Siemens SINUMERIK Systems

Monitor | CVSS 5.5 | ICS-CERT ICSA-24-256-04 | Sep 10, 2024
Siemens
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SINUMERIK systems configured with Create MyConfig (CMC) packages contain an information disclosure vulnerability. When CMC packages are executed on an NCU or IPC, passwords entered during configuration are stored in plaintext in the uptrace.out trace log file. A local user with low privileges can read this log file and recover passwords to impersonate higher-privileged users, potentially gaining access to modify machine programs or control parameters.

What this means
What could happen
A local user with low privileges can read passwords from SINUMERIK log files and use them to gain unauthorized access to the system as a higher-privileged user, potentially allowing changes to machining programs or operational parameters.
Who's at risk
Manufacturing and machining operations using Siemens SINUMERIK CNC (Computer Numerical Control) systems, including SINUMERIK 828D, 840D sl, and SINUMERIK ONE controllers. Any facility that has provisioned these systems with Create MyConfig packages is affected.
How it could be exploited
An attacker with local access to the SINUMERIK system (NCU or IPC running Create MyConfig) can read the uptrace.out log file in the standard system directory to recover passwords that were entered during package execution. These passwords can then be used to authenticate as a higher-privileged user, such as an engineering or administrative account.
Prerequisites
  • Local access to the SINUMERIK NCU or IPC
  • Low-privilege user account on the affected system
  • Create MyConfig (CMC) package must have been executed on the system
  • uptrace.out log file must still exist on the system
low authentication complexity required | local access only (not remotely exploitable) | sensitive information exposure (password logging) | affects production control systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
SINUMERIK 828D V4 | < V4.95 SP3 | 4.95 SP3
SINUMERIK 840D sl V4 | ≤ < V4.95 SP3 in connection with using Create MyConfig CMC V4.8 SP1 HF6 | 4.95 SP3
SINUMERIK ONE | ≤ < V6.23 in connection with using Create MyConfig CMC V6.6 | 6.23
SINUMERIK ONE | ≤ < V6.15 SP4 in connection with using Create MyConfig CMC V6.6 | 6.15 SP4
Remediation & Mitigation
Do now
  • WORKAROUND: Immediately delete the uptrace.out and uptrace.out.bak files from the system log directories (on NCU: /card/user/sinumerik/hmi/log/sltrc/; on IPC: C:\ProgramData\Siemens\MotionControl\user\sinumerik\hmi\log\sltrc\)
  • WORKAROUND: Disable trace logging in the trace configuration to prevent passwords from being logged in future CMC package executions
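
The first workaround, as an added example for the NCU path listed above (not part of the advisory and not Siemens tooling): a POSIX shell script that reports whether the two trace files exist and whether other users can read them, then deletes them and confirms they are gone. The function names are hypothetical, and it assumes the shell on the target provides ls, cut and rm; the Windows IPC path is not covered.

```shell
#!/bin/sh
# Added example, not Siemens tooling. Function names are hypothetical.
# Default is the NCU trace directory given in the workaround above.
SLTRC_DIR_DEFAULT="/card/user/sinumerik/hmi/log/sltrc"
TRACE_NAMES="uptrace.out uptrace.out.bak"

# List trace files that exist, with their mode string, and flag any that
# "other" users can read. Returns 0 if at least one was found, 1 if none.
audit_traces() {
    dir="${1:-$SLTRC_DIR_DEFAULT}"
    found=1
    for name in $TRACE_NAMES; do
        f="$dir/$name"
        # -e is false for a dangling symlink, so test -L as well
        if [ -e "$f" ] || [ -L "$f" ]; then
            mode=$(ls -ld "$f" | cut -c1-10)
            case "$mode" in
                ???????r*) echo "FOUND $f $mode WORLD-READABLE" ;;
                *)         echo "FOUND $f $mode" ;;
            esac
            found=0
        fi
    done
    return "$found"
}

# Delete the trace files. Anything that is not a regular file (symlink,
# directory) is left alone for manual inspection. Returns 0 only when a
# follow-up audit finds nothing left.
remove_traces() {
    dir="${1:-$SLTRC_DIR_DEFAULT}"
    for name in $TRACE_NAMES; do
        f="$dir/$name"
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            rm -f -- "$f" || return 2
        elif [ -e "$f" ] || [ -L "$f" ]; then
            echo "SKIP $f (not a regular file)" >&2
        fi
    done
    if audit_traces "$dir" >/dev/null; then return 1; fi
    return 0
}

# Usage: script.sh audit [dir]   or   script.sh remove [dir]
case "${1:-}" in
    audit)  audit_traces "${2:-}" ;;
    remove) remove_traces "${2:-}" ;;
esac
```

Deleting the files does not stop new traces from being written, so the second workaround (disabling trace logging) is still needed until the fixed version is installed.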
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SINUMERIK 828D V4
  • HOTFIX: Update SINUMERIK 828D V4 to version 4.95 SP3 or later
SINUMERIK 840D sl V4
  • HOTFIX: Update SINUMERIK 840D sl V4 to version 4.95 SP3 or later
SINUMERIK ONE
  • HOTFIX: Update SINUMERIK ONE to version 6.23 or later (or 6.15 SP4 if running 6.15 branch)
Long-term hardening
  • HARDENING: Restrict physical and network access to SINUMERIK NCU and IPC systems to authorized personnel only