XXE Injection Vulnerabilities in COMOS
Monitor · 5.5 · SSA-701627 · Dec 10, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
COMOS is affected by XXE (XML External Entity) injection vulnerabilities that could allow an attacker to extract arbitrary application files. The vulnerabilities exist in multiple product versions; fixes are available for some versions while others have no fix planned.
What this means
What could happen
An attacker who can access COMOS could extract sensitive configuration and process files from the engineering workstation or server, potentially exposing credentials or process logic used in your control systems.
Who's at risk
Engineering and operations personnel who use Siemens COMOS for process design, engineering, and configuration. This affects industrial control system design workstations and engineering servers in manufacturing, utilities, and process industries.
How it could be exploited
An attacker would need to craft a malicious XML file and trick a user into opening it within COMOS, or intercept and modify XML input to the application. The vulnerable XML parser then resolves the external entities declared in that file, allowing the attacker to read local files from the affected machine.
Prerequisites
- Local or network access to a machine running COMOS
- User interaction required (user must open or process a malicious XML file)
- No authentication required if the attacker can write to file locations that COMOS accesses
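Added example (not from the advisory or from Siemens): a Python check, assuming that XML import files are the input in question, that reports external entity declarations in a file before it is handed to the application, plus a parser setting that refuses any DOCTYPE outright; the sample inputs and the file path in the DTD are constructed placeholders.

```python
import xml.parsers.expat

# Constructed sample: an XML import file whose DTD declares an external entity
# pointing at a local file (the XXE pattern in the advisory). The path is a
# placeholder, not a real COMOS location.
SUSPICIOUS_XML = b"""<?xml version="1.0"?>
<!DOCTYPE import [
  <!ENTITY cfg SYSTEM "file:///PLACEHOLDER/config.ini">
]>
<import><item>&cfg;</item></import>"""

# Constructed sample with no DTD at all.
BENIGN_XML = b'<?xml version="1.0"?><import><item>pump-101</item></import>'


class XxeDetected(Exception):
    """Raised by parse_hardened() when a document carries a DOCTYPE."""


def scan_xml(data):
    """List (name, system_id, public_id) for every external entity declared
    in the DTD, without resolving any of them. Empty list = none declared."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones carry SYSTEM/PUBLIC ids.
        if system_id is not None or public_id is not None:
            findings.append((name, system_id, public_id))
    parser.EntityDeclHandler = on_entity_decl
    # Returning 1 tells expat to continue without fetching the referenced entity.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 1
    parser.Parse(data, True)
    return findings


def parse_hardened(data):
    """Return the text content of the XML, rejecting any DOCTYPE (and so any entity)."""
    texts = []
    parser = xml.parsers.expat.ParserCreate()
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise XxeDetected("DOCTYPE '%s' rejected" % name)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = texts.append
    parser.Parse(data, True)
    return "".join(texts)


def is_safe_to_process(data):
    # True when the document parses under the hardened settings.
    try:
        parse_hardened(data)
        return True
    except XxeDetected:
        return False
```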
- User interaction required for exploitation
- Affects engineering workstations (higher value targets)
- Files extracted could include credentials or process configuration
- Multiple versions have no fix available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
4 with fix, 3 EOL
Product          Affected Versions   Fix Status
COMOS V10.3      < V10.3.3.5.8       10.3.3.5.8
COMOS V10.4.3    < V10.4.3.0.47      10.4.3.0.47
COMOS V10.4.4    < V10.4.4.2         10.4.4.2
COMOS V10.4.4.1  < V10.4.4.1.21      10.4.4.1.21
COMOS V10.4.0    All versions        No fix (EOL)
COMOS V10.4.1    All versions        No fix (EOL)
COMOS V10.4.2    All versions        No fix (EOL)
Remediation & Mitigation
Do now
COMOS V10.4.0
WORKAROUND: For COMOS V10.4.0, V10.4.1, and V10.4.2, for which no patches are available, restrict access to COMOS workstations and servers to trusted networks only, and monitor for suspicious XML file processing.
All products
HARDENING: Train users on the risks of opening XML files from untrusted sources in COMOS.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
COMOS V10.3
HOTFIX: Update COMOS V10.3 to version 10.3.3.5.8 or later.
COMOS V10.4.3
HOTFIX: Update COMOS V10.4.3 to version 10.4.3.0.47 or later.
COMOS V10.4.4
HOTFIX: Update COMOS V10.4.4 to version 10.4.4.2 (or 10.4.4.1.21 if on 10.4.4.1).
Mitigations - no patch available
The following products have reached End of Life with no planned fix: COMOS V10.4.0, COMOS V10.4.1, COMOS V10.4.2. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate COMOS engineering workstations from general corporate networks.
CVEs (2)