OTPulse

Siemens Industrial Products

Priority: Act Now
CVSS: 8.1
Advisory: ICS-CERT ICSA-24-256-15
Published: Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

An OpenSSH vulnerability (regreSSHion, CVE-2024-6387) affects multiple Siemens industrial products: a signal-handler race condition in sshd allows unauthenticated remote code execution with root privileges. The vulnerability exists in Industrial Edge Management OS (all versions), SINAMICS IIoT module (versions before 1.0 HF1), SINEMA Remote Connect Server (versions before 3.2 SP2), and SINUMERIK ONE (versions before 6.24). On SINUMERIK it can be triggered on any interface (X120, X127, X130) on which the SSH port is open. Siemens has released fixes for three of the four products but states that no fix is planned for Industrial Edge Management OS. Siemens recommends disabling SSH where possible, restricting SSH access to trusted systems only, and moving SSH from the default 22/tcp to a nonstandard port.

What this means
What could happen
An unauthenticated attacker on the network could run commands as root on affected devices through an SSH race condition vulnerability, potentially stopping operations, altering process parameters, or disrupting remote access functionality on manufacturing equipment.
Who's at risk
Manufacturing facilities using Siemens industrial products should prioritize this vulnerability. Specifically affected are operators using Industrial Edge Management OS (any version, no patch available), SINUMERIK ONE (older versions), SINEMA Remote Connect Server (older versions used for remote diagnostics and management), and SINAMICS IIoT modules. Any facility where these devices have SSH exposure to untrusted networks is at risk.
How it could be exploited
The flaw is a signal-handler race in sshd, not a malformed packet. When a client connects but does not finish authenticating within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler calls functions that are not async-signal-safe, including syslog(), which in turn uses the heap allocator. An attacker who opens connections to the SSH port (default 22/tcp), leaves them unauthenticated, and times the final bytes so the alarm fires during a heap operation can corrupt the heap of the sshd process handling the connection, which still runs as root at that stage. With enough attempts this yields arbitrary command execution as root with no valid credentials. The public research that disclosed the bug needed many thousands of connection attempts over several hours on 32-bit glibc Linux, which is why the complexity is rated high; the attack is nevertheless fully remote and pre-authentication.
Prerequisites
  • Network access to SSH port on the affected device (default 22/tcp)
  • SSH service must be enabled on the device
  • High attack complexity—attacker must exploit a specific race condition timing window
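As an added example, not part of the OTPulse advisory or of any Siemens tooling, the following Python script shows how an OT team can triage the prerequisites above across an inventory: it reads the SSH identification banner from each host (sshd sends it before key exchange and before any authentication, so the probe never uses a login attempt) and classifies the reported OpenSSH version against the ranges from the public CVE-2024-6387 disclosure. The hosts, interface labels and banners in the sample data are constructed for this example, not real Siemens banners.

```python
import re
import socket
from typing import Dict, Iterable, Optional, Tuple

# Version ranges from the public regreSSHion (CVE-2024-6387) disclosure:
# OpenSSH 8.5p1 up to (not including) 9.8p1 reintroduced the signal-handler
# race; releases before 4.4p1 carried the original bug (CVE-2006-5051).
VULN_SINCE = (8, 5, 1)    # first affected portable release
FIXED_IN = (9, 8, 0)      # 9.8p1 and later are fixed
OLD_FIXED_IN = (4, 4, 1)  # anything older than 4.4p1 is also affected

# Server identification string, e.g. "SSH-2.0-OpenSSH_9.7p1 Ubuntu-7" (RFC 4253 section 4.2).
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_banner(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable_patch) for an OpenSSH banner, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(banner: Optional[str]) -> str:
    """Classify a host by its banner. 'unknown' means not OpenSSH or not
    parseable; that host needs a manual look rather than a green tick."""
    if banner is None:
        return "ssh-not-reachable"
    version = parse_banner(banner)
    if version is None:
        return "unknown"
    if version < OLD_FIXED_IN or VULN_SINCE <= version < FIXED_IN:
        return "vulnerable-by-version"
    return "not-affected-by-version"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> Optional[str]:
    """Read the server's identification line over a plain TCP connection.
    No key exchange or authentication is started, so LoginGraceTime is irrelevant."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(512)
    except OSError:
        return None
    for line in data.decode("ascii", errors="replace").splitlines():
        if line.startswith("SSH-"):  # RFC 4253 allows other lines before the ID string
            return line
    return None


def triage(banners: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each host to a classification, given banners already collected."""
    return {host: classify(banner) for host, banner in banners.items()}


def scan(hosts: Iterable[str], port: int = 22) -> Dict[str, str]:
    """Live variant: grab banners over the network, then classify."""
    return triage({h: grab_banner(h, port) for h in hosts})


# Constructed sample inventory standing in for an OT subnet; the addresses,
# labels and banners are invented for this example.
SAMPLE_BANNERS = {
    "10.10.1.5 (cnc-line1, X130)": "SSH-2.0-OpenSSH_9.7p1",
    "10.10.1.9 (edge-mgmt)":       "SSH-2.0-OpenSSH_8.9p1",
    "10.10.1.20 (remote-connect)": "SSH-2.0-OpenSSH_9.8p1",
    "10.10.1.31 (old-hmi)":        "SSH-2.0-OpenSSH_7.4",
    "10.10.1.40 (switch)":         "SSH-2.0-dropbear_2020.81",
    "10.10.1.50 (ssh-disabled)":   None,
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host:32} {verdict}")
```

Two caveats apply when reading the output. A version-only verdict is a triage signal, not proof: Linux distributions routinely backport security fixes without changing the version string, so a banner such as OpenSSH_9.2p1 can already be patched, and for the Siemens products in this advisory the authoritative check is the product version in the affected-products table, not the embedded OpenSSH version. The more reliable use of the script is the first prerequisite: any host that returns a banner has SSH reachable from wherever the scan ran, which is exactly the exposure the workarounds below are meant to remove.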
  • Remotely exploitable
  • No authentication required
  • High CVSS score (8.1)
  • High exploit probability (EPSS 57.6%)
  • Affects multiple industrial product lines
  • No patch available for Industrial Edge Management OS
Exploitability
High exploit probability (EPSS 57.6%)
Affected products (4): 3 with fix, 1 EOL

Product | Affected Versions | Fix Status
SINAMICS IIoT module | < V1.0 HF1 | Fixed in V1.0 HF1
SINEMA Remote Connect Server | < V3.2 SP2 | Fixed in V3.2 SP2
SINUMERIK ONE | < V6.24 | Fixed in V6.24
Industrial Edge Management OS (IEM-OS) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable the SSH service when it is not required for operations; a device with SSH off is not reachable by this attack at all.
WORKAROUND: Restrict SSH access (port 22/tcp) to trusted engineering workstations and administration systems only, using firewall rules that allow listed source addresses and drop everything else.
WORKAROUND: Change the SSH listening port from the default 22/tcp to a nonstandard port to reduce automated attack attempts. This only cuts noise from mass scanners; the vulnerability remains exploitable by anyone who finds the port, so it complements the previous two controls rather than replacing them.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SINEMA Remote Connect Server
HOTFIX: Update SINEMA Remote Connect Server to version 3.2 SP2 or later
SINUMERIK ONE
HOTFIX: Update SINUMERIK ONE to version 6.24 or later
SINAMICS IIoT module
HOTFIX: Update SINAMICS IIoT module to version 1.0 HF1 or later
Mitigations - no patch available
Industrial Edge Management OS (IEM-OS) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment industrial networks from business networks and restrict internet-facing exposure of all control system devices
HARDENING: Implement defense-in-depth strategies including network isolation, firewalls, and VPN access for remote administration