Full Report
Polarion ALM contains a misconfiguration in its default Apache HTTP Server configuration that could allow an attacker to perform host header injection attacks. Siemens has released an update for Polarion ALM and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Host Header Injection in Siemens Polarion ALM
## CVE Details
- **CVE ID:** CVE-2022-46265
- **CVSS Score:** 5.4 (Medium)
- **CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N`
- **CWE:** CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
## Affected Systems
- **Products:** Siemens Polarion ALM
- **Versions:** All versions prior to V2304
- **Configurations:** Systems using the default Apache HTTP Server configuration provided with the installation.
## Vulnerability Description
Polarion ALM contains a misconfiguration within its default Apache HTTP Server setup. The application fails to properly validate or neutralize the HTTP `Host` header provided by the client. An attacker can manipulate this header to inject arbitrary domain names. Because the application may reflect this header in generated links (such as password reset emails or page redirects), it can be used to facilitate web-based attacks.
## Exploitation
- **Status:** PoC Available (exploit code maturity is "Proof-of-Concept" per CVSS `E:P`)
- **Complexity:** Low
- **Attack Vector:** Network
- **User Interaction:** Required (The vulnerability typically requires a user to click a rogue link generated by the server using the injected header).
## Impact
- **Confidentiality:** Low (Potential for credential theft via phishing/redirection)
- **Integrity:** Low (Manipulation of URLs and redirection targets)
- **Availability:** None
## Remediation
### Patches
Siemens recommends updating Polarion ALM to the latest version to resolve this misconfiguration.
- **Polarion ALM V2304** or later: Contains the fix for this vulnerability.
### Workarounds
The advisory does not list a specific software-level workaround. However, Siemens suggests:
- Applying general security measures to protect network access.
- Configuring the environment according to Siemens' operational guidelines for Industrial Security.
- Implementing a Load Balancer or Reverse Proxy that enforces strict Host header validation before traffic reaches the Polarion ALM server.
## Detection
- **Indicators of Compromise:** Unusual "Host" values in Apache access logs that do not match the legitimate server FQDN or IP.
- **Detection Methods:** Vulnerability scanners can identify this flaw by sending a request with a modified `Host` header and checking whether the application reflects that value in a response header (e.g., `Location`) or in the response body.
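The access-log indicator above can be checked with a short script. This is an added example, not part of the Siemens advisory or of Polarion ALM; it assumes Apache has been configured to log the `Host` header with the `LogFormat` shown in the comment (the stock `combined` format does not record it), and the allowlist and log lines are constructed sample values.

```python
import re

# Assumption: the Polarion vhost logs with a custom format that appends the Host header:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\"" hostlog
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" '
    r'\d{3} \S+ "(?P<host>(?:[^"\\]|\\.)*)"$'
)

# Constructed allowlist: the server's legitimate FQDN and IP address.
ALLOWED_HOSTS = {"polarion.example.com", "192.0.2.10"}

def normalize_host(raw):
    """Lowercase, drop an optional :port and a trailing dot; keep IPv6 literals."""
    host = raw.strip().lower()
    if host.startswith("["):                    # bracketed IPv6, e.g. [2001:db8::1]:443
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    if host.count(":") == 1:                    # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def find_unexpected_hosts(lines, allowed=ALLOWED_HOSTS):
    """Return (line_no, client, raw_host, reason) for every entry worth reviewing."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            findings.append((no, None, None, "unparsable"))
            continue
        raw = m.group("host")
        if raw in ("", "-"):                    # Apache logs "-" when the header is absent
            findings.append((no, m.group("client"), raw, "missing Host"))
        elif normalize_host(raw) not in allowed:
            findings.append((no, m.group("client"), raw, "unexpected Host"))
    return findings

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2023:10:01:22 +0000] "GET /polarion/ HTTP/1.1" 200 5123 "polarion.example.com"',
    '198.51.100.7 - - [12/May/2023:10:01:25 +0000] "GET /polarion/ HTTP/1.1" 200 5123 "Polarion.Example.com:443"',
    '203.0.113.50 - - [12/May/2023:10:02:01 +0000] "GET /polarion/ HTTP/1.1" 302 - "unexpected.example.net"',
    '203.0.113.50 - - [12/May/2023:10:02:04 +0000] "GET / HTTP/1.0" 200 312 "-"',
    '198.51.100.9 - - [12/May/2023:10:03:10 +0000] "GET /polarion/ HTTP/1.1" 200 5123 "192.0.2.10"',
]

if __name__ == "__main__":
    for finding in find_unexpected_hosts(SAMPLE_LOG):
        print(finding)
```

Normalizing case, port and trailing dot before the comparison keeps legitimate variants of the server name from being reported, so the output is limited to values that genuinely differ from the expected FQDN or IP.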
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-792594[.]pdf
- **Siemens Industrial Security Home:** hxxps://www[.]siemens[.]com/industrialsecurity
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories