Full Report
SiPass integrated is affected by a directory traversal vulnerability in the third-party component DotNetZip. The vulnerability could allow an attacker to execute arbitrary code on the application server if a specially crafted backup set is used for a restore. Siemens has released new versions of SiPass integrated and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Directory Traversal in Siemens SiPass Integrated (DotNetZip)
## CVE Details
- **CVE ID:** CVE-2024-48510
- **CVSS Score:** 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (as scored for the DotNetZip library flaw itself; Siemens rates the SiPass context with a different vector, see the Impact section)
- **CWE:** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
## Affected Systems
- **Products:** Siemens SiPass integrated
- **Versions:**
  - SiPass integrated V2.90: All versions prior to V2.90.3.19
  - SiPass integrated V2.95: All versions prior to V2.95.3.15
- **Configurations:** Systems utilizing the built-in backup/restore functionality.
## Vulnerability Description
The vulnerability exists in the third-party component **DotNetZip** (v1.16.0 and earlier), which SiPass integrated uses for file compression operations. Specifically, the flaw resides in the extraction code in the source file `ZipEntry.Extract.cs`. The name of each entry inside a ZIP archive is attacker-controlled, and the library joins that name to the extraction directory without checking that the resulting path still lies inside it. An entry name containing "dot-dot-slash" (`../` or `..\`) components, or an absolute path, therefore causes the file to be written outside the intended extraction directory. In the context of SiPass, a crafted backup set restored through this code path can overwrite application or system files or drop an executable or script where the server will run it, leading to arbitrary code execution on the application server.
## Exploitation
- **Status:** PoC availability unknown. DotNetZip is an end-of-life third-party library, so the fix is delivered through the SiPass integrated updates listed under Remediation rather than through an upstream library release.
- **Complexity:** Low. Crafting the archive requires nothing more than a ZIP entry whose name contains `..\` or `../` components; no memory corruption or timing condition is involved.
- **Attack Vector:** Network, but not unauthenticated. The restore is performed by an operator through the Configuration Client, so the attacker's contribution is the crafted backup set: it must be placed in front of someone who will restore it (for example by tampering with a stored backup set).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High (per the Siemens advisory vector; the library-level vector listed above rates availability as `A:N`)
- **Note:** Siemens' own assessment in SSA-992434 uses a different vector from the one listed above: it requires high privileges (`PR:H`), because a restore can only be initiated by a privileged user of the Configuration Client, and it sets changed scope (`S:C`), because the flaw in the third-party library compromises the hosting application server rather than the library alone. Both vectors compute to a 9.1 base score, so the severity rating is the same either way.
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **SiPass integrated V2.90:** Update to V2.90.3.19
- **SiPass integrated V2.95:** Update to V2.95.3.15
### Workarounds
- **Trusted Personnel:** Ensure only authorized and trusted personnel are permitted to initiate a system restore via the Configuration Client.
- **File Integrity:** Do not restore backup sets from untrusted or unknown sources. Treat any backup file that has been outside administrative control as untrusted until its contents have been inspected.
- **Network Segmentation:** Protect network access to the affected products with appropriate firewalls and isolation.
## Detection
- **Indicators of compromise:** File writes by the SiPass application process that land outside its restore or data directories, in particular into `C:\Windows\System32`, application binary folders, or web root folders, during or shortly after a restore. New executables, DLLs, or scripts in those locations whose modification time falls inside a restore window are the strongest signal.
- **Detection methods and tools:** Audit SiPass integrated logs for restore operations and correlate each one with the initiating user and the origin of the backup set. Inspect the backup archive itself before restoring: any entry whose name contains `..\` or `../` components, begins with a drive letter or UNC prefix, or is otherwise absolute should fail the restore. Note that by the time a file write reaches Endpoint Detection and Response (EDR) telemetry the `..` components have already been resolved by the filesystem, so an EDR rule should key on the destination path (the SiPass process writing outside its expected directories) rather than on `..\` appearing in the written filename.
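As an added example, not part of the Siemens advisory or the DotNetZip code base, the following Python script shows both sides of the mechanism described in the Vulnerability Description and the pre-restore archive check recommended above: how an entry name such as `..\..\Windows\System32\evil.dll` lands outside the extraction directory when an extractor joins it to the target path without a containment check, and a scan that refuses such an archive before anything is written. It assumes the backup set is a plain ZIP container, which this page does not confirm for SiPass; the archives it scans are constructed in memory, the `naive_target` function models the CWE-22 pattern rather than DotNetZip's exact code, and the entry names are illustrative.

```python
"""Pre-restore check for ZIP-based backup sets (added example, not SiPass or
DotNetZip code). Assumes, unconfirmed by the advisory, that a backup set is a
plain ZIP container. Shows the CWE-22 pattern beside a scan that refuses it."""
import io
import os
import tempfile
import zipfile
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed entry name for the crafted archive; illustrative only.
EVIL_ENTRY = "..\\..\\Windows\\System32\\evil.dll"

def build_backup(entries: Dict[str, bytes]) -> bytes:
    # Return a ZIP archive (bytes) holding the given name -> data map.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def naive_target(extract_dir: str, entry_name: str) -> str:
    """Path an unchecked extractor opens for writing: join the entry name to the
    target directory and let '..' resolve. Models the vulnerable pattern, not
    DotNetZip's code; '\\' is unified with '/' as a Windows extractor honours both."""
    return os.path.normpath(os.path.join(extract_dir, entry_name.replace("\\", "/")))

def escapes(extract_dir: str, entry_name: str) -> bool:
    """True if the naive write would land outside extract_dir."""
    base = os.path.abspath(extract_dir)
    target = os.path.abspath(naive_target(base, entry_name))
    return os.path.commonpath([base, target]) != base

def entry_problem(entry_name: str) -> Optional[str]:
    """Why an entry name is unsafe, or None if it stays under the target. Windows
    path semantics apply on any host since the target is a Windows server."""
    p = PureWindowsPath(entry_name)
    if p.drive:            # C:\x, C:x, \\server\share\x
        return "absolute or drive-relative path"
    if p.root:             # \x, rooted on the current drive
        return "rooted path"
    if ".." in p.parts:    # ..\..\x, also a\..\..\x
        return "parent-directory traversal"
    return None

def scan_backup(archive: bytes) -> List[Tuple[str, str]]:
    """List (entry_name, reason) for every entry that would escape."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            reason = entry_problem(info.filename)
            if reason is not None:
                findings.append((info.filename, reason))
    return findings

def safe_extract(archive: bytes, extract_dir: str) -> List[str]:
    """Restore only if the whole set passes the scan; return files written.
    Refuses everything on the first bad entry and re-checks each resolved path."""
    findings = scan_backup(archive)
    if findings:
        raise ValueError(f"refusing to restore, unsafe entries: {findings!r}")
    base = os.path.realpath(extract_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(
                os.path.join(base, *PureWindowsPath(info.filename).parts))
            if os.path.commonpath([base, target]) != base:
                raise ValueError(f"entry escapes extraction dir: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.relpath(target, base).replace(os.sep, "/"))
    return written

def run_demo() -> dict:
    """Scan a clean and a crafted backup set; restore only the clean one."""
    clean = build_backup({"db/config.xml": b"<config/>", "db/data.bin": b"\x00\x01"})
    crafted = build_backup({"db/config.xml": b"<config/>", EVIL_ENTRY: b"MZ..."})
    with tempfile.TemporaryDirectory() as tmp:
        result = {
            "clean_findings": scan_backup(clean),
            "crafted_findings": scan_backup(crafted),
            "crafted_naive_escapes": escapes(tmp, EVIL_ENTRY),
            "clean_written": safe_extract(clean, tmp),
        }
        try:
            safe_extract(crafted, tmp)
            result["crafted_refused"] = False
        except ValueError:
            result["crafted_refused"] = True
        # Nothing from the crafted set may have landed under tmp.
        result["files_after"] = sorted(
            os.path.relpath(os.path.join(d, f), tmp).replace(os.sep, "/")
            for d, _, files in os.walk(tmp) for f in files)
    return result

if __name__ == "__main__":
    print(run_demo())
```

Running the script prints the scan findings for both archives and confirms that only the clean set was written. The check deliberately rejects rather than normalises: an archive with a single traversal entry fails as a whole, because a backup set that contains one such entry is not a backup set anyone should restore.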
## References
- **Vendor Advisory:** SSA-992434
- **Siemens Advisory URL:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-992434[.]pdf
- **Update V2.90:** hxxps[://]support[.]industry[.]siemens[.]com/cs/ww/en/view/109814044/
- **Update V2.95:** hxxps[://]support[.]industry[.]siemens[.]com/cs/ww/en/view/109827049/