Full Report
Desigo CC deployments that use the Installed Client are affected by an information disclosure vulnerability that could leak information from the Desigo CC server. The other Desigo CC client options, Windows App Client and Flex Client, are not affected. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Information Disclosure in Desigo CC Installed Client Leading to Possible SQL Injection
## CVE Details
- CVE ID: CVE-2024-23815
- CVSS Score: 7.5 (High) [CVSS v3.1] / 8.7 (High) [CVSS v4.0]. Note that 8.7 sits in the v4.0 High band (7.0 to 8.9); Critical starts at 9.0. The v3.1 metrics quoted in this summary (network, low complexity, unauthenticated, confidentiality only) are consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which scores exactly 7.5.
- CWE: CWE-306: Missing Authentication for Critical Function
## Affected Systems
- Products: Desigo CC
- Versions: All versions (if access from Installed Clients to Desigo CC server is allowed)
- Configurations: Deployed with the **Installed Client** option enabled and accessible. **Windows App Client** and **Flex Client** options are **NOT** affected.
## Vulnerability Description
The Desigo CC server fails to properly authenticate specific requests originating from the Installed Client. An unauthenticated remote attacker who can reach the server's event port (default: 4998/tcp) could send such requests from a modified client binary and execute arbitrary SQL queries against the Desigo CC server database. The impact scored by the advisory is information disclosure.
## Exploitation
- Status: an exploitation path is described (a modified client binary issuing unauthenticated requests to the event port); the summary does not state whether a public PoC exists or whether exploitation has been observed in the wild.
- Complexity: Low (AC:L); no credentials are required.
- Attack Vector: Network (AV:N) in the base vector, which assumes the event port is reachable by the attacker. The summary also notes an alternative Adjacent (AV:A) scoring for deployments where the server sits inside a highly protected zone and an attacker would first need a foothold there.
## Impact
- Confidentiality: High (C:H); information leakage from the server database through the injected SQL.
- Integrity: scored None (I:N) in the v3.1 vector, so the 7.5 score reflects confidentiality only. Because the page describes arbitrary SQL execution rather than a read-only leak, data modification is not ruled out and should be considered when assessing risk.
- Availability: scored None (A:N); no availability impact is described.
## Remediation
### Patches
This summary gives no fixed version: the affected range is listed as all versions, and the advisory text recommends countermeasures where a fix is not, or not yet, available. Check the full Siemens advisory SSA-523418 for fixed versions published since, and keep the workarounds below in place until one is installed.
### Workarounds
Siemens recommends the following countermeasures on affected Desigo CC servers until a fix is installed:
1. **Disable support for Installed Clients** on the Desigo CC server.
2. **Restrict network access** to the Desigo CC server's event port (default: **4998/tcp**).
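As an added example (not from the Siemens advisory or from Desigo CC itself), the following PowerShell implements the second countermeasure on the server host with Windows Defender Firewall: it scopes every inbound allow rule for the event port to the sanctioned Installed Client addresses, creates such a rule if none exists, makes the profile default deny, and turns on logging so that connections to the port can be reviewed. The address list, the rule name and the log path are assumptions; the port is the advisory's default.

```powershell
# Added example, not from the Siemens advisory: restrict inbound 4998/tcp on a
# Desigo CC server host to sanctioned Installed Client addresses with Windows
# Defender Firewall. Run as Administrator. Addresses and names are assumptions.
$EventPort      = 4998                                  # Desigo CC event port (advisory default)
$AllowedClients = @('10.10.20.0/24', '10.10.21.15')     # assumed Installed Client subnet and host
$RuleName       = 'Desigo CC event port (sanctioned Installed Clients only)'

# 1. Any existing inbound allow rule that opens the event port to 'Any' (for
#    example one created at installation) would undo the restriction, so scope
#    every such rule to the allow-list instead of deleting it.
$openRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and "$($_.LocalPort)" -eq "$EventPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($rule in $openRules) {
    Write-Host "Scoping existing rule '$($rule.DisplayName)' to sanctioned clients"
    $rule | Set-NetFirewallRule -RemoteAddress $AllowedClients
}

# 2. If no rule opens the port at all, create one that is scoped from the start.
if (-not $openRules) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $EventPort -RemoteAddress $AllowedClients `
        -Profile Domain,Private | Out-Null
}

# 3. Drop unsolicited inbound traffic that matches no allow rule, and log both
#    dropped and allowed packets so connection attempts to the port are recorded.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block `
    -LogBlocked True -LogAllowed True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 4. Verify: every inbound allow rule on the port must now carry a RemoteAddress
#    other than 'Any'. Re-run this after product upgrades, which may add rules.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and "$($_.LocalPort)" -eq "$EventPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-60} RemoteAddress={1}' -f $_.DisplayName, ($addr -join ',')
    }
```

The host firewall is a second line behind the network firewall or zone boundary, not a replacement for it: the same allow-list belongs on the perimeter device in front of the server. The first countermeasure, disabling Installed Client support, is a Desigo CC server-side setting for which this page gives no procedure, so it is not scripted here.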
## Detection
- Exploitation requires a TCP connection to the event port (default: 4998/tcp), so any connection to that port from a host that is not a known client workstation is suspicious.
- Maintain an inventory of the sanctioned Installed Client hosts and alert on every other source that connects to TCP port 4998 on the Desigo CC server. Firewall, NetFlow or network-sensor connection logs are sufficient for this. Inspecting payloads for SQL-like content only helps where the client protocol is visible to the sensor, so treat source-based allow-listing as the primary detection and content matching as a supplement.
- Once access is restricted, blocked connection attempts to the port are themselves a useful signal of reconnaissance or of a misconfigured client.
- Follow the general Siemens security recommendations in the advisory for operating the system in a protected IT environment.
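To make the monitoring point concrete, here is an added PowerShell example (not part of the advisory or of Desigo CC) that reads Windows Defender Firewall log lines, keeps inbound TCP connections to the event port, and reports every source that is not a sanctioned Installed Client, split into attempts the firewall allowed versus dropped. The sample lines are constructed in the pfirewall.log W3C layout and the allow-list is an assumption; connection records from Zeek or NetFlow can be fed through the same logic after a field mapping.

```powershell
# Added example, not from the Siemens advisory: flag hosts that reach the Desigo
# CC event port (default 4998/tcp) without being sanctioned Installed Clients,
# using Windows Defender Firewall log lines. IPv4 only; the allow-list is assumed.

function ConvertTo-IPv4Int {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { return $null }         # IPv6 is not handled in this example
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }                # a bare address is a /32
    $ipInt  = ConvertTo-IPv4Int $Ip
    $netInt = ConvertTo-IPv4Int $net
    if ($null -eq $ipInt -or $null -eq $netInt) { return $false }
    # 64-bit arithmetic avoids sign problems with 32-bit shifts in PowerShell
    $mask = if ([int]$bits -eq 0) { 0 } else { (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF }
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Find-UnexpectedEventPortClients {
    param(
        [string[]]$LogLines,
        [string[]]$AllowedClients,
        [int]$EventPort = 4998
    )
    # pfirewall.log W3C fields: date time action protocol src-ip dst-ip src-port
    # dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    $hits = @{}
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        $when, $action, $proto, $srcIp, $dstPort, $path = "$($f[0]) $($f[1])", $f[2], $f[3], $f[4], $f[7], $f[16]
        # Only inbound (RECEIVE) TCP traffic aimed at the event port is of interest
        if ($proto -ne 'TCP' -or $path -ne 'RECEIVE' -or $dstPort -ne "$EventPort") { continue }
        $sanctioned = $false
        foreach ($cidr in $AllowedClients) {
            if (Test-IPv4InCidr -Ip $srcIp -Cidr $cidr) { $sanctioned = $true; break }
        }
        if ($sanctioned) { continue }
        if (-not $hits.ContainsKey($srcIp)) {
            $hits[$srcIp] = [pscustomobject]@{ SourceIp = $srcIp; Allowed = 0; Dropped = 0; FirstSeen = $when }
        }
        if ($action -eq 'ALLOW') { $hits[$srcIp].Allowed++ } else { $hits[$srcIp].Dropped++ }
    }
    # Sources with Allowed > 0 matter most: either the rule scope has a gap or an
    # unsanctioned machine is speaking the client protocol to the server.
    return @($hits.Values | Sort-Object -Property Allowed, Dropped -Descending)
}

# Constructed sample lines in pfirewall.log layout (not real Desigo CC traffic).
# The server is 10.10.20.50; the sanctioned Installed Client subnet is 10.10.20.0/24.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-14 09:12:01 ALLOW TCP 10.10.20.7 10.10.20.50 51522 4998 0 - 0 0 0 - - - RECEIVE
2024-03-14 09:12:05 ALLOW TCP 10.10.99.3 10.10.20.50 40112 4998 0 - 0 0 0 - - - RECEIVE
2024-03-14 09:12:06 ALLOW TCP 10.10.99.3 10.10.20.50 40113 4998 0 - 0 0 0 - - - RECEIVE
2024-03-14 09:12:09 DROP TCP 192.0.2.44 10.10.20.50 55010 4998 0 S 1 0 64240 - - - RECEIVE
2024-03-14 09:12:10 ALLOW TCP 10.10.20.7 10.10.20.50 51530 443 0 - 0 0 0 - - - RECEIVE
'@ -split '\r?\n'

$Allowed = @('10.10.20.0/24')     # assumed sanctioned Installed Client subnet
Find-UnexpectedEventPortClients -LogLines $sampleLog -AllowedClients $Allowed | Format-Table -AutoSize

# On the server itself, read the live log once firewall logging is enabled:
# Find-UnexpectedEventPortClients -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log") -AllowedClients $Allowed
```

The constructed sample is built so that the sanctioned host 10.10.20.7 is ignored (including its unrelated port 443 connection), the unsanctioned host 10.10.99.3 shows up with two allowed connections, and 192.0.2.44 shows up with one dropped attempt. The allowed entries from an unsanctioned source are the ones to escalate, since they mean the restriction described above is not in effect for that path.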
## References
- Vendor Advisories: SSA-523418