Full Report
Users of Industrial Edge Devices are advised to consult the respective Security Advisories for their devices (for Siemens Industrial Edge devices see Additional Information). Industrial Edge Device Kit contains a weak authentication vulnerability that could allow an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Industrial Edge Device Builders integrate Industrial Edge Device Kit into their offerings within the open Industrial Edge ecosystem. See further details about affected Industrial Edge Devices in the Additional Information section. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Weak Authentication in Industrial Edge Device Kit
## CVE Details
- CVE ID: CVE-2024-54092
- CVSS Score: 9.8 (CVSS v3.1) / 9.3 (CVSS v4.0) (Critical)
- CWE: CWE-1390: Weak Authentication
## Affected Systems
- Products: Industrial Edge Device Kit (arm64 and x86-64)
- Versions:
  - arm64/x86-64 V1.17, V1.18, V1.19 (All versions affected)
  - arm64/x86-64 V1.20 (All versions < V1.20.2-1)
  - arm64/x86-64 V1.21 (All versions < V1.21.1-1)
- Configurations: Exploitation specifically targets systems where **identity federation is used** (or has been previously used).
## Vulnerability Description
Affected devices fail to properly enforce user authentication on specific API endpoints when identity federation is utilized. This flaw allows an unauthenticated remote attacker to circumvent authentication controls and successfully impersonate a legitimate user, provided the attacker already knows the identity of a valid user.
## Exploitation
- Status: Details about exploitation in the wild are not specified, but the high CVSS score suggests high risk.
- Complexity: Low (`AC:L`)
- Attack Vector: Network (`AV:N`)
## Impact
Based on CVSS v3.1 vector (`PR:N/UI:N/S:U/C:H/I:H/A:H`):
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
Siemens has released patches for specific version lines:
- **Industrial Edge Device Kit V1.20 (arm64/x86-64):** Update to V1.20.2-1 or later.
- **Industrial Edge Device Kit V1.21 (arm64/x86-64):** Update to V1.21.1-1 or later.
### Workarounds
For versions where fixes are not planned or not yet available (V1.17, V1.18, V1.19):
- Users must consult the vendor's advisories for specific recommended countermeasures (Section "Workarounds and Mitigations" in the full advisory).
- Users are generally advised to update to newer, patched version lines (e.g., update V1.17 to a patched version line).
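The version ranges and the identity-federation condition above, turned into a triage check for an asset inventory. This is an added example, not code from Siemens or the advisory; the host names and inventory entries are constructed, and it assumes version strings always follow the `V<major>.<minor>.<patch>-<build>` form with numerically ordered parts.

```python
import re

# Fixed release per version line, taken from the advisory text above.
# None means the page lists no fix for that line (V1.17, V1.18, V1.19).
FIXED = {(1, 17): None, (1, 18): None, (1, 19): None,
         (1, 20): (1, 20, 2, 1), (1, 21): (1, 21, 1, 1)}

# Assumption: versions look like "V1.20.2-1"; patch and build are optional.
_VERSION = re.compile(r"^[Vv]?(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text):
    """Parse 'V1.20.2-1' into (1, 20, 2, 1); missing parts count as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def triage(version, federation_ever_used):
    """Return (status, action) for one Industrial Edge Device Kit install."""
    v = parse_version(version)
    line = v[:2]
    if line not in FIXED:
        return ("not-listed", "version line not named here; check SSA-819629")
    fixed = FIXED[line]
    if fixed is not None and v >= fixed:
        return ("patched", "no action")
    # Affected build. The flaw applies where identity federation is used
    # or has been used before, so those hosts are handled first.
    status = "exposed" if federation_ever_used else "affected"
    if fixed is None:
        return (status, "no fix listed; apply vendor countermeasures, "
                        "move to a patched version line")
    return (status, "update to V{}.{}.{}-{} or later".format(*fixed))


# Constructed inventory: (host, installed version, federation used now/before)
INVENTORY = [
    ("edge-a", "V1.19.4-2", True),
    ("edge-b", "V1.20.2-1", True),
    ("edge-c", "V1.21.0-3", False),
    ("edge-d", "V1.20.1-9", True),
]

if __name__ == "__main__":
    for host, version, fed in INVENTORY:
        status, action = triage(version, fed)
        print(f"{host:8} {version:11} {status:10} {action}")
```

Hosts reported as `affected` still run a vulnerable build; they are ranked below `exposed` only because the federation precondition is not recorded for them.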
## Detection
- The advisory does not explicitly list Indicators of Compromise (IOCs).
- Detection should focus on monitoring network traffic to API endpoints leveraged by the Industrial Edge Device Kit for signs of unauthenticated access attempts utilizing known user identities.
## References
- Vendor Advisory: SSA-819629 (https://cert-portal.siemens.com/productcert/html/ssa-819629.html)
- Downstream Siemens Devices Advisory: (https://cert-portal.siemens.com/productcert/html/ssa-634640.html)