Full Report
SINUMERIK systems that have been provisioned with Create MyConfig (CMC) are affected by an Insertion of Sensitive Information into Log File vulnerability. When a CMC package is used on an NCU or on an IPC, the password embedded in the CMC package, or typed in manually during package execution, is traced on the machine to the file uptrace.out. This could allow a local authenticated user with low privileges to read that password and use it to impersonate a user with higher privileges. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Insertion of Sensitive Information into Log File in SINUMERIK Systems using Create MyConfig (CMC)
## CVE Details
- CVE ID: CVE-2024-43781
- CVSS Score: 5.5 (CVSS v3.1) / 6.8 (CVSS v4.0) (Medium)
- CWE: CWE-532: Insertion of Sensitive Information into Log File
## Affected Systems
- Products: SINUMERIK 828D, SINUMERIK 840D sl, SINUMERIK ONE
- Versions:
  - SINUMERIK 828D V4: All versions < V4.95 SP3
  - SINUMERIK 840D sl V4: All versions < V4.95 SP3 (when using Create MyConfig (CMC) <= V4.8 SP1 HF6)
  - SINUMERIK ONE: All versions < V6.23 (when using CMC <= V6.6)
  - SINUMERIK ONE: All versions < V6.15 SP4 (when using CMC <= V6.6)
- Configurations: Systems provisioned with Create MyConfig (CMC) packages.
## Vulnerability Description
The vulnerability exists because sensitive information, specifically passwords used within a Create MyConfig (CMC) package (either embedded or manually entered during execution), is logged to the file `uptrace.out` on the affected NCU or IPC. A local authenticated user with low privileges can read this trace file, allowing them to obtain the stored password and potentially use it to impersonate a user with higher privileges.
## Exploitation
- Status: Not explicitly stated as exploited in the wild. No special tooling is needed to abuse the flaw, since it reduces to a low-privileged local user reading a local trace file.
- Complexity: Low (local access is required, but reading the leaked password from the log file is straightforward).
- Attack Vector: Local
## Impact
- Confidentiality: High (Passwords necessary for privilege escalation are exposed)
- Integrity: None stated (The primary focus is information disclosure leading to potential unauthorized action)
- Availability: None stated
## Remediation
### Patches
Customers must update to the latest recommended versions:
- **SINUMERIK 828D V4 / 840D sl V4:** Update to **V4.95 SP3 or later**.
- **SINUMERIK ONE:** Update to **V6.23 or later**, or on the V6.15 line to **V6.15 SP4 or later**; both apply when CMC <= V6.6 is in use.
Software updates must be obtained from Siemens customer support or a local partner.
### Workarounds
The following manual workarounds mitigate the immediate risk:
1. **Delete Log Files:** After using CMC:
   * On an NCU: Delete `/card/user/sinumerik/hmi/log/sltrc/uptrace.out` and its backup `uptrace.out.bak`.
   * On an IPC: Delete `c:\ProgramData\Siemens\MotionControl\user\sinumerik\hmi\log\sltrc\uptrace.out` and its backup `uptrace.out.bak`.
2. **Disable Tracing:** Replace the trace configuration to switch off tracing, so that sensitive data is not logged again in the future.
## Detection
- **Indicators of Compromise:** Presence of passwords within the specified log files (`uptrace.out` or `uptrace.out.bak`).
- **Detection Methods and Tools:** Manual inspection of the file paths listed in the Workarounds section on potentially affected systems.
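As an added example (not Siemens code and not part of the advisory), the following script automates the manual inspection above: it reports whether the trace files from the Workarounds section exist, flags line numbers that mention a password field without echoing the value, and can delete the files as workaround 1 does. The real `uptrace.out` format is not documented on this page, so the keyword heuristic and the sample trace lines are constructed assumptions.

```python
"""Defender-side check for the CMC trace files named in SSA-097786."""
import re
import tempfile
from pathlib import Path

# Paths from the advisory workaround; each .bak companion is derived here.
TRACE_FILES = [Path(p) for base in (
    "/card/user/sinumerik/hmi/log/sltrc/uptrace.out",
    r"c:\ProgramData\Siemens\MotionControl\user\sinumerik\hmi\log\sltrc\uptrace.out",
) for p in (base, base + ".bak")]

# ASSUMPTION: the trace format is unknown; this only catches lines that
# name a password field, it does not parse the CMC package itself.
CREDENTIAL_HINT = re.compile(r"\b(passw(?:or)?d|pwd)\b", re.IGNORECASE)

# Constructed sample trace content, not real SINUMERIK output.
SAMPLE_TRACE = (
    "12:00:01 cmc: package start\n"
    "12:00:02 cmc: password=S3cret!\n"
    "12:00:03 cmc: copying files\n"
    "12:00:04 cmc: user prompt -> pwd S3cret!\n"
    "12:00:05 cmc: done\n"
)

def flag_credential_lines(text: str) -> list[int]:
    """1-based line numbers that mention a password field; the line content
    is deliberately not returned so the secret is not copied elsewhere."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if CREDENTIAL_HINT.search(line)]

def audit_trace_file(path: Path) -> dict:
    """Report presence and suspicious line numbers for one trace file."""
    if not path.is_file():
        return {"path": str(path), "present": False, "flagged_lines": []}
    return {"path": str(path), "present": True,
            "flagged_lines": flag_credential_lines(path.read_text(errors="replace"))}

def purge_trace_files(paths, dry_run: bool = True) -> list[str]:
    """Workaround 1: delete the trace files after CMC use."""
    removed = []
    for p in paths:
        if p.is_file():
            if not dry_run:
                p.unlink()
            removed.append(str(p))
    return removed

def demo() -> tuple[dict, list[str]]:
    """Run audit and purge against a temp copy of the constructed sample."""
    with tempfile.TemporaryDirectory() as d:
        trace = Path(d) / "uptrace.out"
        trace.write_text(SAMPLE_TRACE)
        report = audit_trace_file(trace)
        return report, purge_trace_files([trace, Path(str(trace) + ".bak")], dry_run=False)

if __name__ == "__main__":
    for f in TRACE_FILES:
        print(audit_trace_file(f))
```

Run it on the machine after a CMC package has executed; a `present: True` result with flagged lines means the workaround has not yet been applied.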
## References
- Siemens Advisory: SSA-097786
- Siemens Security Portal: hXXps://www.siemens.com/cert/operational-guidelines-industrial-security
- Siemens Security Portal: hXXps://www.siemens.com/industrialsecurity
- Siemens ProductCERT Advisories: hXXps://www.siemens.com/cert/advisories