Siemens COMOS Web (Update A)
Plan PatchCVSS 8.8ICS-CERT ICSA-22-013-05Jan 11, 2022
Siemens
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Multiple vulnerabilities in COMOS web components allow code injection (CWE-434), cross-site scripting (CWE-80), SQL injection (CWE-89), unrestricted file uploads (CWE-23), and cross-site request forgery (CWE-352). An attacker with valid engineering credentials can exploit these to inject malicious code, upload arbitrary files, execute database queries, and execute unauthorized commands. Affected versions: COMOS v10.2 (all versions with web enabled), v10.3 (prior to 10.3.3.3), and v10.4 (prior to 10.4.1).
What this means
What could happen
An attacker with engineering credentials could inject malicious code, upload dangerous files, manipulate database queries, or trick an engineer into performing unauthorized actions on COMOS, potentially altering process setpoints, stopping batch operations, or modifying equipment configurations.
Who's at risk
This affects water and electric utilities, chemical plants, and other process manufacturers using Siemens COMOS (an engineering and process management platform) for process design, simulation, and control system configuration. Anyone with COMOS v10.2, v10.3, or v10.4 who has enabled the web components feature should evaluate their version and apply patches or mitigations.
How it could be exploited
An attacker with valid engineering workstation credentials accesses the COMOS web interface. They upload a malicious file to exploit the file upload vulnerability (CVE-2021-37194), inject SQL commands in input fields to extract or modify process data (CWE-89), or craft a link that tricks an authenticated engineer into running unintended operations (CSRF). No special network position is required beyond reaching the web port.
Prerequisites
- Valid COMOS engineering workstation account or credentials
- Network access to the COMOS web interface (typically port 80/443)
- Web components must be enabled in the COMOS installation
remotely exploitablerequires valid credentials (engineering workstation account)low complexity attackaffects engineering workstations and process visibilityno patch available for COMOS v10.2partial patch status for v10.3 (only fixed up to 10.3.3.3)
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (4)
3 with fix1 EOL
ProductAffected VersionsFix Status
COMOS V10.3≥ V10.3.3.3 only if web components are used10.3.3.3
COMOS V10.3<V10.3.3.3 only if web components are used10.3.3.3
COMOS V10.4<V10.4.1 only if web components are used10.4.1
COMOS V10.2All versions only if web components are usedNo fix (EOL)
Remediation & Mitigation
0/7
Do now
0/2COMOS V10.3
WORKAROUNDFor COMOS v10.3 versions prior to 10.3.3.3 affected by CVE-2021-37196 (SQL injection): Make the web server root directory read-only to prevent malicious file storage
COMOS V10.4
WORKAROUNDFor COMOS v10.4.1 and v10.3.3.2.14: Configure the file upload whitelisting feature to allow only safe file types
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
COMOS V10.3
HOTFIXUpdate COMOS v10.3 to version 10.3.3.3 or later
COMOS V10.4
HOTFIXUpdate COMOS v10.4 to version 10.4.1 or later
Mitigations - no patch available
0/3COMOS V10.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGRestrict COMOS web interface access to engineering workstations only; do not expose to the internet or untrusted networks
HARDENINGImplement network segmentation to isolate COMOS from the business network using a firewall
HARDENINGEnsure least-privilege access: grant COMOS engineering accounts only to personnel who need them, with appropriate role-based permissions
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/15777bc9-d218-4f1d-8b48-c20d922c27f4Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.