OTPulse

Siemens COMOS

Act Now | CVSS 10 | ICS-CERT ICSA-23-047-10 | Feb 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

COMOS is affected by a memory corruption vulnerability in the cache validation service that could allow an attacker to execute arbitrary code or cause denial of service. The vulnerability exists in multiple versions of COMOS, with Siemens releasing patches for most versions except COMOS V10.2, for which no fix is planned.

What this means
What could happen
An attacker with network access to COMOS could run arbitrary commands on the system, potentially modifying process data, control setpoints, or stopping critical operations. Alternatively, the attacker could cause the COMOS service to crash, disrupting engineering work and process monitoring.
Who's at risk
This affects any organization running Siemens COMOS for process engineering and design. COMOS is used by chemical plants, refineries, power generation facilities, and other process industries to manage plant design and configuration. All organizations running COMOS V10.2 through V10.4.2.0 should assess their environment.
How it could be exploited
An attacker on the network sends a crafted request to the COMOS cache validation service. The memory corruption flaw allows the request to overwrite memory and execute arbitrary code, or corrupt the service causing it to fail. No authentication is required and the attack can be performed remotely over the network.
Prerequisites
  • Network access to COMOS cache validation service port (typically network-reachable if not isolated)
  • No credentials or authentication required
  • COMOS service must be running
remotely exploitable · no authentication required · low complexity · memory corruption vulnerability · high CVSS score (10.0) · no fix available for V10.2
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (8)
7 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| COMOS V10.2 | All versions | No fix (EOL) |
| COMOS V10.3.3.1 | <V10.3.3.1.45 | 10.3.3.1.45 |
| COMOS V10.3.3.2 | <V10.3.3.2.33 | 10.3.3.2.33 |
| COMOS V10.3.3.3 | <V10.3.3.3.9 | 10.3.3.3.9 |
| COMOS V10.3.3.4 | <V10.3.3.4.6 | 10.3.3.4.6 |
| COMOS V10.4.0.0 | <V10.4.0.0.31 | 10.4.0.0.31 |
| COMOS V10.4.1.0 | <V10.4.1.0.32 | 10.4.1.0.32 |
| COMOS V10.4.2.0 | <V10.4.2.0.25 | 10.4.2.0.25 |
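
The affected-versions table above can be applied to an asset inventory. The following is an added example, not part of the advisory or any Siemens tooling; it assumes installed versions are recorded as dotted strings with an optional leading "V" and a fifth build component, and the status labels, function names and sample hosts are hypothetical.

```python
import re

# Fix table transcribed from the advisory above: branch -> first fixed build.
FIXED_BUILD = {
    (10, 3, 3, 1): 45, (10, 3, 3, 2): 33, (10, 3, 3, 3): 9, (10, 3, 3, 4): 6,
    (10, 4, 0, 0): 31, (10, 4, 1, 0): 32, (10, 4, 2, 0): 25,
}
EOL_PREFIX = (10, 2)  # COMOS V10.2: all versions affected, no fix planned


def parse_version(text):
    """Parse 'V10.3.3.1.44' or '10.3.3.1.44' into a tuple of ints."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def triage(installed):
    """Classify one installed COMOS version against the advisory table."""
    v = parse_version(installed)
    if v[:2] == EOL_PREFIX:
        return "vulnerable-eol"      # compensating controls only
    # Compare integer components, not string prefixes: '10.3.3.10' is not
    # the '10.3.3.1' branch, and build 10 is newer than build 9.
    branch, build = v[:4], v[4:]
    if branch not in FIXED_BUILD:
        return "not-listed"          # branch absent from the advisory: review manually
    if len(build) != 1:
        return "unknown-build"       # cannot compare without the fifth component
    return "patched" if build[0] >= FIXED_BUILD[branch] else "vulnerable"


def triage_inventory(rows):
    """rows: iterable of (hostname, version). Returns {hostname: status}."""
    return {host: triage(ver) for host, ver in rows}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("eng-ws-01", "V10.3.3.1.44"),
    ("eng-ws-02", "10.4.2.0.25"),
    ("eng-ws-03", "10.2.1.0.5"),
    ("eng-ws-04", "10.4.1.0"),
    ("eng-ws-05", "10.3.3.10.2"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}\t{status}")
```
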
Remediation & Mitigation
Do now
WORKAROUND: Enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows on systems running COMOS to reduce risk of code execution (note: does not prevent denial of service attacks)
HARDENING: Restrict network access to COMOS systems using firewall rules; ensure COMOS is not directly accessible from the Internet or untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update COMOS to the latest patched version (10.3.3.1.45 or later for V10.3.3.1, 10.3.3.2.33 or later for V10.3.3.2, 10.3.3.3.9 or later for V10.3.3.3, 10.3.3.4.6 or later for V10.3.3.4, 10.4.0.0.31 or later for V10.4.0.0, 10.4.1.0.32 or later for V10.4.1.0, or 10.4.2.0.25 or later for V10.4.2.0)
Mitigations - no patch available
COMOS V10.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate COMOS systems and cache validation service from business networks; place behind firewall and implement network segmentation
HARDENING: If remote access to COMOS is required, use VPN or other secure tunnel; ensure VPN is kept up to date