Full Report
The RUGGEDCOM CROSSBOW server application before V5.4 contains multiple vulnerabilities that could allow an attacker to execute arbitrary database queries via SQL injection attacks, to create a denial of service condition, or to write arbitrary files to the application's file system. Siemens has released an update for RUGGEDCOM CROSSBOW and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Siemens RUGGEDCOM CROSSBOW
## CVE Details
- **CVE ID:** CVE-2023-37372, CVE-2023-27411, CVE-2021-31239, CVE-2022-37971, CVE-2023-37373
- **CVSS Score:** 9.8 (Critical; the highest of the listed CVEs)
- **CWE:**
  - CWE-89: SQL Injection
  - CWE-125: Out-of-bounds Read
  - CWE-269: Improper Privilege Management
  - CWE-306: Missing Authentication
## Affected Systems
- **Products:** RUGGEDCOM CROSSBOW
- **Versions:** All versions prior to V5.4
- **Configurations:** Systems utilizing the CROSSBOW server application for secure access management to Intelligent Electronic Devices (IEDs).
## Vulnerability Description
RUGGEDCOM CROSSBOW suffers from multiple security flaws ranging from critical SQL injections to improper file handling. The most severe flaw (CVE-2023-37372) allows unauthenticated remote attackers to execute arbitrary SQL queries against the server database. Additionally, the application fails to authenticate certain file write messages (CVE-2023-37373), allowing the creation of arbitrary files on the system. The advisory also addresses inherited vulnerabilities in SQLite (DoS) and Microsoft Windows Defender (Privilege Escalation) that impact the product environment.
## Exploitation
- **Status:** PoC available (Proof of Concept exists for several of the listed CVEs, though no active exploitation in the wild is confirmed in the advisory).
- **Complexity:** Low to High (Varies by CVE; SQL injections are generally Low complexity).
- **Attack Vector:** Network (Majority) and Local (CVE-2022-37971).
## Impact
- **Confidentiality:** High (Full database access via SQL injection).
- **Integrity:** High (Ability to modify database records and write arbitrary files).
- **Availability:** High (Potential for Denial of Service and data deletion).
## Remediation
### Patches
- **RUGGEDCOM CROSSBOW V5.4:** Siemens recommends updating to V5.4 or later immediately.
- **Download Link:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109822716/
### Workarounds
- Protect network access to devices with appropriate perimeter security (firewalls/VLANs).
- Configure the environment according to Siemens' operational guidelines for Industrial Security.
- Adhere to the NERC CIP compliance configurations recommended in the product manuals.
## Detection
- **Indicators of Compromise:**
  - Unusual SQL query patterns in database logs.
  - Unexpected files appearing in the CROSSBOW application directories.
  - Service instability or crashes due to out-of-bounds reads.
- **Detection methods and tools:**
  - Audit server logs for unauthenticated requests to file-write endpoints.
  - Use Network Intrusion Detection Systems (NIDS) to flag potential SQL injection strings (e.g., `' OR 1=1`) targeting the CROSSBOW server.
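As an added illustration of the two detection methods above (example code, not part of the advisory or any Siemens tooling), the following Python scans request-log lines for SQL-injection tautologies and for file-write requests made without authentication. The log format, field names and the `/api/file/write` path are assumptions, since the advisory does not name CROSSBOW's endpoints; the log lines are constructed.

```python
import re
from typing import Dict, List

# Constructed sample request log (not real CROSSBOW output). The layout
# "timestamp key=value ... query=<raw tail>" and the endpoint path are
# assumptions made for this example only.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 user=admin auth=yes path=/api/devices query=id=42
2024-05-01T10:00:02Z src=10.0.0.9 user=- auth=no path=/api/devices query=id=42' OR 1=1--
2024-05-01T10:00:03Z src=10.0.0.9 user=- auth=no path=/api/file/write query=name=report.txt
2024-05-01T10:00:04Z src=10.0.0.5 user=admin auth=yes path=/api/file/write query=name=backup.cfg
2024-05-01T10:00:05Z src=10.0.0.9 user=- auth=no path=/api/devices query=id=1 UNION SELECT 1,2,3
"""

# Hypothetical file-write endpoint prefix; adjust to the real application's paths.
FILE_WRITE_PREFIX = "/api/file/write"

# Coarse SQL injection signatures: tautology, UNION-based read, comment/stacked query.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"--|/\*|;\s*(drop|delete|update|insert)\b", re.I),
]


def parse_line(line: str) -> Dict[str, str]:
    """Split a log line into fields; everything after 'query=' is kept raw."""
    head, _, query = line.partition(" query=")
    parts = head.split()
    fields = {"timestamp": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    fields["query"] = query
    return fields


def classify(fields: Dict[str, str]) -> List[str]:
    """Return the alert names that apply to one parsed log line."""
    alerts = []
    if any(p.search(fields["query"]) for p in SQLI_PATTERNS):
        alerts.append("sqli_pattern")
    if fields.get("path", "").startswith(FILE_WRITE_PREFIX) and fields.get("auth") != "yes":
        alerts.append("unauthenticated_file_write")
    return alerts


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan every non-empty line and collect the ones that raise an alert."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            fields = parse_line(line)
            alerts = classify(fields)
            if alerts:
                findings.append({"timestamp": fields["timestamp"],
                                 "src": fields.get("src", ""), "alerts": alerts})
    return findings
```

Feeding the constructed log above through `scan_log` flags the three requests from 10.0.0.9 and leaves the two authenticated admin requests alone.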
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-472630.html
- **Siemens Industrial Security:** hxxps://www.siemens[.]com/industrialsecurity
- **Operational Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security