OTPulse

Insertion of Sensitive Information into Log File Vulnerability in SINUMERIK systems

Monitor · 5.5 · SSA-097786 · Sep 10, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SINUMERIK CNC controllers are vulnerable to password disclosure when provisioned using the Create MyConfig (CMC) tool. The CMC tool logs plaintext passwords to the uptrace.out file during package execution. A local user with limited privileges can read this file, extract credentials, and use them to gain higher-level access to the controller. This vulnerability affects SINUMERIK 828D V4, SINUMERIK 840D sl V4, and SINUMERIK ONE systems.

What this means
What could happen
A local user with limited system access could read plaintext passwords from a trace log file, then use those credentials to gain higher privileges and potentially alter CNC machine programs or process configurations.
Who's at risk
Manufacturing facilities operating Siemens SINUMERIK CNC controllers (828D, 840D sl, and SINUMERIK ONE models), particularly those that used the Create MyConfig configuration tool during setup. This affects machine tool operators and maintenance staff who may have configured the systems.
How it could be exploited
An attacker with local access to the SINUMERIK controller (physical access or via compromised workstation on the control network) reads the uptrace.out log file, extracts plaintext passwords used during configuration package execution, and uses those credentials to access the controller with elevated privileges. This requires the Create MyConfig (CMC) tool to have been used during provisioning.
Prerequisites
  • Local access to the SINUMERIK controller file system
  • Create MyConfig (CMC) tool was used during system provisioning
  • Limited user account (unprivileged local user)
  • Ability to read log files from the /uptrace.out location
  • Requires local access (not remotely exploitable)
  • Requires low-privilege local credentials
  • Passwords stored in plaintext in logs
  • Affects CNC machine control systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SINUMERIK 828D V4 | All versions < V4.95 SP3 | 4.95 SP3 |
| SINUMERIK 840D sl V4 | All versions < V4.95 SP3 in connection with using Create MyConfig (CMC) ≤ V4.8 SP1 HF6 | 4.95 SP3 |
| SINUMERIK ONE | All versions < V6.23 in connection with using Create MyConfig (CMC) ≤ V6.6 | 6.23 |
| SINUMERIK ONE | All versions < V6.15 SP4 in connection with using Create MyConfig (CMC) ≤ V6.6 | 6.15 SP4 |
Remediation & Mitigation
Do now
  • HARDENING: Restrict local file system access to the SINUMERIK controller to authorized personnel only; use operating system access controls to limit who can read log files in the uptrace.out directory
  • WORKAROUND: Review and rotate any passwords that may have been captured in uptrace.out log files from systems that used Create MyConfig before patching
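The two "Do now" steps can be checked with a short script. This is an added example, not code from Siemens or from this page: the path to uptrace.out is supplied by the operator, and the keyword pattern for credential-like lines is an assumed heuristic because the advisory does not describe the trace format.

```python
import os
import re
import stat
import tempfile

# Assumed heuristic: the advisory does not document the trace format, so this
# only flags lines with a credential-like keyword followed by a value.
SUSPECT = re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[=:]\s*\S+")


def audit_trace_log(path):
    """Report who can read a trace log and which lines look like credentials.

    Matched values are never returned or printed, only their line numbers.
    """
    mode = os.stat(path).st_mode
    suspect_lines = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            if SUSPECT.search(line):
                suspect_lines.append(lineno)
    return {
        "mode": oct(stat.S_IMODE(mode)),
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        "suspect_lines": suspect_lines,
        "rotate_passwords": bool(suspect_lines),
    }


def restrict_to_owner(path):
    """Drop group/other access so only the owning account can read the log."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    # Constructed sample content for illustration; not real CMC output.
    sample = "step 1: start package\nuser=svc_example password=EXAMPLE-ONLY\nstep 2: done\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "uptrace.out")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        before = audit_trace_log(path)
        restrict_to_owner(path)
        return before, audit_trace_log(path)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Tightening permissions only limits future reads; any line the audit flags still means the corresponding password should be rotated, as the workaround above states.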
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SINUMERIK 828D V4
  • HOTFIX: Update SINUMERIK 828D V4 to version 4.95 SP3 or later
SINUMERIK 840D sl V4
  • HOTFIX: Update SINUMERIK 840D sl V4 to version 4.95 SP3 or later (also verify Create MyConfig (CMC) is updated to at least V4.8 SP1 HF6)
SINUMERIK ONE
  • HOTFIX: Update SINUMERIK ONE to version 6.15 SP4 or later, or version 6.23 or later (also verify Create MyConfig (CMC) is updated to at least V6.6)