Full Report
INTRALOG WMS before V5 is affected by multiple vulnerabilities in the Microsoft .NET implementation as described below. Siemens has released a new version of INTRALOG WMS and recommends updating to the latest version. Please approach your INTRALOG WMS contact to resolve the reported vulnerabilities for your solution. When contacting your Siemens representative, kindly reference the Siemens Security Advisory ID (SSA-901508).
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in INTRALOG WMS (Microsoft .NET Implementation)
## CVE Details
- **CVE ID:** CVE-2024-0056, CVE-2024-20672, CVE-2024-30105, CVE-2024-35264, CVE-2024-38081, CVE-2024-38095, CVE-2024-43483, CVE-2024-43485
- **CVSS Score:** 7.3 - 8.7 (High)
- **CWE:** CWE-319 (Cleartext Transmission), CWE-400 (Uncontrolled Resource Consumption), CWE-416 (Use After Free), CWE-59 (Link Following), CWE-20 (Improper Input Validation), CWE-407 (Inefficient Algorithmic Complexity)
## Affected Systems
- **Products:** Siemens INTRALOG WMS (Warehouse Management Solution)
- **Versions:** All versions prior to V5
- **Configurations:** Systems utilizing vulnerable Microsoft .NET framework components (Data.SqlClient, ASP.NET, etc.) integrated within the INTRALOG WMS environment.
## Vulnerability Description
INTRALOG WMS is affected by multiple inherited vulnerabilities originating from its underlying Microsoft .NET implementation. The flaws fall into four classes:
- **Security Feature Bypass:** Specifically in `Microsoft.Data.SqlClient`, allowing potential interception of sensitive data.
- **Denial of Service (DoS):** Multiple vectors including improper input validation, resource consumption, and inefficient algorithmic complexity in .NET and Visual Studio components.
- **Remote Code Execution (RCE):** A "Use After Free" condition (CVE-2024-35264) that could allow an attacker to execute arbitrary code.
- **Elevation of Privilege (EoP):** Improper link resolution (CVE-2024-38081) allowing local users to gain higher permissions.
## Exploitation
- **Status:** No specific mention of active exploitation in the wild for this product; however, these are known vulnerabilities in widely used .NET components.
- **Complexity:** Ranges from Low to High (CVE-2024-0056 and CVE-2024-35264 require High complexity/specific conditions).
- **Attack Vector:** Primarily Network (Remote), with the exception of CVE-2024-38081, which requires Local access.
## Impact
- **Confidentiality:** High (Due to RCE and Security Feature Bypass)
- **Integrity:** High (Due to RCE and Elevated Privileges)
- **Availability:** High (Due to multiple DoS vulnerabilities)
## Remediation
### Patches
- **Update to INTRALOG WMS V5:** Siemens recommends upgrading to the latest version. Users should contact their Siemens representative referencing **SSA-901508** to facilitate the update.
### Workarounds
- **Network Isolation:** Protect network access to devices with appropriate firewalls and segmentation.
- **Operational Guidelines:** Follow Siemens’ operational guidelines for Industrial Security to harden the IT environment.
## Detection
- **Indicators of Compromise:** Unusual resource spikes (CPU/RAM) indicating DoS attempts; unauthorized file system changes; unexpected network traffic on SQL ports.
- **Detection methods:** Vulnerability scanning of the host environment for outdated .NET Framework/Core binaries; monitoring system logs for crashes related to .NET runtime.
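
The version check described under detection methods, as an added example (not part of the Siemens advisory or of INTRALOG WMS): it parses `dotnet --list-runtimes` output, which covers .NET (Core) runtimes only, and flags runtimes below an operator-supplied baseline. The sample output and the baseline versions are constructed placeholders; take the real minimum versions from the vendor bulletins for the CVEs listed above.

```python
import re

# Constructed output in the format printed by `dotnet --list-runtimes`.
SAMPLE_LIST_RUNTIMES = r"""
Microsoft.AspNetCore.App 6.0.25 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.25 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.0-rc.1.24431.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
"""

# Placeholder baseline: minimum acceptable version per major release line.
# Constructed for this demo, NOT the fixed versions for the CVEs above;
# replace with the values from the vendor bulletins before use.
MIN_PATCHED = {6: (6, 0, 30), 8: (8, 0, 5)}

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-\S+)?\s+\[(?P<path>.+)\]$")

def parse_runtimes(text):
    """Yield (name, (major, minor, patch), is_prerelease, path) per runtime line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ver = tuple(int(p) for p in m.group("ver").split("."))
            yield m.group("name"), ver, m.group("pre") is not None, m.group("path")

def find_outdated(text, baseline=MIN_PATCHED):
    """Return (name, version, reason) for runtimes that need attention."""
    findings = []
    for name, ver, pre, _path in parse_runtimes(text):
        floor = baseline.get(ver[0])
        if floor is None:
            reason = "no baseline for this release line (review manually)"
        elif pre:
            reason = "prerelease build"
        elif ver < floor:  # tuple compare, so 8.0.11 sorts above 8.0.5
            reason = "below baseline " + ".".join(map(str, floor))
        else:
            continue
        findings.append((name, ".".join(map(str, ver)), reason))
    return findings

if __name__ == "__main__":
    for name, ver, reason in find_outdated(SAMPLE_LIST_RUNTIMES):
        print(f"{name} {ver}: {reason}")
```
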
## References
- **Siemens Security Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-901508.html
- **Siemens Industrial Security Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories