Navigation section

Siemens COMOS SSA-682326: Upgrade to V10.4.5 to Fix Babel and SQL Client Flaws

  • Thread Author
Siemens ProductCERT has published SSA‑682326, a consolidated security advisory documenting multiple high‑severity vulnerabilities in COMOS that affect releases prior to V10.4.5, and operators must treat this as an urgent software‑supply‑chain and operational‑security issue: the advisory highlights a critical Babel/JavaScript compilation flaw (CVE‑2023‑45133) and a SQL client security‑feature bypass (CVE‑2024‑0056), and Siemens’ mitigation is to update COMOS to V10.4.5 or later while applying standard OT hardening measures.

COMOS V10.4.5 security diagram on a blue wall, featuring alerts and CVE references.Background / Overview​

COMOS is a unified engineering and plant‑lifecycle platform used extensively in critical manufacturing and process industries. The recent Siemens ProductCERT advisory SSA‑682326 aggregates vulnerabilities discovered in third‑party components embedded in COMOS builds and assigns a consolidated high severity rating: Siemens documents a CVSS v3.1 base score as high as 9.3 for the most serious issue and recommends updating to V10.4.5 or later. Since January 10, 2023, U.S. federal guidance has directed that CISA will republish only the initial Siemens advisories and that ongoing, canonical status and remediation details live with Siemens’ ProductCERT. This operational change makes direct monitoring of ProductCERT essential for all organizations that run Siemens products. Why this matters: COMOS often runs in environments where engineering data, plant configurations, and asset metadata are shared across teams and networks. Vulnerabilities that permit arbitrary code execution, file exfiltration, or interception of credentials can therefore have outsized operational consequences beyond IT—impacting availability, safety, and regulatory compliance.

Executive summary of the technical facts​

  • The Siemens ProductCERT advisory SSA‑682326 lists two high‑impact vulnerabilities incorporated in COMOS before V10.4.5: CVE‑2023‑45133 (a Babel @babel/traverse compilation vulnerability) and CVE‑2024‑0056 (a Microsoft.Data.SqlClient / System.Data.SqlClient security feature bypass). Siemens’ immediate remediation: update COMOS to V10.4.5 or later.
  • CVE‑2023‑45133 can result in arbitrary code execution during compilation when Babel processes attacker‑crafted JavaScript together with certain plugins that call internal evaluation methods (path.evaluate / path.evaluateTruthy). This equals a dangerous build‑time code‑execution vector for CI/CD systems or developer machines that compile untrusted inputs.
  • CVE‑2024‑0056 is a security‑feature bypass in Microsoft.Data.SqlClient and System.Data.SqlClient that may enable an adversary‑in‑the‑middle (AiTM) to undermine encryption or leak authentication material in certain handshake/connection scenarios. Patch/upgrade guidance from Microsoft and downstream packaging projects is published.
  • CISA has republished multiple COMOS advisories over 2023–2025 and reiterates standard mitigations—minimize network exposure, isolate OT networks, use secure remote access, and follow Siemens’ operational industrial security guidance. Operators should assume vendor ProductCERT is the authoritative source for fix availability.

Deep technical breakdown​

CVE‑2023‑45133 — Babel compile‑time arbitrary code execution​

  • What it is: a flaw in @babel/traverse (and legacy babel‑traverse) that allows attacker‑crafted JavaScript to cause arbitrary code execution during compilation when certain plugins invoke Babel’s internal evaluation helpers. This is not a simple remote web‑exploit in production web servers; the risk surface is build and compilation systems that accept or process untrusted source code.
  • Affected code paths: Known risky plugins include @babel/plugin‑transform‑runtime, @babel/preset‑env when used with useBuiltIns, and polyfill provider plugins that depend on @babel/helper‑define‑polyfill‑provider. Third‑party plugins that call the same internals can also be impacted.
  • Severity and vector: Siemens’ advisory maps this into COMOS (component dependency) and reports the issue with a CVSS v3.1 base score of 9.3 and vector indicating a low complexity, local attack vector in the product context; the real‑world exploitation scenario typically requires the ability to get the build system to compile attacker‑controlled source.
  • Fix: Upgrading @babel/traverse to v7.23.2 or later (or v8.0.0‑alpha.4) removes the vulnerable behavior. If that’s not possible, upgrading the impacted plugins to versions that avoid the internal evaluate path is a required mitigation. OSS advisories and vendor patches (Node/npm) document exact package versions to apply.
Implication for COMOS: An industrial engineering app may include embedded toolchains, converters, or scripting components that call into JavaScript build tooling—so third‑party component risk propagates into OT stacks. Build‑system guards, artifact signing, and strict source provenance controls are essential.

CVE‑2024‑0056 — SQL client security‑feature bypass​

  • What it is: a vulnerability in the SQL client libraries (Microsoft.Data.SqlClient and System.Data.SqlClient) that can lead to a security feature bypass—in some scenarios allowing an AiTM to subvert expectations about encryption or to harvest credentials during handshake/connection establishment. The vulnerability has been tracked and patched across multiple package releases; Microsoft published advisories and cumulative updates.
  • Affected versions and remediation: Microsoft’s advisory and downstream package trackers list the fixed versions (for Microsoft.Data.SqlClient: 2.1.7, 3.1.5, 4.0.5, 5.1.3 and above in their respective major lines; for System.Data.SqlClient, upgrade to 4.8.6 where applicable). Operators should follow Microsoft Update guidance for .NET Framework and the NuGet package updates for .NET apps.
  • Severity and vector: Siemens reports a CVSS v3.1 for this dependency at 8.7 when contextualized in COMOS (confidentiality/integrity impact is high), and NVD/GitLab package advisories align on the seriousness. Attack feasibility depends on network topology and whether an attacker can position an AiTM or cause client‑side connection strings/handshakes to be manipulated.
Implication for COMOS: COMOS instances that make database connections using embedded or system libraries could expose credential or session material if an attacker can intercept or manipulate connections on the path—particularly significant in mixed IT/OT environments where maintenance tunnels, VPNs, or proxying are present.

Affected products and versions (vendor‑stated)​

Siemens ProductCERT explicitly lists COMOS versions affected by the advisory and maps the impacted CVEs to COMOS components. Across the various SSA notifications and CISA republications, COMOS versions prior to V10.4.5 (and in later advisories, versions prior to 10.5/10.6 for other component fixes) appear in the “affected” lists—Siemens’ guidance is to update to the released remedial build (V10.4.5+). Operational owners must treat their exact build numbers as authoritative: Siemens’ advisories include specific service‑pack and microbuild thresholds for safe versions, and applying a generic “update to latest” without verifying exact product SKUs can lead to missed cases.

Immediate mitigations and a prioritized response playbook​

The most important single action: apply Siemens’ update to COMOS V10.4.5 (or later) without undue delay for all affected installations where an update is supported. Where vendor updates cannot be immediately applied, implement compensating controls and follow the guidance below.
  • Inventory and exposure mapping (within 24–72 hours)
  • Identify every COMOS instance, including version, build number, installed components (Web, Snapshots, any embedded toolchains), and connectivity (which subnets and jump hosts can reach each instance).
  • Map all database connections COMOS uses: local DB files, remote SQL servers, connection strings, and which client libraries are present.
  • Patch and validate
  • Apply Siemens SSA‑682326 remediation—upgrade to V10.4.5 or later and verify build numbers.
  • For .NET apps and any integrated tooling, update Microsoft.Data.SqlClient and System.Data.SqlClient to the secure versions published by Microsoft (follow Microsoft Update guidance and NuGet package updates).
  • Ensure any embedded JavaScript tooling dependencies (@babel/traverse and affected plugins) in build hosts are upgraded to patched versions (@babel/traverse >= 7.23.2).
  • Isolate and harden network access
  • Limit management and engineering interfaces to a minimal set of trusted IP addresses; enforce firewall and ACL rules that deny all other inbound access.
  • Place COMOS servers and engineering workstations on segmented OT subnets and restrict lateral movement via microsegmentation or jump hosts.
  • Disable or tightly control any remote‑maintenance VPNs and jump servers; ensure multi‑factor authentication and hardened logging are in place.
  • Protect build systems and developer workstations
  • Treat build pipelines as a high‑risk attack surface: enforce signed artifacts, restrict who can submit code to build pipelines, and sandbox compilation of any third‑party or user‑supplied code.
  • Where possible, run builds in ephemeral, immutable runners and enable artifact integrity checks.
  • Remove unnecessary polyfills or plugin code paths that call the vulnerable Babel internals; upgrade plugin versions per OSS advisories.
  • Monitor, detect, and validate
  • Look for unusual file‑read patterns by COMOS processes (XXE‑style exfil attempts), unexplained process crashes, or abnormal compilation activity on developer‑facing hosts.
  • Monitor TLS/connection anomalies and use network IDS to detect potential AiTM patterns that target SQL traffic.
  • Apply supply‑chain and configuration controls
  • Restrict the import of external configuration or mapping files to trusted sources only; validate and sanitize XML inputs to avoid XXE and path‑traversal pitfalls.
  • Implement runtime controls to block or alert on processes that spawn interpreters or execute unexpected code during compilation or import operations.

Detection guidance and indicators of compromise​

  • Unexpected compilation activity on build servers where COMOS‑related tooling runs, or build logs that include evaluation of user‑provided JavaScript expressions are red flags for exploitation attempts tied to CVE‑2023‑45133.
  • Network traces showing interception, downgrade, or abnormal TLS negotiation with SQL servers—especially around prelogin and handshake messages—may indicate attempts to exploit the SQL client bypass (CVE‑2024‑0056). Look at endpoint telemetry and packet captures from maintenance windows for anomalies.
  • Unexplained file reads by COMOS processes, especially of configuration and mapping files or files outside expected directories, can indicate XXE or path‑traversal exploitation. Ensure file‑access logging and EDR rules are tuned to detect these behaviors.

Why this advisory matters beyond the immediate fixes — strategic analysis​

Strengths in Siemens’ response​

  • Consolidation and disclosure: Siemens ProductCERT has published a clear, consolidated advisory (SSA‑682326) that enumerates CVEs, affected components, and recommended version updates. That centralized approach helps operators plan upgrades and mitigations.
  • Practical remediation: where fixes exist Siemens provides explicit upgrade targets (e.g., V10.4.5+), which reduces ambiguity for teams managing patch windows.

Structural risks and weak points​

  • Vendor‑centric update model: since CISA’s policy change (January 10, 2023) to hand off continuous republishing to Siemens, organizations must rely on vendor ProductCERT monitoring rather than a neutral federal aggregator. This concentrates the onus on operators to maintain vendor watchlists and increases the risk of blindspots if an organization lacks an active vulnerability‑management program.
  • Third‑party component exposure: vulnerabilities like CVE‑2023‑45133 show the supply‑chain nature of modern software risk: a JavaScript compiler bug now surfaces as a high‑risk issue in an industrial application. This underscores the need for software‑bill‑of‑materials (SBOM), dependency scanning, and runtime containment.
  • OT patch latency: industrial environments are inherently conservative about updates due to availability and safety constraints. High‑severity fixes that require planned downtime or regression testing can linger, increasing attack surface during the patch‑window. Operators must therefore plan compensating controls as a near‑term priority.

Risk to Windows‑centric IT owners and integrators​

  • Mixed IT/OT networks: Windows administrators who support or bridge engineering teams must adapt standard Windows security discipline to OT contexts: strict segmentation, least‑privilege access, and hardened remote support practices are essential. CISA and Siemens both emphasize isolating control‑system networks and minimizing exposure.

Action checklist for IT/OT teams (concise, ordered)​

  • Confirm COMOS version and immediate exposure: list all instances and note whether they are reachable from business networks or the internet.
  • Apply Siemens’ update to COMOS V10.4.5 or later where available. Validate installation footprints and build numbers after patching.
  • Update Microsoft.Data.SqlClient and System.Data.SqlClient per Microsoft guidance (apply cumulative updates or NuGet package upgrades).
  • Update or constrain Babel tooling on build hosts: apply @babel/traverse >= 7.23.2 and upgrade affected plugins, or remove untrusted build inputs.
  • Harden network: restrict access, firewall management ports, and enforce jump hosts for remote maintenance.
  • Tighten file import policies: reject untrusted mapping/configuration files and validate XML inputs to avoid XXE and path traversal.
  • Add monitoring: log COMOS process file access, build activity, and unusual SQL handshake anomalies; run detection signatures and packet capture on suspect paths.

Caveats and unverifiable claims — what to watch for​

  • No public exploitation reported: Siemens’ advisories and CISA republications note that no known public exploitation targeting these specific COMOS CVEs had been reported at the time of their respective publications. That absence of public exploitation does not mean exploit code cannot be developed; treating the risk as actionable is appropriate.
  • Contextual vectors vary: some CVE vectors (for Babel) are contextual to build environments (often local) while others (SQL client bypass) depend heavily on network topologies. Do not conflate exploitability across contexts—perform an asset‑specific risk analysis.
  • Timeline differences: multiple Siemens advisories over 2023–2025 address distinct COMOS issues (XXE, out‑of‑bounds read/write, Open Design Alliance SDK issues, etc.. Confirm the CVE and advisory ID when planning mitigations, as fixes and recommended versions differ by CVE/SSA.

Final assessment and recommendations​

This advisory cycle is a clear reminder that industrial software now inherits the same complex ecosystem risks found in mainstream IT: third‑party libraries, build system vulnerabilities, and database client flaws can all create operational exposure. Siemens’ SSA‑682326 is a responsible disclosure that identifies the issues and supplies a concrete update path—upgrading COMOS to V10.4.5 or newer is the right first move. Beyond patching, organizations must treat the incident as a prompt to strengthen software‑supply‑chain hygiene: automated dependency scanning, SBOMs, pinned build environments, artifact signing, and strict controls on importing external files into OT applications. For the SQL client bypass, ensure DB connection stacks are updated per Microsoft guidance and that network paths for database traffic are protected from AiTM positions (strong mutual authentication, encrypted links, and robust network segmentation). Operationally, implement a short‑term compensating control set (isolation, access controls, monitoring) while scheduling vendor‑approved upgrades during a controlled maintenance window. Finally, update incident response playbooks to include detection signatures for the behaviors described and ensure ProductCERT advisories are part of the organization’s vulnerability‑management feeds—Siemens is the canonical source for ongoing remediation status on COMOS. The intersection of modern software dependencies and industrial control systems raises the stakes for every Windows‑centric IT team that supports engineering and OT: treat the COMOS SSA‑682326 advisory as both an immediate remediation task and a long‑term supply‑chain governance wake‑up call.
Source: CISA Siemens COMOS | CISA
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
CVE-2024-8894: Siemens COMOS at Risk from ODA SDK Exploit
Replies
0
Views
121
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Siemens CVE-2025-40800 MitM Risk in IAM Client and Patch Guidance
Replies
0
Views
62
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Siemens COMOS Vulnerabilities: CISA No Longer Updates, What You Need to Know
Replies
0
Views
179
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Siemens SSA-712929 and CVE-2022-0778: OpenSSL DoS in Industrial Devices
Replies
0
Views
105
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Siemens RTLS Locating Manager: Patch to v3.3 to fix CVE-2025 flaws
Replies
0
Views
218
ChatGPT
ChatGPT
Back
Top