OTPulse

Siemens Mobility CoreShield OWG Software

Priority: Plan Patch
CVSS base score: 7.8
Source: ICS-CERT ICSA-22-258-01
Published: Sep 13, 2022
Attack Vector: Local
Privileges Required: Low (a standard, non-admin user account)
Attack Complexity: Low
User Interaction: None needed
Summary

The default installation of CoreShield One-Way Gateway (OWG) software on Windows sets insecure file permissions on installed executables. A local attacker with user-level credentials can modify these files and escalate privileges to local administrator, gaining full control of the system.

What this means
What could happen
A local attacker with user access to the CoreShield OWG machine can escalate privileges to administrator and take full control of the gateway system, potentially disrupting the one-way data flow security that protects your operational network from the corporate network.
Who's at risk
Water authorities, municipal utilities, and critical infrastructure operators using Siemens CoreShield One-Way Gateways on Windows servers to isolate operational technology networks from corporate networks. This affects the security appliance that enforces one-directional data flow.
How it could be exploited
An attacker with a local user-level login on the Windows machine running CoreShield OWG can replace one of the writable installed executables with malicious code. When a privileged process later runs that executable, the attacker's code executes with administrator privileges, giving them full system control.
Prerequisites
  • Local access to the Windows machine running CoreShield OWG software
  • User-level credentials (non-admin login)
  • Write access to the CoreShield installation directory (default configuration)
Key points
  • Local privilege escalation possible
  • Default insecure configuration
  • Affects network security boundary device
  • Low EPSS score but practical exploitation path
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product                                     Affected Versions   Fix Status
CoreShield One-Way Gateway (OWG) Software   < V2.2              Fixed in V2.2
Remediation & Mitigation
Do now
HARDENING: Remove modify and write permissions from CoreShield OWG installed executables for local users
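An added example, not Siemens or OTPulse code, that serves both the exploitation path described above and this hardening step: a PowerShell script that walks the OWG install directory, reports every executable where a low-privileged principal holds write-type rights (the precondition for overwriting a binary that a privileged process later runs), and with -Fix rewrites those ACEs to read-and-execute. The default install path, the list of low-privileged principals, and the function names are assumptions; pass the real directory with -InstallDir.

```powershell
# Added example for this advisory page; it is not Siemens or OTPulse code.
# Audits every executable under the CoreShield OWG install directory for the
# condition ICSA-22-258-01 describes: an Allow ACE that lets a low-privileged
# principal modify, delete or replace the file. With -Fix it rewrites such ACEs
# to ReadAndExecute. The default install path below is an assumption.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$InstallDir = 'C:\Program Files\Siemens\CoreShield OWG',  # assumed path
    [switch]$Fix
)

# Principals every local non-admin account belongs to. Write-type rights granted
# to any of these are exactly what a user-level login needs to overwrite an
# executable that a privileged process later runs.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that permit changing the file's content, replacing it, or re-granting
# those rights later. Any overlap with an ACE counts as a finding.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

function Get-WeakExecutableAce {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($ace.IdentityReference.Value -notin $LowPrivPrincipals) { continue }
                if ([int]($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
                [pscustomobject]@{
                    File      = $file.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

function Repair-WeakExecutableAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    foreach ($group in (Get-WeakExecutableAce -Path $Path | Group-Object File)) {
        $file = $group.Name
        if (-not $PSCmdlet.ShouldProcess($file, 'Replace write-capable ACEs with ReadAndExecute')) { continue }
        $acl = Get-Acl -LiteralPath $file
        if ($group.Group.Inherited -contains $true) {
            # Inherited ACEs cannot be edited on the file itself: stop inheriting
            # from the parent while keeping copies as explicit ACEs, apply that,
            # then re-read so the copies can be removed below.
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $file -AclObject $acl
            $acl = Get-Acl -LiteralPath $file
        }
        foreach ($identity in ($group.Group.Identity | Sort-Object -Unique)) {
            # Drop every Allow ACE for the principal, then grant read and execute
            # only, which is all a low-privileged user needs to launch the program.
            $match = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
            $acl.RemoveAccessRuleAll($match)
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'ReadAndExecute', 'Allow')))
        }
        Set-Acl -LiteralPath $file -AclObject $acl
    }
}

$findings = @(Get-WeakExecutableAce -Path $InstallDir)
if ($findings.Count -eq 0) {
    Write-Output "No write-capable ACEs for low-privileged principals under $InstallDir"
    return
}
$findings | Format-Table -AutoSize
if ($Fix) { Repair-WeakExecutableAce -Path $InstallDir }
```

Run it from an elevated PowerShell session: the audit only needs read access, but Set-Acl needs WRITE_DAC or ownership on each file. Preview the change with `-Fix -WhatIf` before running `-Fix` for real. Two caveats: the script only rewrites ACEs on the files themselves, so check the install directory's own ACL as well (Delete or write rights on the directory let a user rename or replace files regardless of the file ACE), and treat this as a stopgap for the window before the update to V2.2, which is the vendor's fix.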
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CoreShield OWG software to V2.2 or later
Long-term hardening
HARDENING: Install CoreShield OWG on a dedicated, isolated machine with restricted local user access
HARDENING: Migrate CoreShield OWG to the Linux operating system if feasible