Full Report
Palo Alto Networks has published [1] information on vulnerabilities in PAN-OS. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet, available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks’ upstream security notifications.

[1] https://security.paloaltonetworks.com/?version=10.2.2&product=PAN-OS
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808
## CVE Details
The following primary CVEs are associated with this advisory:
- **CVE-2022-0028**: CVSS 8.6 (High) | CWE-406 (Network Amplification)
- **CVE-2024-5911**: CVSS 7.2 (High) | CWE-434 (Unrestricted File Upload)
- **CVE-2023-38046**: CVSS 5.5 (Medium) | CWE-610 (External Resource Reference)
- **CVE-2024-5917**: CVSS 5.3 (Medium) | CWE-918 (SSRF)
- **CVE-2023-0005**: CVSS 4.1 (Medium)
- **Additional IDs**: CVE-2023-0008, CVE-2023-6790, CVE-2023-6791
## Affected Systems
- **Products**: RUGGEDCOM APE1808 (Application Hosting Platform)
- **Versions**: All versions hosting Palo Alto Networks Virtual NGFW (Next-Generation Firewall) before V11.0.1.
- **Configurations**:
  - For CVE-2022-0028: Requires a URL filtering profile with blocked categories assigned to a source zone with an external-facing interface.
  - For CVE-2024-5911/CVE-2023-38046: Requires administrative access/privileges.
## Vulnerability Description
This advisory covers multiple security flaws within the PAN-OS software running on Siemens RUGGEDCOM hardware:
- **Reflected DoS (CVE-2022-0028)**: A misconfiguration in URL filtering allows the firewall to be used as a reflector/amplifier for TCP denial-of-service attacks against third parties.
- **Arbitrary File Upload (CVE-2024-5911)**: Allows a read-write administrator to upload files that can crash the Panorama management interface, potentially forcing it into maintenance mode.
- **SSRF (CVE-2024-5917)**: An unauthenticated attacker can use the web interface as a proxy to scan or view internal network resources.
- **Information Disclosure (CVE-2023-0005/CVE-2023-38046)**: Flaws allowing authenticated users to extract plaintext secrets or API keys, or to read local system files.
## Exploitation
- **Status**: PoC available for several identified CVEs (indicated by "E:P" in CVSS vectors).
- **Complexity**: Low to High (varies by CVE; e.g., High for CVE-2023-0005, Low for CVE-2022-0028).
- **Attack Vector**: Network (most vulnerabilities) and Local (CVE-2023-0005).
## Impact
- **Confidentiality**: High (Exposure of API keys and internal network resources).
- **Integrity**: Low to Moderate (Ability to disrupt system processes).
- **Availability**: High (DoS amplification and system crashes/maintenance mode).
## Remediation
### Patches
- **Upgrade to Palo Alto Networks Virtual NGFW V11.0.1 or later.**
- Customers should contact **Siemens Customer Support** to receive specific patch and update instructions for the RUGGEDCOM APE1808 platform.
### Workarounds
- Implement General Security Recommendations:
  - Protect network access to devices with firewalls and VLANs.
  - Configure the environment according to Siemens' operational guidelines for Industrial Security.
- (CVE-2022-0028): Audit URL filtering profiles to ensure they are not applied to unintended external-facing source zones.
## Detection
- **Indicators of Compromise**: Monitor for unexpected high volumes of outbound TCP traffic (RDoS), unauthorized administrative file uploads, or unusual internal requests originating from the management interface (SSRF).
- **Detection methods**: Review PAN-OS system logs and audit trails for configuration changes or unauthorized file access.
## References
- Siemens Security Advisory: hxxps://cert-portal.siemens[.]com/productcert/html/ssa-822518.html
- Palo Alto Networks Security Advisories: hxxps://security.paloaltonetworks[.]com/?version=10.2.2&product=PAN-OS
- Siemens Industrial Security Guidelines: hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security