Siemens COMOS
Monitor
CVSS base score: 5.5
ICS-CERT ICSA-24-347-08
Dec 10, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
COMOS versions V10.3 through V10.4.4.1 are affected by XML External Entity (XXE) injection vulnerabilities in configuration and mapping file parsing: the parsers resolve external entities declared in a file's DTD, so an entity whose SYSTEM identifier points at a local path pulls that file's contents into the parsed document. These vulnerabilities allow an attacker to extract arbitrary files from the local system when a user opens a specially crafted XML configuration or mapping file. They are not remotely exploitable; exploitation requires local access to the engineering workstation or the ability to deliver a malicious file to it. Siemens has released patches for V10.3, V10.4.3, V10.4.4, and V10.4.4.1, but no fix is planned for V10.4.0, V10.4.1, and V10.4.2.
What this means
What could happen
An attacker with local access to a Siemens COMOS workstation could exploit XXE injection vulnerabilities in configuration and mapping files to extract arbitrary files from the system, potentially exposing sensitive plant documentation, configurations, or credentials stored on the engineering workstation.
Who's at risk
Siemens COMOS users, particularly engineering and process control personnel, should assess their deployed COMOS versions. Organizations using COMOS for chemical processes, manufacturing, utilities, or other critical infrastructure applications are affected if they have V10.3, V10.4.0, V10.4.1, V10.4.2, V10.4.3, V10.4.4, or V10.4.4.1 installations. V10.4.0–V10.4.2 have no fix planned and require workarounds.
How it could be exploited
An attacker must get a COMOS user to open a malicious XML configuration or mapping file in the application. When COMOS processes the file, the XML parser resolves the external entity and reads the referenced file from the local workstation filesystem into the document, so any local file readable by the COMOS user becomes readable to the attacker. This requires user interaction (opening the file) and local or network access to deliver the malicious file.
Prerequisites
- Local access to the Siemens COMOS workstation or ability to deliver a malicious file to it
- User interaction required: an authorized user must open the malicious XML file within COMOS
- Attacker can craft malicious configuration or mapping files containing XXE payloads
- No authentication required (any local user who can open the file)
- User interaction required (reduces but does not eliminate risk)
- No patch available for V10.4.0, V10.4.1, V10.4.2
- Information disclosure (arbitrary file read from the workstation)
- Low attack complexity
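To make the file-read mechanism concrete, here is an added Python example; it is not code from this page, from Siemens, or from COMOS (a .NET application whose parser is not shown here), and the `mapping`/`note` element names, the secret file contents, and the `build_malicious_mapping`, `parse_mapping`, `has_dtd` and `demo` helpers are all invented for the demonstration. It builds a crafted "mapping file" whose DOCTYPE declares an external entity pointing at a local file, parses it once with external entity resolution enabled (the behaviour the advisory describes) and once with it disabled, and shows a pre-screening check that flags files carrying DOCTYPE/ENTITY declarations before anyone opens them.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive file on the engineering workstation
# (not a real COMOS artefact).
SECRET_CONTENT = "db_user=comos_svc\ndb_password=hunter2\n"


def build_malicious_mapping(secret_path: str) -> bytes:
    """Crafted XML 'mapping file' whose DTD declares an external general entity
    whose SYSTEM identifier is a local path. The element names are invented for
    this example; the real COMOS mapping schema is not reproduced here. The
    entity is referenced in element content only: XML forbids external entity
    references inside attribute values, so a parser would reject that form."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE mapping [\n"
        f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
        "]>\n"
        "<mapping>\n"
        '  <field source="TAG" target="Description"/>\n'
        "  <note>&xxe;</note>\n"
        "</mapping>\n"
    ).encode()


class TextCollector(ContentHandler):
    """Collect character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_mapping(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse with xml.sax (expat). With resolve_external_entities=True the
    parser behaves like the vulnerable parsers described in the advisory and
    reads the SYSTEM entity target from disk into the document; with False
    (the hardened setting, and xml.sax's default since Python 3.7.1) the
    reference expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(xml_bytes: bytes) -> bool:
    """Pre-screening check backing the 'do not use untrusted files' workaround:
    a legitimate configuration or mapping file has no reason to carry a DOCTYPE
    or ENTITY declaration, so their presence is grounds to quarantine the file
    before it is opened in the application."""
    return DTD_MARKERS.search(xml_bytes) is not None


def demo() -> dict:
    """Write the constructed secret to a temp dir, craft a file that targets it,
    and compare what the vulnerable and hardened parsers expose."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write(SECRET_CONTENT)
        crafted = build_malicious_mapping(secret_path)
        return {
            "flagged": has_dtd(crafted),
            "vulnerable_text": parse_mapping(crafted, resolve_external_entities=True),
            "hardened_text": parse_mapping(crafted, resolve_external_entities=False),
        }


if __name__ == "__main__":
    result = demo()
    print("pre-screen flagged file:", result["flagged"])
    print("vulnerable parser saw:", repr(result["vulnerable_text"]))
    print("hardened parser saw:", repr(result["hardened_text"]))
```

The vulnerable parse returns the secret file's contents as ordinary character data of the `note` element, which is exactly the data an application would then display, store or export; the hardened parse returns only whitespace. In a .NET application the equivalent hardening is an `XmlReaderSettings` with `DtdProcessing = DtdProcessing.Prohibit` and a null `XmlResolver`; whether COMOS does this after the hotfixes is not stated on this page.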
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
4 with fix, 3 EOL (no fix planned)
Product | Affected Versions | Fix Status
COMOS V10.3 | < V10.3.3.5.8 | Fixed in V10.3.3.5.8
COMOS V10.4.0 | All versions | No fix (EOL)
COMOS V10.4.1 | All versions | No fix (EOL)
COMOS V10.4.2 | All versions | No fix (EOL)
COMOS V10.4.3 | < V10.4.3.0.47 | Fixed in V10.4.3.0.47
COMOS V10.4.4 | < V10.4.4.2 | Fixed in V10.4.4.2
COMOS V10.4.4.1 | < V10.4.4.1.21 | Fixed in V10.4.4.1.21
Remediation & Mitigation
Do now
WORKAROUND: For V10.4.0, V10.4.1, and V10.4.2 (no fix available): restrict write access to configuration and mapping files to authorized administrators only; do not rely on read-only file properties, which a local user can simply clear.
WORKAROUND: Do not use untrusted configuration and mapping files; implement file access controls so that only authorized users can modify these files.
Schedule — requires maintenance window
Patching may require a workstation reboot; plan for process interruption.
COMOS V10.3
HOTFIX: Update COMOS V10.3 to version 10.3.3.5.8 or later (request patch from Siemens customer support)
COMOS V10.4.3
HOTFIX: Update COMOS V10.4.3 to version 10.4.3.0.47 or later (request patch from Siemens customer support)
COMOS V10.4.4
HOTFIX: Update COMOS V10.4.4 to version 10.4.4.2 or later
COMOS V10.4.4.1
HOTFIX: Update COMOS V10.4.4.1 to version 10.4.4.1.21 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: COMOS V10.4.0, COMOS V10.4.1, COMOS V10.4.2. Apply the following compensating controls:
HARDENING: Restrict administrative access to COMOS workstations and limit who can modify the configuration and mapping files that COMOS parses
HARDENING: Place COMOS workstations behind firewalls and isolate the engineering network from the business network
HARDENING: Implement network segmentation so COMOS systems are not accessible from the internet or untrusted networks. Segmentation narrows the paths by which a crafted file can reach a workstation, but the attack vector is local and needs only a user to open the file, so the file-access controls above matter at least as much.
CVEs (2)