Multiple Vulnerabilities in COMOS
Act Now | CVSS 9.8 | SSA-137900 | Nov 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
COMOS is affected by multiple vulnerabilities including XML External Entity injection (CWE-611), path traversal (CWE-22), buffer overflows (CWE-787, CWE-125), integer overflow (CWE-190), use-after-free (CWE-416), stack buffer overflow (CWE-122), cleartext transmission (CWE-319), and access control violations (CWE-284). These flaws could allow an attacker to execute arbitrary code, cause denial of service, exfiltrate data, or bypass access controls.
What this means
What could happen
An attacker with network access to COMOS could execute arbitrary code on the engineering workstation, allowing them to modify process data, configurations, or operator interface logic. Alternatively, they could trigger a denial of service, crash the application, or extract sensitive process and credential data.
Who's at risk
Process engineers and plant operators who rely on COMOS for process design, simulation, and monitoring. This includes utilities and manufacturers in chemical, petroleum, water treatment, and manufacturing sectors who use COMOS for plant configuration and operational oversight.
How it could be exploited
An attacker sends a malicious network request to the COMOS service port. The request exploits one of multiple input validation or memory handling flaws (XML External Entity injection, path traversal, buffer overflow, or access control bypass). COMOS processes the request without proper sanitization, allowing the attacker to execute code or access restricted data on the engineering workstation.
Prerequisites
- Network access to COMOS service port (typically internal engineering network)
- COMOS installation with vulnerable version running and listening for connections
- remotely exploitable
- no authentication required
- low complexity
- high CVSS score (9.8)
- affects engineering workstations that control plant operations
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---------|-------------------|------------|
| COMOS | <V10.4.4 | 10.4.4 |
| COMOS | All versions | 10.4.4 |
Remediation & Mitigation
Do now
COMOS
WORKAROUND: For older COMOS versions where update is not yet available, immediately delete ptmcast.exe from the COMOS bin folder to disable the vulnerable component
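One way to check and apply this workaround on a workstation, as an added example (not code from the advisory or the vendor). The `-ComosRoot` install path is a placeholder you must supply, and the process name `ptmcast` is an assumption derived from the file name.

```powershell
# Added example: report on, and optionally apply, the ptmcast.exe workaround.
# ASSUMPTION: -ComosRoot is the COMOS install directory (the folder containing "bin").
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$ComosRoot,   # placeholder: the page does not give the install path
    [switch]$Remove       # without this switch the script only reports
)

$binDir = Join-Path -Path $ComosRoot -ChildPath 'bin'
if (-not (Test-Path -LiteralPath $binDir -PathType Container)) {
    throw "No bin folder under '$ComosRoot'; check the install path."
}

# Only the bin folder itself is inspected, matching the workaround text.
$found = @(Get-ChildItem -LiteralPath $binDir -Filter 'ptmcast.exe' -File -ErrorAction SilentlyContinue)

if ($found.Count -eq 0) {
    Write-Output "OK: ptmcast.exe not present in $binDir"
    return
}

foreach ($file in $found) {
    # Record what was there before touching it (evidence for the change record).
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    Write-Output ("FOUND: {0}  version={1}  sha256={2}" -f $file.FullName, $file.VersionInfo.FileVersion, $hash)

    if (-not $Remove) { continue }

    # A running instance keeps the file locked; stop it first.
    # ASSUMPTION: the process is named after the executable ("ptmcast").
    Get-Process -Name 'ptmcast' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $file.FullName } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("PID $($_.Id)", 'Stop ptmcast process')) {
                Stop-Process -Id $_.Id -Force
            }
        }

    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete file')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}
```

Run it without `-Remove` to audit, and with `-Remove -WhatIf` to preview the deletion before committing to it.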
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
COMOS
HOTFIX: Update COMOS to version 10.4.4 or later
HOTFIX: If update to 10.4.4 is completed, update the COMOS database to version 25 per user manual (note: this change is irreversible; older COMOS versions will not be compatible with the updated database)
Long-term hardening
COMOS
HARDENING: Restrict network access to COMOS ports to only authorized engineering workstations and configuration servers
CVEs (16)