OTPulse

Multiple Vulnerabilities in SIMATIC RTLS Locating Manager before V3.0.1.1

Priority: Act Now
CVSS: 10
Siemens advisory: SSA-093430
Published: May 14, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple input validation and resource handling vulnerabilities affect SIMATIC RTLS Locating Manager versions before V3.0.1.1. The weakness classes involved are: improper input validation (CWE-20); improper check for unusual or exceptional conditions, i.e. unhandled errors (CWE-754); uncontrolled resource consumption and allocation of resources without limits or throttling (CWE-400, CWE-770); heap-based buffer overflow (CWE-122); improper restriction of rendered UI layers or frames, i.e. clickjacking of the web UI (CWE-1021); missing encryption of sensitive data and cleartext transmission (CWE-311, CWE-319); insufficient session expiration (CWE-613); and use of a hard-coded cryptographic key together with insufficiently protected credentials (CWE-321, CWE-522). The most severe of these can be exploited remotely without authentication to achieve code execution and full compromise of the server, which is why the advisory carries a CVSS score of 10.

What this means
What could happen
An unauthenticated attacker with network access could execute arbitrary code on the RTLS Locating Manager server and, from there, disrupt or falsify real-time location data for equipment and personnel across the facility.
Who's at risk
Facility and warehouse operators who rely on SIMATIC RTLS (Real-Time Locating System) for personnel tracking, asset location, and equipment movement visibility. All seven listed RTLS Locating Manager article numbers (6GT2780-0DA00, 6GT2780-0DA10, 6GT2780-0DA20, 6GT2780-0DA30, 6GT2780-1EA10, 6GT2780-1EA20, 6GT2780-1EA30) are affected when running any version prior to V3.0.1.1.
How it could be exploited
An attacker sends a specially crafted request to the Locating Manager's network service without authenticating. Because the service does not properly validate that input (CWE-20) and can overflow a heap buffer while processing it (CWE-122), the attacker gains arbitrary code execution on the server. No credentials or user interaction are needed, so exploitation is straightforward once the device is reachable from the attacker's network position. The resource-exhaustion weaknesses (CWE-400, CWE-770) can additionally be used by the same unauthenticated attacker to exhaust server resources and deny service to location tracking.
Prerequisites
  • Network access to the SIMATIC RTLS Locating Manager service port
  • No authentication credentials required
Tags: remotely exploitable · no authentication required · low complexity attack · high EPSS score (26.8%) · affects availability and integrity of tracking systems
Exploitability
High exploit probability (EPSS 26.8%, i.e. an estimated 26.8% chance of exploitation activity in the wild within the next 30 days; EPSS is a probability estimate, not evidence that a public exploit exists)
Affected products (7), all 7 with a fix available
Product | Affected Versions | Fix Status
SIMATIC RTLS Locating Manager (6GT2780-0DA00) | < V3.0.1.1 | fixed in V3.0.1.1
SIMATIC RTLS Locating Manager (6GT2780-0DA10) | < V3.0.1.1 | fixed in V3.0.1.1
SIMATIC RTLS Locating Manager (6GT2780-0DA20) | < V3.0.1.1 | fixed in V3.0.1.1
SIMATIC RTLS Locating Manager (6GT2780-0DA30) | < V3.0.1.1 | fixed in V3.0.1.1
SIMATIC RTLS Locating Manager (6GT2780-1EA10) | < V3.0.1.1 | fixed in V3.0.1.1
SIMATIC RTLS Locating Manager (6GT2780-1EA20) | < V3.0.1.1 | fixed in V3.0.1.1
SIMATIC RTLS Locating Manager (6GT2780-1EA30) | < V3.0.1.1 | fixed in V3.0.1.1
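A practitioner check added here (it is not OTPulse's or Siemens' code): the script below walks a constructed asset inventory and reports every Locating Manager whose article number is in the affected list and whose version compares below V3.0.1.1. It treats a version it cannot parse as unpatched until verified, and compares version components numerically so that, for example, 3.0.10 is correctly ranked above 3.0.1.1. The article numbers and the fixed version come from the table above; the host names, version strings and the "ARTICLE-OTHER" placeholder are assumptions.

```python
"""Added example: flag SIMATIC RTLS Locating Manager assets below the fixed
version V3.0.1.1 from SSA-093430. Inventory data below is constructed."""
import re
from typing import Dict, List, Tuple

# Article numbers listed as affected in the advisory table.
AFFECTED_ARTICLE_NUMBERS = {
    "6GT2780-0DA00", "6GT2780-0DA10", "6GT2780-0DA20", "6GT2780-0DA30",
    "6GT2780-1EA10", "6GT2780-1EA20", "6GT2780-1EA30",
}
FIXED_VERSION = "3.0.1.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'V3.0.1.1', '3.0.1' or 'v2.9' into a tuple of ints.

    Raises ValueError for anything that is not a dotted numeric version,
    so callers cannot silently treat garbage as 'patched'.
    """
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_below_fix(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is strictly older than `fixed`.

    Both tuples are padded with zeros to equal length, so '3.0.1' equals
    '3.0.1.0' (still vulnerable) and '3.0.10' sorts above '3.0.1.1'.
    """
    a, b = parse_version(version), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def find_vulnerable(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return inventory entries that are affected models running < V3.0.1.1.

    Assets whose version cannot be parsed are reported as well: a device you
    cannot version-check is treated as unpatched until someone verifies it.
    """
    hits = []
    for asset in inventory:
        if asset["article"] not in AFFECTED_ARTICLE_NUMBERS:
            continue  # not a Locating Manager model named in the advisory
        try:
            vulnerable = is_below_fix(asset["version"])
            status = "update to V3.0.1.1" if vulnerable else "ok"
        except ValueError:
            vulnerable, status = True, "version unknown, verify manually"
        if vulnerable:
            hits.append({**asset, "status": status})
    return hits


# Constructed sample inventory (assumption, not real site data).
SAMPLE_INVENTORY = [
    {"host": "rtls-lm-01", "article": "6GT2780-0DA00", "version": "V2.8.3"},
    {"host": "rtls-lm-02", "article": "6GT2780-1EA20", "version": "3.0.1.1"},
    {"host": "rtls-lm-03", "article": "6GT2780-0DA30", "version": "V3.0.1"},
    {"host": "rtls-lm-04", "article": "6GT2780-1EA30", "version": "3.0.10"},
    {"host": "rtls-lm-05", "article": "6GT2780-0DA10", "version": "n/a"},
    {"host": "other-box", "article": "ARTICLE-OTHER", "version": "1.0"},
]

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{hit['host']:12} {hit['article']:14} {hit['version']:8} {hit['status']}")
```

Run it against an export from your asset inventory in the same shape (host, article number, version); anything it prints needs the V3.0.1.1 update scheduled, and any "version unknown" line needs a console check before the asset is assumed safe.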
Remediation & Mitigation
Schedule: requires a maintenance window. Installing the update may require a reboot of the Locating Manager, so plan for an interruption of location tracking while it is applied.
Hotfix: update SIMATIC RTLS Locating Manager to V3.0.1.1 or later, obtained from Siemens Online Software Delivery (OSD). All seven affected article numbers are fixed by the same version.