OTPulse

Siemens Mendix Runtime

Severity: Monitor (score 5.3) · Source: ICS-CERT ICSA-24-319-12 · Published: Nov 12, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The basic authentication mechanism in Mendix Runtime contains a race condition that lets an unauthenticated remote attacker circumvent the default account lockout. Multiple release lines are affected (V8, V9, V10, V10.6 and V10.12). Siemens has released fixed versions for V9 and the V10 lines; V8 is end of life and will not be patched.

What this means
What could happen
An attacker could bypass the account lockout protection and repeatedly attempt to guess passwords on Mendix Runtime applications, potentially gaining unauthorized access to systems that control business or operational processes.
Who's at risk
Organizations running Mendix Runtime applications with basic authentication enabled are affected, particularly in manufacturing, utilities and other operational technology environments. Vulnerable versions are V8 (all versions, no fix available), V9 below 9.24.29, V10 below 10.16.0, V10.6 below 10.6.15 and V10.12 below 10.12.7.
How it could be exploited
An attacker with network access to the Mendix Runtime service triggers the race by sending authentication requests concurrently rather than one after another. Account lockout works by counting failed attempts and refusing further attempts once a threshold is reached; in a race of this kind the lockout check and the update of the failure counter are not performed as a single atomic step, so requests that arrive inside that timing gap all pass the check before any failure has been recorded. The lockout that would normally engage after a few failures never does, and the attacker can keep guessing passwords without limit.
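To make the mechanism concrete, here is an added illustration of the vulnerability class in Python. It is not Mendix Runtime code and makes no claim about how Mendix implements its basic-authentication handler; the lockout threshold, the demo credential and the request interleaving are constructed for the demonstration. The first lockout separates the check from the bookkeeping and only holds when requests are serialized; the second reserves an attempt slot atomically and holds under any interleaving.

```python
"""Check-then-record lockout race, shown against an atomic alternative.

Added illustration of the vulnerability class in this advisory. This is not
Mendix Runtime code and says nothing about how its basic-authentication
handler is actually implemented; the threshold, the demo credential and the
request interleaving below are all constructed for the demonstration.
"""
from concurrent.futures import ThreadPoolExecutor
from threading import Lock

LOCKOUT_THRESHOLD = 5         # constructed: failed attempts before lockout engages
CORRECT_PASSWORD = "s3cret!"  # constructed: the demo account's real password


class VulnerableLockout:
    """Lockout check and failure bookkeeping are two separate, non-atomic steps.

    Every request that runs is_locked() before concurrent failures have been
    recorded is admitted to password verification, so the threshold only holds
    when requests arrive strictly one after another.
    """

    def __init__(self):
        self.failures = 0

    def is_locked(self):
        return self.failures >= LOCKOUT_THRESHOLD

    def record_failure(self):
        self.failures += 1


class HardenedLockout:
    """One atomic step both counts the attempt and decides whether it may proceed.

    The counter is incremented under the lock before the decision is returned,
    so at most LOCKOUT_THRESHOLD attempts ever reach verification, however the
    requests interleave.
    """

    def __init__(self):
        self.attempts = 0
        self._lock = Lock()

    def reserve_attempt(self):
        with self._lock:
            if self.attempts >= LOCKOUT_THRESHOLD:
                return False
            self.attempts += 1
            return True


def verified_sequential(guesses):
    """Guesses that reach verification when requests are serialized (how lockout is usually tested)."""
    lockout = VulnerableLockout()
    verified = 0
    for g in guesses:
        if lockout.is_locked():
            break                        # lockout engages after LOCKOUT_THRESHOLD failures
        verified += 1                    # the guess is compared against the password
        if g != CORRECT_PASSWORD:
            lockout.record_failure()
    return verified


def verified_racing(guesses):
    """Worst-case interleaving of the same requests, modelled deterministically."""
    lockout = VulnerableLockout()
    # Phase 1: every concurrent request evaluates the lockout check while the
    # failure counter is still 0, so every one of them is admitted.
    admitted = [g for g in guesses if not lockout.is_locked()]
    # Phase 2: each admitted request verifies its guess, then records the failure.
    verified = 0
    for g in admitted:
        verified += 1
        if g != CORRECT_PASSWORD:
            lockout.record_failure()
    return verified


def verified_hardened(guesses):
    """The same flood against HardenedLockout, using real threads this time."""
    lockout = HardenedLockout()
    with ThreadPoolExecutor(max_workers=16) as pool:
        admitted = list(pool.map(lambda _guess: lockout.reserve_attempt(), guesses))
    return sum(admitted)                 # number of requests that got an attempt slot


if __name__ == "__main__":
    flood = ["wrong-password"] * 50
    print("sequential, vulnerable lockout:", verified_sequential(flood))
    print("concurrent, vulnerable lockout:", verified_racing(flood))
    print("concurrent, hardened lockout:  ", verified_hardened(flood))
```

The three counts come out as 5, 50 and 5: the same lockout that stops a sequential attacker after five guesses admits all fifty concurrent ones, while the atomic version admits exactly five however the threads are scheduled. The fix pattern is the one to look for when reviewing any lockout or rate-limit code: count first, decide second, both under one lock or one atomic database update.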
Prerequisites
  • Network access to the Mendix Runtime service port (typically HTTP/HTTPS)
  • Mendix Runtime configured to use basic authentication
  • No compensating control in front of the runtime, such as a reverse proxy enforcing rate limits or an additional authentication layer
Tags: remotely exploitable · no authentication required · low complexity · affects multiple versions · V8 has no patch available
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (5)
4 with fix, 1 EOL

Product                 Affected Versions   Fix Status
Mendix Runtime V9       < 9.24.29           Fixed in 9.24.29
Mendix Runtime V10      < 10.16.0           Fixed in 10.16.0
Mendix Runtime V10.6    < 10.6.15           Fixed in 10.6.15
Mendix Runtime V10.12   < 10.12.7           Fixed in 10.12.7
Mendix Runtime V8       All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Replace basic authentication with SAML, MendixSSO, or a custom Identity Provider (IdP) integration
HARDENING: Restrict network access to the Mendix Runtime service to authorized users only, using firewall rules or network segmentation
Schedule — requires maintenance window

Updating the runtime means redeploying and restarting the application on the new runtime version; plan for a service interruption.

Mendix Runtime V9
HOTFIX: Update Mendix Runtime V9 to version 9.24.29 or later
Mendix Runtime V10
HOTFIX: Update Mendix Runtime V10 to version 10.16.0 or later
HOTFIX: Update Mendix Runtime V10.6 to version 10.6.15 or later
HOTFIX: Update Mendix Runtime V10.12 to version 10.12.7 or later
Mitigations - no patch available
Mendix Runtime V8 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate Mendix Runtime systems from the Internet and untrusted networks
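Network segmentation limits who can reach the service but does not show whether someone is exploiting the race. As an added compensating control for systems that cannot be patched (not part of the advisory and not Mendix code), the following Python checks reverse-proxy access logs for the signature of concurrent guessing: a burst of 401 responses from one client far larger than any lockout threshold and packed into a second or two. It assumes a proxy writing Apache/nginx combined-format access logs in front of the application and that a rejected basic-authentication attempt is answered with HTTP 401; the log lines, client addresses, endpoint path and thresholds are constructed.

```python
"""Detect lockout-bypass style credential flooding in reverse-proxy access logs.

Added example, not from the advisory or from Siemens/Mendix. It assumes the
Mendix application sits behind a reverse proxy that writes Apache/nginx
"combined" format access logs, and that a rejected basic-authentication
attempt is answered with HTTP 401 (the normal behaviour for basic auth).
The log lines, client addresses, endpoint path and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, timestamp, path and status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bursts(lines, threshold=10, window_s=2.0):
    """Flag clients that produce >= threshold 401 responses inside any window_s-second span.

    A lockout that works forces an attacker to spread attempts out. A burst of
    rejected attempts much larger than the lockout threshold, packed into a second
    or two, is the signature of concurrent guessing against a bypassable lockout.
    """
    rejected = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] == 401:
            rejected[ev["ip"]].append(ev["ts"])

    alerts = []
    for ip, times in rejected.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[left]).total_seconds() > window_s:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts.append({"ip": ip, "peak_401s_in_window": peak, "total_401s": len(times)})
    return alerts


# Constructed sample: one client probing slowly, one flooding 12 requests in about a second.
SAMPLE_LOG = [
    '198.51.100.2 - - [12/Nov/2024:11:58:01 +0000] "GET /rest/orders/v1/ HTTP/1.1" 401 0 "-" "curl/8.4.0"',
    '198.51.100.2 - - [12/Nov/2024:11:59:20 +0000] "GET /rest/orders/v1/ HTTP/1.1" 401 0 "-" "curl/8.4.0"',
    '198.51.100.2 - - [12/Nov/2024:12:00:05 +0000] "GET /rest/orders/v1/ HTTP/1.1" 200 512 "-" "curl/8.4.0"',
] + [
    f'203.0.113.7 - - [12/Nov/2024:12:00:0{sec} +0000] "GET /rest/orders/v1/ HTTP/1.1" 401 0 "-" "python-requests/2.32"'
    for sec in (0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1)
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Only the flooding client is reported; the slow prober stays below the threshold because its two rejections are more than a minute apart. Tune `threshold` to a multiple of the application's real lockout limit so that legitimate mistyped passwords never trip it, and feed the alert into whatever blocks or rate-limits the source at the proxy.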