OTPulse

Siemens Mendix Runtime

Score: 5.3
Source: ICS-CERT ICSA-24-256-05
Published: Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mendix Runtime contains a vulnerability in the authentication response that allows unauthenticated attackers to enumerate valid usernames by observing differences in authentication error responses. The vulnerability affects Mendix Runtime V8, V9, V10, V10.6, and V10.12. An attacker with only network access to the application can determine which user accounts exist, which could facilitate targeted attacks such as credential brute-forcing or social engineering. The vulnerability exists when basic authentication is used; applications implementing SAML, MendixSSO, or custom identity providers are not affected. Siemens has released patched versions for all affected product lines.

What this means
What could happen
An attacker can determine which usernames exist in your Mendix-based application without valid credentials by observing authentication response differences, potentially enabling targeted account attacks or social engineering.
Who's at risk
Organizations using Siemens Mendix Runtime for web-based operational technology applications or industrial control system interfaces. This includes manufacturing facilities, utilities, and industrial automation platforms that rely on Mendix for process monitoring dashboards, operator portals, or supervisory interfaces where authentication controls access to sensitive operations.
How it could be exploited
An attacker sends authentication requests to your Mendix Runtime application from the internet and measures response times or error messages to distinguish valid usernames from invalid ones. This information disclosure requires only network access to the application endpoint; no credentials or system access are needed.
Prerequisites
  • Network access to the Mendix Runtime application endpoint (typically the HTTP/HTTPS port)
  • Application using basic authentication (username/password method)
  • No rate limiting or IP-based access controls on authentication endpoint
  • Remotely exploitable
  • No authentication required for exploitation
  • Low complexity
  • Information disclosure enables follow-on attacks
  • Affects all Mendix Runtime versions in use
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (5)
5 with fix
Product                  Affected Versions   Fix Status
Mendix Runtime V8        < 8.18.33           Fixed in 8.18.33
Mendix Runtime V9        < 9.24.31           Fixed in 9.24.31
Mendix Runtime V10       < 10.17.0           Fixed in 10.17.0
Mendix Runtime V10.6     < 10.6.19           Fixed in 10.6.19
Mendix Runtime V10.12    < 10.12.11          Fixed in 10.12.11
Remediation & Mitigation
Do now
WORKAROUND: Disable basic authentication and implement an alternative authentication module such as SAML, MendixSSO, or a custom Identity Provider (IDP)
HARDENING: Restrict network access to Mendix Runtime applications using firewall rules; do not expose authentication endpoints to the internet
HARDENING: Implement rate limiting on authentication endpoints to prevent username enumeration attacks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Runtime V8
HOTFIX: Update Mendix Runtime V8 to version 8.18.33 or later
Mendix Runtime V9
HOTFIX: Update Mendix Runtime V9 to version 9.24.31 or later
Mendix Runtime V10
HOTFIX: Update Mendix Runtime V10 to version 10.17.0 or later
HOTFIX: Update Mendix Runtime V10.6 to version 10.6.19 or later
HOTFIX: Update Mendix Runtime V10.12 to version 10.12.11 or later