OTPulse

Siemens COMOS

Act Now · CVSS 9.8 · ICS-CERT ICSA-23-320-09 · Nov 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

COMOS is affected by multiple vulnerabilities (CWE-611, CWE-22, CWE-787, CWE-125, CWE-190, CWE-416, CWE-122, CWE-319, CWE-120, CWE-284) that could allow arbitrary code execution, denial of service, data theft, or access control violations. Notable items: CVE-2023-43503, which requires updating the COMOS database to version 25; CVE-2023-43504, for which older versions ship ptmcast.exe; and CVE-2023-43505 and CVE-2023-46601, which concern file access and data import controls.

What this means
What could happen
An attacker could execute arbitrary code on COMOS systems, steal process data or configuration information, disrupt plant operations through denial of service, or bypass access controls to modify engineering data and setpoints. The high CVSS (9.8) reflects the combination of remote exploitability and severe impact potential.
Who's at risk
Organizations running Siemens COMOS for engineering, process control design, and plant data management should prioritize this issue. Affected sites include chemical plants, water utilities, power generation facilities, and any industrial facility using COMOS for process engineering and configuration management. COMOS versions before V10.4.4 are affected by some of these issues, and all versions by others (see the affected products table below).
How it could be exploited
An attacker with network access to a COMOS server or workstation could exploit multiple code execution vulnerabilities (CWE-611 XML External Entity, CWE-787 buffer overflow, CWE-22 path traversal) by sending crafted requests or malicious files. For some vulnerabilities, no authentication is required. Successful exploitation could allow arbitrary code execution on the host system running COMOS.
Prerequisites
  • Network access to COMOS server or workstation
  • For some vulnerabilities, no authentication required
  • Ability to transmit malicious files or requests to the COMOS system
  • remotely exploitable
  • no authentication required for some CVEs
  • low complexity attack
  • affects engineering and control system data
  • multiple code execution vulnerabilities
  • high CVSS score (9.8)
  • some products have no fix available
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (2)
2 with fix
Product   Affected Versions   Fix Status
COMOS     < V10.4.4           10.4.4
COMOS     All versions        10.4.4
Remediation & Mitigation
Do now
COMOS
WORKAROUND: For CVE-2023-43504, delete ptmcast.exe from the bin folder of the COMOS installation directory if running pre-10.4.4 versions
HARDENING: Ensure all files imported into COMOS originate from trusted sources and are transmitted over secure channels
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

COMOS
HOTFIX: Update COMOS to version 10.4.4 or later
HOTFIX: For CVE-2023-43503, update the COMOS database to version 25 following the user manual procedure (note: older COMOS versions cannot use the updated database)
Long-term hardening
COMOS
HARDENING: For CVE-2023-43505 and CVE-2023-46601, deploy COMOS behind an application server (such as Citrix) to add access control layers and restrict direct access to the file share and database
HARDENING: Isolate COMOS servers and workstations from internet-facing networks using firewalls and network segmentation
HARDENING: If remote access to COMOS is required, use a VPN or similar secure tunnel method instead of direct network exposure
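The checks below turn the remediation items above into a per-host audit. This is an added example, not code from OTPulse or Siemens; it assumes the operator supplies the COMOS installation directory and the installed version (the advisory names no registry key or version file, so neither is read automatically), and the database schema check is reported as a manual item.

```powershell
# Added example (not from the advisory or Siemens): audit one COMOS host
# against the remediation items in this advisory.
function Test-ComosRemediation {
    param(
        # Assumed: operator supplies the COMOS install root, e.g. 'C:\COMOS' (placeholder).
        [Parameter(Mandatory)][string]$InstallDir,
        # Assumed: operator supplies the installed version as shown in the COMOS about dialog.
        [Parameter(Mandatory)][version]$InstalledVersion
    )

    $fixedVersion = [version]'10.4.4'
    $findings = New-Object System.Collections.Generic.List[object]

    # CVE-2023-43504: pre-10.4.4 builds ship ptmcast.exe in <install>\bin.
    # Workaround from the advisory: delete it until the host is updated.
    $ptmcast = Join-Path (Join-Path $InstallDir 'bin') 'ptmcast.exe'
    if ($InstalledVersion -lt $fixedVersion) {
        if (Test-Path -LiteralPath $ptmcast) {
            $findings.Add([pscustomobject]@{ Item = 'CVE-2023-43504'; Status = 'OPEN'
                Action = "Remove $ptmcast (workaround) or update to $fixedVersion" })
        } else {
            $findings.Add([pscustomobject]@{ Item = 'CVE-2023-43504'; Status = 'MITIGATED'
                Action = 'ptmcast.exe absent; update to 10.4.4 remains outstanding' })
        }
        $findings.Add([pscustomobject]@{ Item = 'Hotfix 10.4.4'; Status = 'OPEN'
            Action = "Installed $InstalledVersion is below $fixedVersion; schedule the update" })
    } else {
        $findings.Add([pscustomobject]@{ Item = 'Hotfix 10.4.4'; Status = 'DONE'
            Action = "Installed $InstalledVersion is at or above $fixedVersion" })
    }

    # CVE-2023-43503: needs the COMOS database at version 25. That state lives in
    # the database, not on this host's file system, so it is flagged for manual review.
    $findings.Add([pscustomobject]@{ Item = 'CVE-2023-43503'; Status = 'MANUAL'
        Action = 'Confirm the COMOS database has been updated to version 25 per the user manual' })

    return $findings
}

# Example invocation with placeholder values (assumed, not from the advisory).
Test-ComosRemediation -InstallDir 'C:\COMOS' -InstalledVersion '10.4.3' | Format-Table -AutoSize
```

Run it on each COMOS server and workstation and feed the OPEN items into the maintenance-window plan noted above.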