As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Cerberus PRO UL and Desigo Fire Safety UL
- Vulnerabilities: Classic Buffer Overflow, Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer
2. RISK EVALUATION
Successful exploitation of the vulnerabilities could allow an unauthenticated attacker, who gained access to the fire protection system network, to execute arbitrary code on the affected products (CVE-2024-22039) or create a denial-of-service condition (CVE-2024-22040, CVE-2024-22041).
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of Siemens, are affected:
- Siemens Cerberus PRO UL Compact Panel FC922/924: All versions prior to MP4
- Siemens Cerberus PRO UL Engineering Tool: All versions prior to MP4
- Siemens Cerberus PRO UL X300 Cloud Distribution: All versions prior to V4.3.0001
- Siemens Desigo Fire Safety UL Compact Panel FC2025/2050: All versions prior to MP4
- Siemens Desigo Fire Safety UL Engineering Tool: All versions prior to MP4
- Siemens Desigo Fire Safety UL X300 Cloud Distribution: All versions prior to V4.3.0001
3.2 Vulnerability Overview
3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BU
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from All CISA Advisories
Read the original article:
Read the original article: