OTPulse

Multiple Vulnerabilities in COMOS Web

Status: Plan Patch
Score: 8.8
Advisory: SSA-995338
Published: Jan 11, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in COMOS Web components that allow code injection (CWE-434, CWE-80, CWE-23), SQL injection (CWE-89), and cross-site request forgery attacks (CWE-352). These vulnerabilities enable an authenticated attacker to execute arbitrary code, modify database contents, store malicious files in unintended locations, and execute unwanted actions on behalf of other users.

What this means
What could happen
An attacker with valid engineering credentials could inject malicious code into COMOS Web, modify the database through SQL injection, or trick authenticated users into performing unwanted actions. This could allow tampering with process configurations, equipment parameters, or control logic.
Who's at risk
Organizations running COMOS V10.2, V10.3, or V10.4 with web components enabled should assess their use of the web interface. This primarily affects engineering teams and control center operators who use the web-based configuration and monitoring portal for process management and equipment control in water treatment, power distribution, and manufacturing plants.
How it could be exploited
An attacker with valid COMOS user credentials accesses the web interface and injects malicious code through input fields, or manipulates requests to execute arbitrary SQL statements or to store files in unintended locations on the server. A second attack vector uses CSRF to trick an authenticated engineer into executing commands without their knowledge.
Prerequisites
  • Valid COMOS user credentials (engineering workstation login)
  • Network access to COMOS Web interface port (typically HTTP/HTTPS)
  • Web components must be enabled in the COMOS installation
Tags:
  • Requires valid credentials
  • Low complexity attack
  • Multiple vulnerability types (code injection, SQL injection, CSRF)
  • Can affect process control configurations
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
3 with fix · 1 EOL
Product        Affected Versions                                   Fix Status
COMOS V10.2    All versions, only if web components are used       No fix (EOL)
COMOS V10.3    ≥ V10.3.3.3, only if web components are used        10.3.3.3
COMOS V10.3    < V10.3.3.3, only if web components are used        10.3.3.3
COMOS V10.4    < V10.4.1, only if web components are used          10.4.1
Remediation & Mitigation
Do now
HARDENING: Implement network-level access controls to restrict access to the COMOS Web interface to authorized engineering workstations only
WORKAROUND: Disable or isolate COMOS Web components if they are not actively used in your deployment
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

COMOS V10.3
HOTFIX: Update COMOS V10.3 installations to version 10.3.3.3 or later
COMOS V10.4
HOTFIX: Update COMOS V10.4 installations to version 10.4.1 or later
Mitigations - no patch available
COMOS V10.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Enforce strong password policies and multi-factor authentication for COMOS user accounts