Siemens SIMATIC RTLS Locating Manager

Act NowCVSS 10ICS-CERT ICSA-24-137-07May 14, 2024

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SIMATIC RTLS Locating Manager versions prior to 3.0.1.1 contain multiple input validation, error handling, and resource management weaknesses (CWE-20, CWE-754, CWE-400, CWE-834, CWE-770) that allow unauthenticated remote code execution. The vulnerabilities also include insufficient encryption (CWE-311, CWE-319), insecure deserialization (CWE-494), weak credential storage (CWE-321), and improper access controls (CWE-732). An attacker on the network can exploit these flaws to run arbitrary code on the Windows Server hosting the Locating Manager, compromising the confidentiality, integrity, and availability of the real-time location tracking system.

What this means

What could happen

An attacker with network access to the RTLS Locating Manager could execute arbitrary commands on the Windows Server hosting the system, potentially disrupting real-time location tracking for assets in your facility and compromising the integrity of location data used by operational processes.

Who's at risk

This affects any organization using Siemens SIMATIC RTLS (Real-Time Locating System) Locating Manager for asset tracking in manufacturing facilities, warehouses, or logistics operations. Any facility relying on real-time location data for process automation or safety-critical operations should prioritize this update.

How it could be exploited

An attacker on the network can send specially crafted requests to the RTLS Locating Manager service without authentication, exploiting input validation weaknesses and resource handling flaws to achieve remote code execution on the Windows Server hosting the application.

Prerequisites

Network access to the Windows Server hosting RTLS Locating Manager
No authentication required

remotely exploitableno authentication requiredlow complexityhigh EPSS score (26.8%)affects locating and tracking systems

Exploitability

Likely to be exploited — EPSS score 26.3%

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (7)

7 with fix

ProductAffected VersionsFix Status

SIMATIC RTLS Locating Manager (6GT2780-0DA00)<V3.0.1.13.0.1.1

SIMATIC RTLS Locating Manager (6GT2780-0DA10)<V3.0.1.13.0.1.1

SIMATIC RTLS Locating Manager (6GT2780-0DA20)<V3.0.1.13.0.1.1

SIMATIC RTLS Locating Manager (6GT2780-0DA30)<V3.0.1.13.0.1.1

SIMATIC RTLS Locating Manager (6GT2780-1EA10)<V3.0.1.13.0.1.1

SIMATIC RTLS Locating Manager (6GT2780-1EA20)<V3.0.1.13.0.1.1

SIMATIC RTLS Locating Manager (6GT2780-1EA30)<V3.0.1.13.0.1.1

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to the Windows Server running RTLS Locating Manager with a firewall; ensure no ports are exposed to untrusted networks

HARDENINGInstall RTLS Locating Manager components on a single host where possible and grant access only to trusted personnel

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SIMATIC RTLS Locating Manager to version 3.0.1.1 or later using Siemens Online Software Delivery (OSD)

Long-term hardening

0/2

HARDENINGApply Windows Server security hardening according to corporate policy or current hardening guidelines

HARDENINGSegment the RTLS Locating Manager network from business networks and untrusted external networks

CVEs (21)

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a870b046-fe81-4412-b4d6-9b85fa5de87b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.