Siemens Mendix Runtime

Monitor | CVSS 5.3 | ICS-CERT ICSA-24-256-05 | Sep 10, 2024
Siemens
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

Mendix Runtime contains an observable response discrepancy vulnerability during username validation in the authentication process. An unauthenticated remote attacker can send authentication requests and measure response times or other observable differences to distinguish between valid and invalid usernames. This leaks information about which usernames exist in the system, enabling account enumeration attacks.

What this means
What could happen
An attacker can remotely determine which usernames exist on your Mendix application without needing valid credentials. This information could be used to support targeted attacks against your application or infrastructure.
Who's at risk
Organizations operating Mendix Runtime applications for business process automation, custom applications, or integration platforms should assess their Mendix versions and deployment scope. This includes utilities and industrial organizations that use Mendix for administrative or operational applications that interact with or support control systems.
How it could be exploited
An attacker sends authentication requests to the Mendix Runtime over the network and observes the response behavior to infer whether a username exists. Valid usernames produce different responses (timing, error messages, or HTTP status codes) compared to invalid ones, allowing the attacker to enumerate valid accounts.
Prerequisites
  • Network access to the Mendix Runtime authentication endpoint
  • No credentials required
remotely exploitable; no authentication required; low complexity; information disclosure allows account enumeration
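The discrepancy described above comes from a login handler that treats "no such user" and "wrong password" as different cases: a different message, status code, or amount of work. The block below is an added example written for this page, not Mendix code and not taken from the advisory. It shows the leaky pattern beside a hardened handler that does the same password-hash work and returns the same status and message on every failure path, plus a small check a reviewer can run to confirm the two failure responses are indistinguishable. The user store, password, and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# Illustrative only; nothing here is from the advisory or a real deployment.
_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """Password hashing shared by both handlers."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str):
    salt = secrets.token_bytes(16)
    return (salt, _derive(password, salt))


USERS = {
    "alice": _make_user("correct horse battery staple"),
}

# Dummy record used for unknown usernames so the server performs the same
# key derivation whether or not the account exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _derive(secrets.token_hex(16), _DUMMY_SALT)


def authenticate_leaky(username: str, password: str):
    """Before: the response reveals whether the username exists.

    Unknown users get a distinct status/message and the expensive hash is
    skipped entirely, so both the body and the response time differ between
    valid and invalid usernames. This is the observable discrepancy."""
    record = USERS.get(username)
    if record is None:
        return 404, "unknown user"
    salt, expected = record
    if _derive(password, salt) == expected:
        return 200, "ok"
    return 401, "wrong password"


def authenticate_uniform(username: str, password: str):
    """After: same status, same message, same work on every failure.

    Unknown usernames are verified against the dummy record, and the digest
    comparison is constant-time regardless of where the digests differ."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _derive(password, salt)
    matched = hmac.compare_digest(candidate, expected)
    # The extra membership check only guards the dummy record; it is a cheap
    # dict lookup and does not depend on the password.
    if matched and username in USERS:
        return 200, "ok"
    return 401, "invalid username or password"


def responses_indistinguishable(handler) -> bool:
    """Review check: do 'known user, bad password' and 'unknown user'
    produce byte-identical (status, message) responses?"""
    known_bad = handler("alice", "not-the-password")
    unknown = handler("no-such-user", "not-the-password")
    return known_bad == unknown


if __name__ == "__main__":
    print("leaky handler uniform?  ", responses_indistinguishable(authenticate_leaky))
    print("hardened handler uniform?", responses_indistinguishable(authenticate_uniform))
```

Equalizing the work per request matters as much as equalizing the message: a handler that returns a generic error but skips the hash for unknown users still leaks through timing. In a real deployment this pattern complements, rather than replaces, the vendor update and the workaround listed below.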
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (5)
5 with fix
Product                  Affected Versions   Fix Status
Mendix Runtime V8        < 8.18.33           8.18.33
Mendix Runtime V9        < 9.24.31           9.24.31
Mendix Runtime V10       < 10.17.0           10.17.0
Mendix Runtime V10.6     < 10.6.19           10.6.19
Mendix Runtime V10.12    < 10.12.11          10.12.11
Remediation & Mitigation
Do now
WORKAROUND: Disable basic authentication and implement an alternative authentication method such as SAML, MendixSSO, or integration with an external identity provider (LDAP, Active Directory, etc.)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Runtime V8
HOTFIX: Update Mendix Runtime V8 instances to a patched version when available from Siemens; currently no fix exists, so prioritize migration to V9 or later if operationally feasible
Mendix Runtime V9
HOTFIX: Update Mendix Runtime V9 to version 9.24.26 or later
Mendix Runtime V10
HOTFIX: Update Mendix Runtime V10 to version 10.14.0 or later
HOTFIX: Update Mendix Runtime V10.6 to version 10.6.12 or later
HOTFIX: Update Mendix Runtime V10.12 to version 10.12.2 or later
Long-term hardening
HARDENING: Restrict network access to the Mendix Runtime authentication endpoints using firewall rules; ensure they are not accessible from untrusted networks or the internet