Fixed in open-source Socket.IO in May 2023; fix is public). No specific mention of active "in-the-wild" exploitation in the advisory.
- **Complexity:** Low
- **Attack Vector:** Network (Remotely exploitable)
## Impact
- **Confidentiality:** Low
- **Integrity:** Low
- **Availability:** Low (Per CVSS 4.0) to High (Per DoS description/CVSS 3.1)
*Note: While the CVSS vector indicates Low impact across CIA, the technical description confirms the process is killed, leading to a complete loss of availability for the affected service.*
## Remediation
### Patches
Siemens recommends upgrading to the following versions or later:
- **AI Model Deployer:** V1.1
- **DFM IED UI:** V0.0.6
- **LiveTwin Industrial Edge:** V2.4
- **SIMATIC PCS neo:** V4.1 Update 2 / V5.0 Update 1
- **SIMATIC WinCC Runtime Professional:** V18 Update 5 / V19 Update 3
- **SIMATIC WinCC:** V7.5 SP2 Update 18 / V8.0 Update 5
- **TIA Administrator:** V3.0.3
### Workarounds
- **Manual Listener:** For components where users can modify the underlying code, attach a listener for the "error" event to catch exceptions and prevent process crashes.
- **Access Control:** Restrict network access to affected services to trusted users and systems only.
- **Planned Obsolescence:** Note that no fixes are planned for WinCC Runtime Professional V17 or WinCC V7.4; migration to supported versions is advised.
## Detection
- **Indicators of Compromise:** Unexpected crashing or restarting of Node.js processes associated with Siemens web interfaces (e.g., TIA Administrator, WebUX).
- **Detection methods:** Monitor system logs for "Uncaught Exception" errors related to the Socket.IO library.
## References
- **Siemens Advisory:** [https://cert-portal.siemens.com/productcert/pdf/ssa-773256.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-773256.pdf)
- **Siemens ProductCERT:** [https://www.siemens.com/cert/advisories](https://www.siemens.com/cert/advisories)
- **Socket.IO Fix Commit:** [https://github.com/socketio/socket.io/commit/15af22fc22](https://github.com/socketio/socket.io/commit/15af22fc22)