Siemens OpenSSL Affecting Industrial Products

Act NowCVSS 9.8ICS-CERT ICSA-22-167-17Jun 14, 2022

SiemensManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SINEMA Remote Connect Server contains multiple critical vulnerabilities including command injection in file upload (CVE-2022-32262), authentication bypass and privilege escalation flaws (CVE-2022-32251 through -32261), cross-site scripting (CVE-2022-29034), and multiple library vulnerabilities in curl and libexpat. These flaws affect versions prior to 3.1 and could allow remote attackers to execute commands, bypass access controls, crash the server, or inject malicious content. Siemens has released version 3.1 with fixes for all identified issues.

What this means

What could happen

An attacker could inject commands into file uploads, bypass authentication, escalate privileges, inject malicious scripts into web pages served to users, or crash the server by exploiting XML parsing flaws. This could allow unauthorized remote access to the SINEMA Remote Connect Server and control over connected industrial devices and networks.

Who's at risk

Siemens SINEMA Remote Connect Server administrators and organizations that use this product for remote access management of industrial devices. This primarily affects manufacturing facilities, utilities, and any industrial site that uses Siemens remote connectivity solutions. The server acts as a gateway to critical control systems, making compromise a serious risk.

How it could be exploited

An attacker with network access to the SINEMA Remote Connect Server can exploit command injection in the file upload service to run arbitrary commands with server privileges. Alternatively, they can bypass authentication mechanisms or escalate from a low-privilege user account to gain full server control. Cross-site scripting can be used to steal credentials from users interacting with the web interface.

Prerequisites

Network access to the SINEMA Remote Connect Server web interface (typically port 443)
For some vulnerabilities, ability to upload files to the server
For privilege escalation paths, a valid unprivileged user account on the server

remotely exploitableno authentication required (for some vulnerabilities)low complexityhigh EPSS score (13.3%)affects remote access to critical systemsmultiple vulnerability types including code execution

Exploitability

Likely to be exploited — EPSS score 13.3%

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (1)

ProductAffected VersionsFix Status

SINEMA Remote Connect Server<V3.13.1

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to the SINEMA Remote Connect Server to authorized management networks only using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SINEMA Remote Connect Server to version 3.1 or later

Long-term hardening

0/2

HARDENINGIsolate the SINEMA Remote Connect Server behind a firewall and separate from internet-facing business networks

HARDENINGUse a VPN for any required remote access to the SINEMA Remote Connect Server, keeping VPN software updated

CVEs (29)

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/42d142ec-5f28-4428-8ddf-ab9ad1231958

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.