Full Report
SIMATIC CN 4100 is vulnerable to use of hard coded credentials including root user and contains an unrestricted USB port that could be misused for insecure boot. Siemens has released a new version for SIMATIC CN 4100 and recommends to update to the latest version.
Analysis Summary
# Vulnerability: Hardcoded Credentials and Insecure USB Access in SIMATIC CN 4100
## CVE Details
- CVE ID: CVE-2024-32740, CVE-2024-32741, CVE-2024-32742
- CVSS Score: 10.0 (CVSS v3.1) / 10.0 (CVSS v4.0) for CVE-2024-32741 (Highest)
- CWE: CWE-798 (Use of Hard-coded Credentials), CWE-259 (Use of Hard-coded Password), CWE-1326 (Missing Immutable Root of Trust in Hardware)
## Affected Systems
- Products: SIMATIC CN 4100
- Versions: All versions prior to V3.0
- Configurations: N/A
## Vulnerability Description
This advisory covers three related vulnerabilities in the SIMATIC CN 4100 communication node:
1. **Hardcoded Credentials (CVE-2024-32740):** The device contains undocumented users and credentials that an attacker can misuse to achieve local or network compromise. (CWE-798).
2. **Hardcoded Root Password (CVE-2024-32741):** The device contains a hardcoded password for the privileged system user `root` and the boot loader `GRUB`. Cracking this hash grants an attacker root access. (CWE-259).
3. **Unrestricted USB Port (CVE-2024-32742):** The device features an unrestricted physical USB port. An attacker with local access can misuse this port to boot an alternative operating system, gaining complete read/write access to the device's filesystem. (CWE-1326).
## Exploitation
- Status: Exploit Proof-of-Concept (PoC) information is relevant, as all CVEs are documented with an Exploitability subscore indicating known exploit maturity (E:P).
- Complexity: Low proximity for network-based credential exploitation; Local/Physical for USB misuse.
- Attack Vector: Network (CVE-2024-32740, CVE-2024-32741); Physical (CVE-2024-32742).
## Impact
The combination of these vulnerabilities allows for severe compromise:
- Confidentiality: High (Root access allows data exfiltration)
- Integrity: High (Root access allows modification of system files/configuration)
- Availability: High (Root/filesystem access allows denial of service or system modification)
## Remediation
### Patches
- The recommended fix is to **update to version V3.0 or later** for the SIMATIC CN 4100.
- Patch Availability Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109814144/
### Workarounds
- Siemens recommends following general security guidelines, including **protecting network access** to the devices with appropriate mechanisms.
- Configure the environment according to Siemens' **operational guidelines for Industrial Security**.
## Detection
- Detection focuses on identifying unauthorized activity related to unknown accounts or changes to boot processes.
- Detection methods should include continuous monitoring for logins using default/undocumented user accounts or unexpected network connections originating from the device. Further product-specific detection logic may be found in the vendor advisory.
## References
- Vendor Advisory: SSA-273900
- Siemens Security Advisories Portal: hxxps://www.siemens.com/cert/advisories
- Operational Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- Siemens Industrial Security Home: hxxps://www.siemens.com/industrialsecurity