Siemens Mendix Runtime

Monitor | CVSS 5.3 | ICS-CERT ICSA-24-319-12 | Nov 12, 2024
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens Mendix Runtime contains a race condition in its basic authentication mechanism that allows an unauthenticated remote attacker to bypass account lockout. The lockout check and the recording of a failed attempt race each other, so an attacker who submits many guesses concurrently can have them all evaluated even after the lockout threshold has been reached, enabling credential brute-forcing against accounts that should be locked. A bypassed lockout does not by itself grant access; the attacker still has to guess a valid credential. Siemens has released fixes for Runtime V9, V10, V10.6, and V10.12. Runtime V8 will not be patched. As a workaround, disable basic authentication and use an alternative authentication method such as SAML or MendixSSO.

What this means
What could happen
An attacker could bypass account lockout protections on Mendix Runtime applications using basic authentication, potentially gaining unauthorized access to the application or its data by brute-forcing credentials without triggering account lockout.
Who's at risk
Organizations running Siemens Mendix Runtime applications, particularly those used for industrial monitoring, process data collection, or operational dashboards that rely on basic authentication for user access control. Affects Mendix Runtime V8 (all versions, no fix available), V9 (versions before 9.24.29), V10 (versions before 10.16.0), V10.6 (versions before 10.6.15), and V10.12 (versions before 10.12.7).
How it could be exploited
An attacker with network access submits many authentication attempts in parallel. Because the lockout check and the recording of a failed attempt race each other, requests that arrive while earlier failures are still being processed pass the threshold check and are evaluated, so credential guessing continues past the configured lockout limit. This requires the Mendix Runtime's login endpoint to be reachable from the attacker's network and basic authentication to be enabled.
Prerequisites
  • Network access to the Mendix Runtime application port
  • Basic authentication must be enabled on the Mendix Runtime instance
  • Ability to send multiple rapid HTTP requests to the authentication endpoint
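To make the failure mode concrete, the following is an added Python illustration of the bug class described above. It is generic example code, not Mendix's implementation or Siemens' fix: the class names, the threshold of 5, the simulated credential-check latency, and the constructed credential store are all assumptions. It places a lockout counter that checks the threshold and records the failure as two separate steps beside one that reserves the attempt atomically before the slow verification, then fires a burst of parallel wrong guesses at each.

```python
import threading
import time
from collections import Counter

# Assumed values for this illustration (not taken from Mendix).
LOCKOUT_THRESHOLD = 5
SLOW_CHECK_SECONDS = 0.05   # simulated password-hash / database latency


class RacyLockout:
    """Vulnerable pattern: read the failure count, decide, verify the
    password, and only then record the failure. Every request that reads
    the counter before any other request has written it passes the check,
    so concurrent guesses are all evaluated regardless of the threshold."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.failures = {}
        self.threshold = threshold

    def attempt(self, user, password, verify):
        if self.failures.get(user, 0) >= self.threshold:     # time of check
            return "locked"
        time.sleep(SLOW_CHECK_SECONDS)                        # race window
        if verify(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1  # time of use
        return "bad"


class AtomicLockout:
    """Hardened pattern: under a lock, reject if the account is locked and
    otherwise reserve the attempt by incrementing the counter BEFORE the
    slow verification. The threshold then bounds evaluated guesses even
    when requests arrive simultaneously; a success resets the counter."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.failures = {}
        self.threshold = threshold
        self._lock = threading.Lock()

    def attempt(self, user, password, verify):
        with self._lock:
            n = self.failures.get(user, 0)
            if n >= self.threshold:
                return "locked"
            self.failures[user] = n + 1        # slot reserved atomically
        time.sleep(SLOW_CHECK_SECONDS)
        if verify(user, password):
            with self._lock:
                self.failures[user] = 0
            return "ok"
        return "bad"


def verify_demo(user, password):
    """Constructed credential store: a single account with a fixed password."""
    return user == "alice" and password == "correct-horse"


def run_burst(lockout, user, guesses, verify=verify_demo):
    """Fire every guess from its own thread, released together by a barrier
    to model an attacker's parallel requests. Returns a Counter of outcomes:
    'bad' means the guess was evaluated, 'locked' means it was rejected."""
    results = []
    results_lock = threading.Lock()
    release = threading.Barrier(len(guesses))

    def worker(pw):
        release.wait()
        outcome = lockout.attempt(user, pw, verify)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker, args=(g,)) for g in guesses]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(results)


if __name__ == "__main__":
    wrong = [f"guess-{i}" for i in range(20)]
    print("racy  :", dict(run_burst(RacyLockout(), "alice", wrong)))
    print("atomic:", dict(run_burst(AtomicLockout(), "alice", wrong)))
```

With 20 simultaneous wrong guesses the racy counter evaluates all 20 (none are reported as locked), while the atomic counter evaluates exactly 5 and rejects the remaining 15. The point that carries over to any login implementation, whatever the actual fix in Mendix looks like, is that the attempt must be counted before the slow credential check, inside the same critical section as the lockout decision, rather than after it.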
Tags: race condition in authentication; remotely exploitable; no authentication required for attack; affects account lockout protection; default basic authentication
Exploitability
Unlikely to be exploited — EPSS score 0.6%
Affected products (5): 4 with fix, 1 EOL

Product                 Affected versions   Fix status
Mendix Runtime V9       < 9.24.29           Fixed in 9.24.29
Mendix Runtime V10      < 10.16.0           Fixed in 10.16.0
Mendix Runtime V10.6    < 10.6.15           Fixed in 10.6.15
Mendix Runtime V10.12   < 10.12.7           Fixed in 10.12.7
Mendix Runtime V8       All versions        No fix (EOL)
Remediation & Mitigation
Do now
Workaround: Disable basic authentication and configure SAML, MendixSSO, or a custom identity provider instead. This is the only option for Runtime V8, which receives no fix; before disabling it, confirm that no integrations or API clients still authenticate with basic credentials.
Hardening: Restrict network access to the Mendix Runtime application port to trusted networks only, using firewall rules. This limits who can reach the login endpoint but does not remove the race condition.
Schedule — requires maintenance window

Updating the runtime means redeploying the application on the new version, which restarts it; plan for the interruption.

Mendix Runtime V9
Hotfix: Update Mendix Runtime V9 to version 9.24.29 or later
Mendix Runtime V10
Hotfix: Update Mendix Runtime V10 to version 10.16.0 or later
Hotfix: Update Mendix Runtime V10.6 to version 10.6.15 or later
Hotfix: Update Mendix Runtime V10.12 to version 10.12.7 or later


Siemens Mendix Runtime | CVSS 5.3 - OTPulse