Siemens COMOS
Status: Plan Patch
CVSS Score: 7.8
ICS-CERT Advisory: ICSA-24-228-08
Published: Aug 13, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
COMOS before V10.5 is affected by two local code execution vulnerabilities (CWE-787 buffer overflow, CWE-416 use-after-free) in the integrated Open Design Alliance Drawings SDK. These vulnerabilities allow local code execution through manipulation of files imported into the product.
What this means
What could happen
An attacker with local access to a COMOS workstation could execute arbitrary code with the privileges of the user running the application, potentially allowing them to alter process designs, steal engineering data, or compromise downstream industrial operations that depend on these designs.
Who's at risk
Engineering teams and plant personnel who use Siemens COMOS for process design, automation engineering, and documentation. This affects organizations across chemical processing, power generation, water treatment, and other industrial sectors that rely on COMOS for system design and configuration.
How it could be exploited
An attacker must first gain local access to a machine running COMOS. They then craft a malicious file (drawing or related format) that exploits the buffer overflow or use-after-free flaw in the Open Design Alliance SDK. When a user imports this file into COMOS through the UI, the attacker's code executes with the user's privileges.
Prerequisites
- Local access to a COMOS workstation
- User interaction required: victim must import a malicious file into COMOS
- COMOS version before 10.5
Key points
- Local access required (reduces immediate risk)
- User interaction required (import of a malicious file)
- No authentication bypass
- Affects engineering workstations, not production equipment directly
- Low EPSS score (0.1%)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: COMOS
Affected Versions: < V10.5
Fix Status: fixed in V10.5
Remediation & Mitigation
Do now
WORKAROUND: Restrict file imports to only trusted sources and verify that files are transmitted over secure channels (e.g., signed files, known vendor repositories)
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Update COMOS to version 10.5 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate engineering workstations from the Internet and business networks
HARDENING: Restrict local access to COMOS workstations through physical security measures and access controls
CVEs (2)
API:
/api/v1/advisories/b9a843a8-e3b1-4e59-a034-d91c6c600f79