Siemens COMOS Vulnerabilities: CISA No Longer Updates, What You Need to Know

  • Thread Author
In a significant move recognized by the cybersecurity community, as of January 10, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) announced it would cease further updates on ICS security advisories concerning vulnerabilities found in Siemens products. This change sets the stage for potential cybersecurity challenges, especially for users of the Siemens COMOS system. Let’s dive into the details, understand the implications, and find out what you can do to safeguard your systems.

Executive Summary: Key Details at a Glance​

  • CVSS v4 Score: 5.9
  • Vendor: Siemens
  • Equipment: COMOS
  • Vulnerabilities: Improper restriction of XML External Entity Reference
  • Attack Complexity: Low
Siemens' COMOS software, widely utilized for facilitating engineering processes in critical manufacturing sectors, has recently been exposed to vulnerabilities that may permit unauthorized access and the extraction of sensitive application files.

Understanding the Risks​

The identified vulnerabilities allow for a security breach, enabling an attacker to extract arbitrary application files from affected systems. As Siemens shifts focus away from updating these advisories, the responsibility lies with users and administrators to monitor and mitigate risks proactively.

Affected Products​

The vulnerabilities are present across various versions of COMOS, including:
  • COMOS V10.4.0 (All versions)
  • COMOS V10.4.1 (All versions)
  • COMOS V10.4.2 (All versions)
  • COMOS V10.4.3 (Versions prior to V10.4.3.0.47)
  • COMOS V10.4.4 (Versions prior to V10.4.4.2)
  • COMOS V10.4.4.1 (Versions prior to V10.4.4.1.21)
  • COMOS V10.3 (Versions prior to V10.3.3.5.8)

Vulnerability Overview: The Technical Stuff​

The vulnerabilities stem from improper handling of XML External Entity (XXE) references, primarily when parsing configuration and mapping files. Here’s how they work:
  • Attack Vector: An attacker crafts a malicious configuration file used by a victim interacting with affected components such as the Generic Data Mapper or Engineering Interface.
  • Exploitation: When the victim opens the malicious file, the attacker gains access to arbitrary files from the user's system or accessible network folders.
The vulnerabilities have specific references:
  • CVE-2024-49704: Assigned CVSS v4 base score of 5.7.
  • CVE-2024-54005: Assigned CVSS v4 base score of 5.9.

Mitigation Strategies: Stay Ahead of Threats​

While Siemens has announced that no fixes are planned for several affected versions, there are specific pathways to mitigate risks:
  • Updates: For COMOS V10.3, upgrade to version V10.3.3.5.8 or later.
  • Secure Configuration: Avoid untrusted configuration files, and ensure only authorized personnel can modify critical files.
  • Network Security:
  • Isolate control system networks from business networks using robust firewalls.
  • Implement VPNs for remote access, but ensure they are updated and properly configured.

CISA Recommendations​

CISA advises users to minimize network exposure and secure control systems effectively. This involves not directly exposing them to the internet and ensuring robust defenses are in place, particularly for remote access scenarios.

Proactive Measures against Social Engineering​

In addition to technical safeguards, users are urged to take practical steps to avoid falling victim to social engineering attacks, such as steering clear of unsolicited emails and being cautious about click-through items.

A Broader Context: The Importance of Cyber Vigilance​

As cyber threats loom, the halt in CISA's updates serves as a stark reminder of the importance of remaining vigilant in cybersecurity practices—especially for critical infrastructure sectors like manufacturing, where vulnerabilities can lead to serious operational disruptions.

Conclusion: Stay Informed and Secure​

While the responsibility of maintaining cybersecurity shifts increasingly to the users amid the halting of CISA’s updates, it’s imperative to stay informed, understand your systems, apply the necessary patches, and follow security best practices rigorously. The Siemens COMOS vulnerabilities highlight an ongoing challenge in the industrial control systems landscape—one that requires diligence and proactive management from all those involved.
Stay safe out there!

Source: CISA Siemens COMOS