Siemens Industrial Products

Priority: Act Now | CVSS 8.1 | ICS-CERT ICSA-24-256-15 | Sep 10, 2024
Vendor: Siemens | Sector: Manufacturing
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: High
  • User Interaction: None needed
Summary

An OpenSSH race condition vulnerability (regreSSHion) in multiple Siemens industrial products allows an unauthenticated remote attacker to bypass authentication and execute commands with root privileges. Affected products include SINAMICS IIoT module, SINEMA Remote Connect Server, SINUMERIK ONE CNC control systems, and Industrial Edge Management OS. The vulnerability can be triggered on SINUMERIK interfaces if the SSH port is exposed. High CVSS score of 8.1 reflects the ability to achieve code execution with full system compromise. Industrial Edge Management OS has no patch planned by Siemens.

What this means
What could happen
An unauthenticated attacker on the network could exploit a race condition in OpenSSH to gain root access and run arbitrary commands on affected Siemens industrial devices, potentially altering process control, disabling safety systems, or stopping production.
Who's at risk
Manufacturing facilities running Siemens industrial automation equipment should prioritize this vulnerability. Affected devices include SINEMA Remote Connect Server (used for remote access to industrial sites), SINUMERIK ONE CNC/machine control systems, SINAMICS IIoT modules for motor and power control, and Industrial Edge Management OS-based edge computing devices. Any facility with SSH-enabled access to these devices is at risk.
How it could be exploited
The attacker sends crafted SSH packets to the default SSH port (22/tcp) on a vulnerable device. The race condition in OpenSSH lets the attacker bypass authentication without supplying any credentials, granting root-level command execution directly on the industrial device.
Prerequisites
  • Network access to SSH port 22/tcp (or custom SSH port if changed)
  • SSH service must be enabled and reachable from the attacker's network location
  • Device must be running a vulnerable version of OpenSSH
Tags: remotely exploitable | no authentication required | high EPSS score (46.7%) | affects native industrial control systems | no patch available for IEM-OS
Exploitability
Likely to be exploited — EPSS score 48.1%
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (4)
3 with fix, 1 EOL

Product | Affected Versions | Fix Status
SINAMICS IIoT module | < V1.0 HF1 | 1.0 HF1
SINEMA Remote Connect Server | < V3.2 SP2 | 3.2 SP2
SINUMERIK ONE | < V6.24 | 6.24
Industrial Edge Management OS (IEM-OS) | All versions | No fix (EOL)
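The table above is easiest to act on when it is run against an asset inventory. The following script is an added example (not part of the advisory or any Siemens tooling): it transcribes the fix table, parses Siemens-style version strings, and sorts inventory entries into "patch", "eol" (compensating controls only) and "ok". The ordering rule for SP and HF suffixes and the sample inventory are assumptions, not data from the advisory.

```python
import re

# Fixed versions transcribed from the advisory's table; None = no vendor fix (EOL).
FIX_TABLE = {
    "SINAMICS IIoT module": "V1.0 HF1",
    "SINEMA Remote Connect Server": "V3.2 SP2",
    "SINUMERIK ONE": "V6.24",
    "Industrial Edge Management OS (IEM-OS)": None,
}

# Accepts forms like "V6.24", "V3.2 SP2", "V1.0 HF1", "V3.2 SP2 HF1".
_VER = re.compile(r"^V?\s*(\d+(?:\.\d+)*)(?:\s*SP\s*(\d+))?(?:\s*HF\s*(\d+))?$", re.I)

def version_key(s):
    """Map a Siemens-style version string to a comparable tuple.
    Assumption (not stated in the advisory): numeric release parts sort first,
    then the service pack (SP) number, then the hotfix (HF) number; a missing
    SP or HF counts as 0, so "V3.2" < "V3.2 SP1" < "V3.2 SP2 HF1"."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return (nums, int(m.group(2) or 0), int(m.group(3) or 0))

def assess(product, installed):
    """Return 'eol', 'patch' or 'ok' for one inventory entry."""
    if product not in FIX_TABLE:
        raise KeyError(f"product not covered by this advisory: {product}")
    fixed = FIX_TABLE[product]
    if fixed is None:
        return "eol"  # no fix will ship: isolate, restrict or disable SSH instead
    return "patch" if version_key(installed) < version_key(fixed) else "ok"

def triage(inventory):
    """Group (hostname, product, version) entries by the action they need."""
    out = {"patch": [], "eol": [], "ok": []}
    for host, product, version in inventory:
        out[assess(product, version)].append(host)
    return out

# Constructed sample inventory for demonstration; these are not real assets.
SAMPLE_INVENTORY = [
    ("cnc-01", "SINUMERIK ONE", "V6.23"),
    ("cnc-02", "SINUMERIK ONE", "V6.24"),
    ("ra-gw-01", "SINEMA Remote Connect Server", "V3.2 SP1"),
    ("ra-gw-02", "SINEMA Remote Connect Server", "V3.2 SP2 HF1"),
    ("drive-07", "SINAMICS IIoT module", "V1.0"),
    ("edge-mgmt-01", "Industrial Edge Management OS (IEM-OS)", "V1.5"),
]

if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(hosts) or '-'}")
```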
Remediation & Mitigation
Do now
WORKAROUND: Disable the SSH service on Industrial Edge Management OS devices if remote shell access is not required
WORKAROUND: Restrict SSH access (port 22/tcp or the custom SSH port) to trusted engineering workstations and administrative networks only, using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SINEMA Remote Connect Server
HOTFIX: Update SINEMA Remote Connect Server to version 3.2 SP2 or later
SINUMERIK ONE
HOTFIX: Update SINUMERIK ONE to version 6.24 or later
SINAMICS IIoT module
HOTFIX: Update SINAMICS IIoT module to version 1.0 HF1 or later
Mitigations - no patch available
Industrial Edge Management OS (IEM-OS) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Change the SSH port from the default 22/tcp to a nonstandard port to reduce exposure to automated attacks
HARDENING: Isolate industrial device networks behind firewalls and segregate them from business/IT networks