Siemens Mobility CoreShield OWG Software

Plan Patch
CVSS 7.8
ICS-CERT ICSA-22-258-01
Sep 13, 2022
Siemens
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

The default installation of CoreShield One-Way Gateway (OWG) software on Windows sets insecure file permissions on installed executables. A local attacker with user-level credentials can modify these files and escalate privileges to local administrator, gaining full control of the system.

What this means
What could happen
A local attacker with user access to the CoreShield OWG machine can escalate privileges to administrator and take full control of the gateway system, potentially disrupting the one-way data flow security that protects your operational network from the corporate network.
Who's at risk
Water authorities, municipal utilities, and critical infrastructure operators using Siemens CoreShield One-Way Gateways on Windows servers to isolate operational technology networks from corporate networks. This affects the security appliance that enforces one-directional data flow.
How it could be exploited
An attacker with local user-level access to the Windows machine running CoreShield OWG can overwrite the insecure executable files with malicious code. When a privileged process runs the modified executable, the attacker's code executes with administrator privileges, giving them full system control.
Prerequisites
  • Local access to the Windows machine running CoreShield OWG software
  • User-level credentials (non-admin login)
  • Write access to the CoreShield installation directory (default configuration)
  • Local privilege escalation possible
  • Default insecure configuration
  • Affects network security boundary device
  • Low EPSS score but practical exploitation path
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product: CoreShield One-Way Gateway (OWG) Software
Affected Versions: <V2.2
Fix Status: Fixed in V2.2
Remediation & Mitigation
Do now
HARDENING: Remove modify and write permissions from CoreShield OWG installed executables for local users
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CoreShield OWG software to version 2.2 or later
Long-term hardening
HARDENING: Install CoreShield OWG on a dedicated, isolated machine with restricted local user access
HARDENING: Migrate CoreShield OWG to Linux operating system if feasible
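The "Do now" hardening item above (strip modify/write rights from the installed executables) and the prerequisite "write access to the CoreShield installation directory" both come down to one check: does any broad local principal hold write-class rights on the install tree? The PowerShell below is an added example written for this page, not Siemens' code or an official CoreShield procedure. It audits every executable, DLL and directory under an install path for Allow ACEs that grant write, delete, permission-change or ownership rights to Users, Authenticated Users or Everyone, and with -Fix removes exactly those rights while leaving read and execute in place. The install directory is a placeholder you must replace; the advisory does not state the real default path, and the permanent fix remains the V2.2 update.

```powershell
# Added example (not from the Siemens advisory or CoreShield product): audit and optionally
# harden file permissions on a CoreShield OWG install tree against local-user modification.
# ASSUMPTION: 'C:\Placeholder\CoreShield-OWG' is a placeholder, not the product's real default path.

# Principals that must not be able to alter privileged executables or their containing folders
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Granular rights that let a user replace, alter, delete or re-permission an object.
# Composite rights (Modify, FullControl) contain these bits, so an ACE carrying either is caught.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-OwgInstallPermissions {
    param(
        [Parameter(Mandatory)][string]$InstallDir,   # placeholder path supplied by the caller
        [switch]$Fix                                 # remove the offending rights instead of only reporting
    )

    # Directories matter too: write access on a folder lets a user delete and re-create a binary.
    $targets = @(Get-Item -LiteralPath $InstallDir) +
               @(Get-ChildItem -LiteralPath $InstallDir -Recurse |
                 Where-Object { $_.PSIsContainer -or $_.Extension -in '.exe', '.dll' })

    $findings = @()
    foreach ($item in $targets) {
        $acl  = Get-Acl -LiteralPath $item.FullName
        $weak = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band ([int]$WriteMask)) -ne 0
        })
        if ($weak.Count -eq 0) { continue }

        foreach ($ace in $weak) {
            $findings += [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }

        if ($Fix) {
            # Inherited ACEs cannot be edited in place: stop inheritance and keep explicit copies,
            # then remove only the write-class rights from each offending principal.
            $acl.SetAccessRuleProtection($true, $true)
            foreach ($ace in $weak) {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $ace.IdentityReference, $WriteMask,
                    $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
                # RemoveAccessRule strips the rights named in $rule from matching ACEs;
                # ReadAndExecute and other rights on the same ACE survive.
                [void]$acl.RemoveAccessRule($rule)
            }
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
    return $findings
}

# Audit first (read-only), then apply -Fix from an elevated prompt during a maintenance window.
$report = Test-OwgInstallPermissions -InstallDir 'C:\Placeholder\CoreShield-OWG'
if ($report.Count -eq 0) {
    Write-Host 'No broad local principal holds write-class rights on the install tree.'
} else {
    $report | Format-Table -AutoSize
    # Test-OwgInstallPermissions -InstallDir 'C:\Placeholder\CoreShield-OWG' -Fix
}
```

Run the audit as a normal user first; a non-empty report from an unprivileged session is itself the finding, since it shows the prerequisite in the advisory is met. Apply -Fix only from an elevated session, verify the service still starts afterwards (it needs ReadAndExecute, which the removal leaves intact), and keep the V2.2 update scheduled: the script closes the default-permission weakness but does not change the installer behaviour that created it.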