Siemens COMOS

Monitor | CVSS 5.5 | ICS-CERT ICSA-24-347-08 | Dec 10, 2024
Vendor: Siemens
Attack path
  • Attack Vector: Local
  • Auth Required: None
  • Complexity: Low
  • User Interaction: Required
Summary

COMOS contains XML External Entity (XXE) injection vulnerabilities in configuration and mapping file handling (CVE-2024-49704 and CVE-2024-54005) that could allow an attacker with local access or write permissions to extract arbitrary application files from the system. The vulnerabilities require the attacker to place a malicious configuration or mapping file, which is then processed by the application. Setting file permissions to read-only is not sufficient mitigation.

What this means
What could happen
An attacker with write access to COMOS configuration files could extract sensitive information like credentials or system configuration data by injecting malicious XML, potentially compromising the engineering environment or downstream control systems. This is a local/file-based attack and does not directly impact field operations.
Who's at risk
Engineering teams and system administrators running COMOS (Siemens process control configuration and digital twin software) in any version 10.3–10.4.4.1 should prioritize patching or implementing access controls. This affects water and wastewater treatment plants, power generation facilities, oil and gas processing, and manufacturing plants that use COMOS for design, simulation, and operational documentation.
How it could be exploited
An attacker with write access to COMOS configuration or network configuration files injects a malicious XML entity that causes the application to read and exfiltrate arbitrary files from the server when the configuration is loaded. This requires either local system access or the ability to modify shared configuration repositories.
Prerequisites
  • Write access to COMOS configuration files or network configuration files (local or network share)
  • User or administrator account that loads the malicious configuration file
  • Knowledge of file system layout to target sensitive files
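As an added defender-side check (not code from Siemens or the COMOS product), the Python script below audits XML configuration and mapping files for the DTD constructs the attack path above depends on: external entity declarations and external DTD references, which no application configuration file should carry. The advisory does not document COMOS file formats or locations, so the sample contents and the file globs are assumptions.

```python
"""Audit XML configuration/mapping files for DTD constructs that application
configuration should never carry. Constructed example, not COMOS code: the
advisory does not document COMOS file formats or paths, so the sample
contents and the *.xml/*.config globs below are assumptions."""
import re
from pathlib import Path

# A DOCTYPE declaration with its optional bracketed internal subset.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>", re.S | re.I)
# An entity declaration in the internal subset; '%' marks a parameter entity.
ENTITY_RE = re.compile(r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>\S+)\s+(?P<body>[^>]*)>", re.I)
EXTERNAL_RE = re.compile(r"\b(SYSTEM|PUBLIC)\b", re.I)


def find_entity_risks(xml_text: str) -> list[str]:
    """Return one finding per risky DTD construct; an empty list means clean."""
    findings = []
    for dt in DOCTYPE_RE.finditer(xml_text):
        head = dt.group(0).split("[", 1)[0]  # DOCTYPE text before the internal subset
        if EXTERNAL_RE.search(head):
            findings.append("external DTD referenced in DOCTYPE")
        for ent in ENTITY_RE.finditer(dt.group("subset") or ""):
            kind = "parameter" if ent.group("param") else "general"
            if EXTERNAL_RE.search(ent.group("body")):
                findings.append(f"external {kind} entity '{ent.group('name')}'")
            elif kind == "parameter":
                findings.append(f"internal parameter entity '{ent.group('name')}'")
    return findings


def scan_config_dir(root: Path, globs=("*.xml", "*.config")) -> dict[str, list[str]]:
    """Walk a configuration tree; map each file that has findings to them."""
    results: dict[str, list[str]] = {}
    for pattern in globs:
        for path in root.rglob(pattern):
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip it and keep auditing
            if found := find_entity_risks(text):
                results[str(path)] = found
    return results


# Constructed samples: a clean mapping file and one declaring an external entity.
CLEAN = '<?xml version="1.0"?><mapping><field src="a" dst="b"/></mapping>'
SUSPECT = ('<?xml version="1.0"?>\n<!DOCTYPE mapping [\n'
           '  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">\n]>\n'
           '<mapping><field src="&ext;" dst="b"/></mapping>')
```

Run `scan_config_dir(Path(r"C:\PLACEHOLDER\comos-config"))` against the configuration share on a schedule and alert on any non-empty result; a finding is also a good trigger to review who has write access to that file.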
Tags: local exploitation required; requires write access to files; affects multiple COMOS versions; some versions have no fix planned
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (7)
4 with fix, 3 EOL
Product           Affected versions   Fix status
COMOS V10.4.1     All versions        No fix (EOL)
COMOS V10.3       < V10.3.3.5.8       Fixed in 10.3.3.5.8
COMOS V10.4.3     < V10.4.3.0.47      Fixed in 10.4.3.0.47
COMOS V10.4.4     < V10.4.4.2         Fixed in 10.4.4.2
COMOS V10.4.4.1   < V10.4.4.1.21      Fixed in 10.4.4.1.21
COMOS V10.4.0     All versions        No fix (EOL)
COMOS V10.4.2     All versions        No fix (EOL)
Remediation & Mitigation
Do now
COMOS V10.4.0
HARDENING: For COMOS V10.4.0, V10.4.1, and V10.4.2 (no fix planned): implement file-level access controls using operating system permissions to ensure only authorized administrators can write to COMOS configuration and network configuration files; do not rely on read-only file properties
All products
HARDENING: Restrict write access to configuration and mapping files to authorized engineering and administrator accounts only; audit who has write permissions regularly
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

COMOS V10.3
HOTFIX: Update COMOS V10.3 to version 10.3.3.5.8 or later (request patch from Siemens customer support)
COMOS V10.4.3
HOTFIX: Update COMOS V10.4.3 to version 10.4.3.0.47 or later (request patch from Siemens customer support)
COMOS V10.4.4
HOTFIX: Update COMOS V10.4.4 to version 10.4.4.2 or later
HOTFIX: Update COMOS V10.4.4.1 to version 10.4.4.1.21 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: COMOS V10.4.1, COMOS V10.4.0, COMOS V10.4.2. Apply the following compensating controls:
HARDENING: Isolate COMOS systems from the business network and ensure they are not accessible from the internet; require VPN or direct console access for remote engineering work