Siemens COMOS Web (Update A)
Plan Patch | 8.8 | ICS-CERT ICSA-22-013-05 | Jan 11, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in COMOS web components allow code injection (CWE-434), cross-site scripting (CWE-80), SQL injection (CWE-89), unrestricted file uploads (CWE-23), and cross-site request forgery (CWE-352). An attacker with valid engineering credentials can exploit these to inject malicious code, upload arbitrary files, execute database queries, and execute unauthorized commands. Affected versions: COMOS v10.2 (all versions with web enabled), v10.3 (prior to 10.3.3.3), and v10.4 (prior to 10.4.1).
What this means
What could happen
An attacker with engineering credentials could inject malicious code, upload dangerous files, manipulate database queries, or trick an engineer into performing unauthorized actions on COMOS, potentially altering process setpoints, stopping batch operations, or modifying equipment configurations.
Who's at risk
This affects water and electric utilities, chemical plants, and other process manufacturers using Siemens COMOS (an engineering and process management platform) for process design, simulation, and control system configuration. Anyone with COMOS v10.2, v10.3, or v10.4 who has enabled the web components feature should evaluate their version and apply patches or mitigations.
How it could be exploited
An attacker with valid engineering workstation credentials accesses the COMOS web interface. They upload a malicious file to exploit the file upload vulnerability (CVE-2021-37194), inject SQL commands in input fields to extract or modify process data (CWE-89), or craft a link that tricks an authenticated engineer into running unintended operations (CSRF). No special network position is required beyond reaching the web port.
Prerequisites
- Valid COMOS engineering workstation account or credentials
- Network access to the COMOS web interface (typically port 80/443)
- Web components must be enabled in the COMOS installation
- remotely exploitable
- requires valid credentials (engineering workstation account)
- low complexity attack
- affects engineering workstations and process visibility
- no patch available for COMOS v10.2
- partial patch status for v10.3 (only fixed up to 10.3.3.3)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4): 3 with fix, 1 EOL

Product      | Affected Versions                              | Fix Status
COMOS V10.3  | ≥ V10.3.3.3, only if web components are used   | 10.3.3.3
COMOS V10.3  | < V10.3.3.3, only if web components are used   | 10.3.3.3
COMOS V10.4  | < V10.4.1, only if web components are used     | 10.4.1
COMOS V10.2  | All versions, only if web components are used  | No fix (EOL)
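The following is an added triage helper, not part of the advisory or of any Siemens tooling: it classifies a COMOS installation against the affected-version ranges given in the Summary and Remediation sections (v10.2 all versions, v10.3 prior to 10.3.3.3, v10.4 prior to 10.4.1, only when web components are enabled). The inventory rows are constructed sample data.

```python
# Added example: triage COMOS installs against this advisory's affected ranges.
# Hostnames and versions in INVENTORY are constructed sample data.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Version line -> first fixed version, or None when the vendor ships no fix (EOL).
FIX_STATUS: Dict[Tuple[int, int], Optional[Version]] = {
    (10, 2): None,            # COMOS V10.2: End of Life, no fix
    (10, 3): (10, 3, 3, 3),   # COMOS V10.3: fixed in 10.3.3.3
    (10, 4): (10, 4, 1),      # COMOS V10.4: fixed in 10.4.1
}

def parse_version(text: str) -> Version:
    """Turn 'V10.3.3.2' or '10.4.1' into a tuple of ints that compares numerically."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))

def triage(version: str, web_enabled: bool) -> str:
    """Classify one install: 'not affected', 'fixed', 'update to <ver>' or EOL guidance."""
    v = parse_version(version)
    if not web_enabled:
        return "not affected"          # advisory applies only when web components are used
    line = v[:2]
    if line not in FIX_STATUS:
        return "not affected"          # version line not listed in the advisory
    fix = FIX_STATUS[line]
    if fix is None:
        return "no fix (EOL): apply mitigations"
    # Tuple comparison: (10, 4) < (10, 4, 1) and (10, 4, 1, 0) > (10, 4, 1)
    if v < fix:
        return "update to " + ".".join(str(n) for n in fix)
    return "fixed"

def triage_inventory(inventory: List[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Map each (host, version, web_enabled) row to its triage result."""
    return {host: triage(ver, web) for host, ver, web in inventory}

INVENTORY = [  # constructed sample data: (host, COMOS version, web components enabled)
    ("eng-ws-01", "V10.3.3.2", True),
    ("eng-ws-02", "V10.3.3.3", True),
    ("eng-ws-03", "V10.4.0.5", True),
    ("eng-ws-04", "V10.2.1", True),
    ("eng-ws-05", "V10.2.1", False),
]

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:10s} {status}")
```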
Remediation & Mitigation
Do now
COMOS V10.3
WORKAROUND: For COMOS v10.3 versions prior to 10.3.3.3 affected by CVE-2021-37196 (SQL injection): Make the web server root directory read-only to prevent malicious file storage
COMOS V10.4
WORKAROUND: For COMOS v10.4.1 and v10.3.3.2.14: Configure the file upload whitelisting feature to allow only safe file types
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
COMOS V10.3
HOTFIX: Update COMOS v10.3 to version 10.3.3.3 or later
COMOS V10.4
HOTFIX: Update COMOS v10.4 to version 10.4.1 or later
Mitigations - no patch available
COMOS V10.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict COMOS web interface access to engineering workstations only; do not expose it to the internet or untrusted networks
HARDENING: Implement network segmentation to isolate COMOS from the business network using a firewall
HARDENING: Ensure least-privilege access: grant COMOS engineering accounts only to personnel who need them, with appropriate role-based permissions