Siemens SINUMERIK Systems
Score: 5.5 · ICS-CERT ICSA-24-256-04 · Sep 10, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SINUMERIK 828D V4, SINUMERIK 840D sl V4, and SINUMERIK ONE systems are affected by an information disclosure vulnerability in the Create MyConfig (CMC) provisioning tool. When CMC is executed on the NCU (Numerical Control Unit) or IPC (Industrial PC), the passwords used during configuration are logged in plaintext to the uptrace.out trace file. A local authenticated user with low privileges can read this file and obtain plaintext passwords, potentially allowing privilege escalation or impersonation of higher-privileged users. Siemens has released firmware updates for all affected product lines.
What this means
What could happen
A local user with low privileges can read passwords stored in trace log files on SINUMERIK machines that have been provisioned with Create MyConfig, allowing them to escalate privileges and impersonate higher-privileged users. This could allow an attacker to reconfigure machine parameters, modify tool offsets, or shut down production equipment.
Who's at risk
Machine tool builders and manufacturers using Siemens SINUMERIK 828D, 840D sl, or SINUMERIK ONE systems with Create MyConfig configuration tools should review this issue. Any organization operating these CNC machines (turning centers, milling machines, multi-axis equipment) that has used the CMC provisioning package is affected. Risk is highest in environments where the same machine is accessed by multiple operators or contractors at different privilege levels.
How it could be exploited
An attacker with local access to the SINUMERIK NCU (Numerical Control Unit) or IPC (Industrial PC) can read the uptrace.out log file located in the system's trace directory, extract plaintext passwords from the Create MyConfig execution logs, and use those credentials to gain higher-privilege access to the system.
Prerequisites
- Local access to the SINUMERIK NCU or IPC machine
- Low-privilege user account on the machine
- The machine must have been provisioned using Create MyConfig (CMC) package
- The uptrace.out log file must not have been manually deleted
- Local access only (not remotely exploitable)
- Requires low-privilege credentials already present on the machine
- Affects machines configured with Create MyConfig, not all SINUMERIK deployments
- Password exposure in unencrypted log files can lead to privilege escalation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
SINUMERIK 828D V4 | < V4.95 SP3 | 4.95 SP3
SINUMERIK 840D sl V4 | < V4.95 SP3 in connection with using Create MyConfig CMC V4.8 SP1 HF6 | 4.95 SP3
SINUMERIK ONE | < V6.23 in connection with using Create MyConfig CMC V6.6 | 6.23
SINUMERIK ONE | < V6.15 SP4 in connection with using Create MyConfig CMC V6.6 | 6.15 SP4
Remediation & Mitigation
Do now
Workaround: Manually delete the uptrace.out and uptrace.out.bak files after each Create MyConfig execution. On the NCU the file is at /card/user/sinumerik/hmi/log/sltrc/uptrace.out; on the IPC it is at C:\ProgramData\Siemens\MotionControl\user\sinumerik\hmi\log\sltrc\uptrace.out.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SINUMERIK 828D V4
Hotfix: Update SINUMERIK 828D V4 to V4.95 SP3 or later
SINUMERIK 840D sl V4
Hotfix: Update SINUMERIK 840D sl V4 to V4.95 SP3 or later
SINUMERIK ONE
Hotfix: Update SINUMERIK ONE (V6.x versions) to V6.23 or later (or V6.15 SP4 if on the 6.15 branch)
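To apply the affected-version table and the fix versions above across a fleet, the following added example (not part of the advisory or any Siemens tooling) parses SINUMERIK-style version strings such as "V4.95 SP3" and reports which hosts still need the update. It simplifies the "in connection with using Create MyConfig" condition to a per-host boolean, and the host names and inventory records are constructed sample data.

```python
import re

# Fixed versions from the advisory. SINUMERIK ONE has two branches:
# the 6.15.x branch is fixed at V6.15 SP4, every other V6.x at V6.23.
FIXED = {
    "SINUMERIK 828D V4": [("4.95 SP3", None)],
    "SINUMERIK 840D sl V4": [("4.95 SP3", None)],
    "SINUMERIK ONE": [("6.15 SP4", (6, 15)), ("6.23", None)],
}

_VER = re.compile(r"^V?(\d+)\.(\d+)(?:\s*SP\s*(\d+))?(?:\s*HF\s*(\d+))?$", re.I)


def parse_version(text):
    """Turn 'V4.95 SP3 HF6' into the comparable tuple (4, 95, 3, 6)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SINUMERIK version: {text!r}")
    major, minor, sp, hf = m.groups()
    return (int(major), int(minor), int(sp or 0), int(hf or 0))


def fixed_version_for(product, version):
    """Pick the fix version that applies to this product and release branch."""
    branch_key = parse_version(version)[:2]
    for fixed, branch in FIXED[product]:
        if branch is None or branch == branch_key:
            return fixed
    raise KeyError(f"no fix entry for {product} {version}")


def is_affected(product, version, used_cmc=True):
    """True when the installed release predates the fix. The advisory scopes
    the issue to systems provisioned with Create MyConfig, so a host that
    never ran CMC is reported as not affected."""
    if not used_cmc:
        return False
    return parse_version(version) < parse_version(fixed_version_for(product, version))


def triage(inventory):
    """Map (host, product, version, used_cmc) records to (affected, fix_version)."""
    return {
        host: (is_affected(product, version, used_cmc), fixed_version_for(product, version))
        for host, product, version, used_cmc in inventory
    }


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("cnc-lathe-01", "SINUMERIK 828D V4", "V4.95 SP2", True),
    ("cnc-mill-07", "SINUMERIK 840D sl V4", "V4.95 SP3", True),
    ("cnc-one-03", "SINUMERIK ONE", "V6.15 SP3", True),
    ("cnc-one-04", "SINUMERIK ONE", "V6.20", False),
]
```

Hosts flagged as affected need the update to the listed fix version and, until then, the uptrace.out/uptrace.out.bak deletion workaround after each CMC run.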
Long-term hardening
Hardening: Disable trace logging for Create MyConfig operations by replacing the trace configuration so that tracing is switched off for future executions
Hardening: Restrict physical and logical access to SINUMERIK NCU and IPC machines; ensure they are not exposed to untrusted networks and are located behind firewalls
CVEs (1)