Heap-based Buffer Overflow Vulnerability in User Management Component (UMC)
Act Now | CVSS 9.8 | SSA-039007 | Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens User Management Component (UMC) contains a heap-based buffer overflow vulnerability in multiple products that allows unauthenticated remote attackers to execute arbitrary code. Affected products include TIA Portal V16–V19, SIMATIC PCS neo V4.0–V5.0, Opcenter Quality and RDnL, SINEMA Remote Connect Client, and SINEC NMS. Siemens has released patches for most products but has no fix planned for TIA Portal V16, SIMATIC PCS neo V4.0, and SINEC NMS (all versions). The vulnerability requires only network access and no authentication to exploit.
What this means
What could happen
An attacker could run arbitrary code on engineering workstations and servers running Siemens automation software, potentially modifying PLC programs, altering process setpoints, or disrupting plant operations.
Who's at risk
Engineering teams and plant IT staff using Siemens automation software should prioritize this. Affected products include TIA Portal (engineering workstations), SIMATIC PCS neo (manufacturing control systems), Opcenter Quality and RDnL (production quality and logistics systems), SINEMA Remote Connect Client (remote engineering access), and SINEC NMS (network management). Any facility using these tools for PLC programming, system configuration, or remote engineering access is at risk.
How it could be exploited
An unauthenticated attacker with network access to a device running affected Siemens software (TIA Portal, SIMATIC PCS neo, Opcenter, SINEMA Remote Connect Client, or SINEC NMS) can send a specially crafted network request to the User Management Component to trigger a heap buffer overflow and execute arbitrary code.
Prerequisites
- Network access to the affected Siemens application port
- No authentication required
- Affected product version must be installed and running
- Remotely exploitable
- No authentication required
- Low complexity attack
- Critical severity (CVSS 9.8)
- Affects engineering workstations and control systems
- Multiple affected products with no fix available (TIA Portal V16, SIMATIC PCS neo V4.0, SINEC NMS)
Exploitability
Moderate exploit probability (EPSS 3.3%)
Affected products (11)
8 with fix, 3 EOL
Product | Affected Versions | Fix Status
Opcenter Quality | < 2406 | 2406
Opcenter RDnL | < 2410 | 2410
SIMATIC PCS neo V4.1 | All versions < V4.1 Update 2 | 4.1 Update 2
SIMATIC PCS neo V5.0 | All versions < V5.0 Update 1 | 5.0 Update 1
SINEMA Remote Connect Client | All versions < V3.2 SP3 | 3.2 SP3
Totally Integrated Automation Portal (TIA Portal) V17 | All versions < V17 Update 8 | 17 Update 8
Totally Integrated Automation Portal (TIA Portal) V18 | All versions < V18 Update 5 | 18 Update 5
Totally Integrated Automation Portal (TIA Portal) V19 | All versions < V19 Update 3 | 19 Update 3
Remediation & Mitigation
Do now
Totally Integrated Automation Portal (TIA Portal) V17
HARDENING: Isolate engineering workstations and servers running TIA Portal V16, SIMATIC PCS neo V4.0, and SINEC NMS on a dedicated network segment with restricted external access until patches are available.
All products
HARDENING: Restrict network access to User Management Component ports on affected devices using firewall rules to limit connections to trusted engineering networks only.
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
Totally Integrated Automation Portal (TIA Portal) V17
HOTFIX: Update TIA Portal V17 to Update 8 or later
HOTFIX: Update TIA Portal V18 to Update 5 or later
HOTFIX: Update TIA Portal V19 to Update 3 or later
Opcenter Quality
HOTFIX: Update Opcenter Quality to version 2406 or later
Opcenter RDnL
HOTFIX: Update Opcenter RDnL to version 2410 or later
SINEMA Remote Connect Client
HOTFIX: Update SINEMA Remote Connect Client to version 3.2 SP3 or later
All products
HOTFIX: Update SIMATIC PCS neo to V4.1 Update 2 or later if on V4.1, or V5.0 Update 1 or later if on V5.0
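To turn the fix table and the remediation steps above into a triage pass over a software inventory, the following added example (not part of the advisory or any Siemens tooling) classifies each installed product as needing a patch, needing isolation because no fix is planned, or already at a fixed version. The short product names, the `host,product,version` inventory format and the sample rows are assumptions constructed for illustration; the thresholds are the ones listed on this page.

```python
import re

# First fixed version per product line, copied from the table on this page.
# Key: (product, release line or None when the product has a single line).
FIXED = {
    ("Opcenter Quality", None): (2406,),
    ("Opcenter RDnL", None): (2410,),
    ("SIMATIC PCS neo", "4.1"): (4, 1, 2),
    ("SIMATIC PCS neo", "5.0"): (5, 0, 1),
    ("SINEMA Remote Connect Client", None): (3, 2, 3),
    ("TIA Portal", "17"): (17, 8),
    ("TIA Portal", "18"): (18, 5),
    ("TIA Portal", "19"): (19, 3),
}
# Product lines the page lists as having no fix planned.
NO_FIX = {("TIA Portal", "16"), ("SIMATIC PCS neo", "4.0"), ("SINEC NMS", None)}
# How many leading version numbers identify the release line (assumed naming).
LINE_PARTS = {"TIA Portal": 1, "SIMATIC PCS neo": 2}

def triage(product, version):
    """Return 'patch', 'isolate', 'fixed-version' or 'not-listed'."""
    # "V17 Update 10" -> (17, 10); tuples compare numerically, so Update 10
    # sorts after Update 8, which a plain string comparison gets wrong.
    nums = tuple(int(n) for n in re.findall(r"\d+", version))
    line = ".".join(str(n) for n in nums[:LINE_PARTS.get(product, 0)]) or None
    key = (product, line)
    if key in NO_FIX:
        return "isolate"          # no patch planned: segment and firewall
    if key not in FIXED:
        return "not-listed"       # advisory says nothing about this line
    return "patch" if nums < FIXED[key] else "fixed-version"

def triage_inventory(csv_text):
    """Classify every 'host,product,version' row of an inventory export."""
    rows = (l.split(",") for l in csv_text.strip().splitlines())
    return [(h.strip(), triage(p.strip(), v.strip())) for h, p, v in rows]

if __name__ == "__main__":
    SAMPLE = """\
eng-ws-01,TIA Portal,V17 Update 7
eng-ws-02,TIA Portal,V16 Update 7
pcs-srv-01,SIMATIC PCS neo,V5.0 Update 1
nms-01,SINEC NMS,V3.0
"""  # constructed inventory rows, not real hosts
    for host, action in triage_inventory(SAMPLE):
        print(f"{host}: {action}")
```
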
CVEs (1)