Siemens User Management Component (UMC)

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-24-256-03 | Sep 10, 2024
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens User Management Component (UMC) contains a heap-based buffer overflow vulnerability that allows an unauthenticated remote attacker to achieve arbitrary code execution. UMC is a shared component used across TIA Portal (versions 16–19), SIMATIC PCS neo, SINEMA Remote Connect, SINEC NMS, Opcenter Quality, and Opcenter RDnL. The vulnerability is triggered by sending a specially crafted request to UMC network ports 4002 or 4004. Siemens has released patches for most products; however, TIA Portal V16, SIMATIC PCS neo V4.0 and V5.0, and SIMATIC Information Server 2022/2024 have no fixes planned.

What this means
What could happen
A remote attacker with no credentials can run arbitrary code on systems running the User Management Component, potentially allowing them to alter PLC configurations, change setpoints, or disrupt production systems across your engineering workstations and control servers.
Who's at risk
This affects organizations using Siemens engineering and control software: TIA Portal (versions 16–19, the primary automation engineering environment), SIMATIC PCS neo (process control systems for utilities and manufacturing), SINEMA Remote Connect (remote engineering access), SINEC NMS (network management), and Opcenter Quality/RDnL (manufacturing operations systems). Engineering teams, SCADA operators, and production control centers are at risk.
How it could be exploited
An attacker sends a specially crafted request to ports 4002 or 4004 (UMC network ports) to trigger a heap overflow in the User Management Component. This allows arbitrary code execution on any machine running UMC. The attacker needs only network reachability to these ports—no login or special configuration required.
Prerequisites
  • Network access to ports 4002 or 4004 on machines running UMC
  • No authentication required
remotely exploitable, no authentication required, low complexity, affects critical engineering platforms, affects control system software, affects safety and process control
Exploitability
Some exploitation risk — EPSS score 3.3%
Affected products (11)
9 with fix, 2 EOL
Product | Affected Versions | Fix Status
Totally Integrated Automation Portal (TIA Portal) V16 | All versions | No fix (EOL)
Opcenter Quality | < 2406 | 2406
Opcenter RDnL | < 2410 | 2410
SIMATIC PCS neo V4.1 | <V4.1 Update 2 | 4.1 Update 2
SIMATIC PCS neo V5.0 | <V5.0 Update 1 | 5.0 Update 1
SINEMA Remote Connect Client | <V3.2 SP3 | 3.2 SP3
Totally Integrated Automation Portal (TIA Portal) V17 | <V17 Update 8 | 17 Update 8
Totally Integrated Automation Portal (TIA Portal) V18 | <V18 Update 5 | 18 Update 5
Remediation & Mitigation
Do now
WORKAROUND: Restrict firewall access to ports 4002 and 4004 to only accept connections from IP addresses of machines that are part of your UMC network
WORKAROUND: If RT server machines are not used in your environment, block port 4004 completely at the firewall
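
An added example (not from Siemens or the advisory): a Python audit of an exported firewall rule set against the two workarounds above. The rule dictionary format, rule names and addresses are constructed for illustration, and the check looks at allow rules only without modelling rule ordering.

```python
import ipaddress

UMC_PORTS = (4002, 4004)  # UMC network ports named in the advisory
RT_PORT = 4004            # to be blocked entirely when no RT server machines are used

# Constructed sample data: hypothetical rule export and UMC peer list (RFC 5737 addresses).
SAMPLE_PEERS = ["192.0.2.0/28", "198.51.100.5"]
SAMPLE_RULES = [
    {"name": "eng-high-ports", "action": "allow", "src": "0.0.0.0/0", "ports": (1024, 65535)},
    {"name": "umc-peers", "action": "allow", "src": "192.0.2.0/28", "ports": (4002, 4004)},
    {"name": "umc-ring", "action": "allow", "src": "198.51.100.5/32", "ports": (4002, 4002)},
    {"name": "deny-rest", "action": "deny", "src": "0.0.0.0/0", "ports": (1, 65535)},
]


def audit_rules(rules, umc_peers, rt_servers_used=True):
    """Return (rule name, port, reason) for each allow rule that exposes a UMC port.

    A rule passes only if its source range lies entirely inside one UMC peer network.
    """
    peers = [ipaddress.ip_network(p, strict=False) for p in umc_peers]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        low, high = rule["ports"]  # inclusive port range
        src = ipaddress.ip_network(rule["src"], strict=False)
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        scoped = any(src.version == n.version and src.subnet_of(n) for n in peers)
        for port in UMC_PORTS:
            if not low <= port <= high:
                continue
            if port == RT_PORT and not rt_servers_used:
                findings.append((rule["name"], port, "4004 should be blocked: no RT servers in use"))
            elif not scoped:
                findings.append((rule["name"], port, f"source {src} is not limited to UMC peers"))
    return findings


if __name__ == "__main__":
    for name, port, reason in audit_rules(SAMPLE_RULES, SAMPLE_PEERS):
        print(f"{name}: port {port}: {reason}")
```

Broad port-range rules such as the constructed `eng-high-ports` entry are the usual way these two ports stay reachable after a scoped UMC rule has been added.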
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Totally Integrated Automation Portal (TIA Portal) V16
HOTFIX: Update TIA Portal V17 to Update 8 or later
HOTFIX: Update TIA Portal V18 to include UMC V2.13.1 as delivered via TIA Portal V17 Update 8
HOTFIX: Update TIA Portal V19 to Update 3 or later
SIMATIC PCS neo V4.1
HOTFIX: Update SIMATIC PCS neo V4.1 to Update 2 or later
SINEMA Remote Connect Client
HOTFIX: Update SINEMA Remote Connect Client to V3.2 SP3 or later
SINEC NMS
HOTFIX: Update SINEC NMS UMC component to V2.11.6 or later

Siemens User Management Component (UMC) | CVSS 9.8 - OTPulse