What are the critical vulnerabilities reported by Siemens in Sinteso and Cerberus PRO EN Fire Protection Systems?

Siemens reported critical vulnerabilities in Sinteso EN and Cerberus PRO EN Fire Protection Systems that could lead to arbitrary code execution or a denial-of-service (DoS) condition if exploited. The vulnerabilities identified include CVE-2024-22039 (CVSS score 10.0) related to a buffer overflow, CVE-2024-22040 (CVSS score 8.7) related to an out-of-bounds read, and CVE-2024-22041 (CVSS score 8.7) related to improper restrictions of operations within the bounds of a memory buffer.

Which Siemens fire protection products are affected by these vulnerabilities?

Affected products include the Cerberus PRO EN Engineering Tool, Cerberus PRO EN Fire Panel FC72x, Cerberus PRO EN X200 and X300 Cloud Distribution, Sinteso FS20 EN Engineering Tool, Sinteso FS20 EN Fire Panel FC20, Sinteso FS20 EN X200 and X300 Cloud Distribution, and Sinteso Mobile.

What recommendations has Siemens provided for mitigating these vulnerabilities?

Siemens recommended updating affected products to newer versions or specific releases where available to mitigate the vulnerabilities. Recommendations include updating Sinteso Mobile to V3.0.0 or later for CVE-2024-22039, and various updates for other affected products like the Cerberus PRO EN X200/X300 Cloud Distribution and Sinteso FS20 EN Engineering Tool to specified versions that address the identified vulnerabilities.

Advisory

Siemens fixes critical issue in Sintesoand Cerberus Fire Protection Systems

Q: Are there any general security measures Siemens advises for the affected fire protection systems?

Siemens advises on general security measures such as protecting network access to devices and operating them in a protected IT environment to mitigate the risks associated with these vulnerabilities.

published: March 20, 2024

Take action: A very big list of products to patch. With a very high severity flaws, so don't delay.

Learn More

Siemens is reporting critical vulnerabilities in Sinteso EN and Cerberus PRO EN Fire Protection Systems. The vulnerabilities, if successfully exploited by an unauthenticated attacker with access to the fire protection system network, could lead to arbitrary code execution or create a denial-of-service (DoS) condition on the affected products.

Affected products include versions of:

Cerberus PRO EN Engineering Tool,
Cerberus PRO EN Fire Panel FC72x,
Cerberus PRO EN X200 and X300 Cloud Distribution,
Sinteso FS20 EN Engineering Tool,
Sinteso FS20 EN Fire Panel FC20,
Sinteso FS20 EN X200 and X300 Cloud Distribution,
Sinteso Mobile.

The vulnerabilities identified are:

CVE-2024-22039 (CVSS score 10.0): A buffer overflow vulnerability in the network communication library related to the handling of certain X.509 certificate attributes, which could allow remote code execution with root privileges.
CVE-2024-22040 (CVSS score 8.7): An out-of-bounds read vulnerability that could result in a buffer overread, potentially crashing the network service.
CVE-2024-22041 (CVSS score 8.7): An improper restriction of operations within the bounds of a memory buffer, also potentially crashing the network service.

Siemens has recommended specific updates and mitigations for affected products, including updating to newer versions of the software where available.

Sinteso Mobile (CVE-2024-22039): Update to V3.0.0 or later version
Sinteso Mobile (CVE-2024-22040, CVE-2024-22041): Currently no fix is planned
Cerberus PRO EN X200 Cloud Distribution and Sinteso FS20 EN X200 Cloud Distribution (CVE-2024-22039): Update to V4.0.5016 or later version
Cerberus PRO EN X200 Cloud Distribution and Sinteso FS20 EN X200 Cloud Distribution (CVE-2024-22040, CVE-2024-22041): Update to V4.3.5618 or later version
Cerberus PRO EN X300 Cloud Distribution and Sinteso FS20 EN X300 Cloud Distribution (CVE-2024-22040, CVE-2024-22041): Update to V4.3.5617 or later version
Cerberus PRO EN X300 Cloud Distribution and Sinteso FS20 EN X300 Cloud Distribution (CVE-2024-22039): Update to V4.2.5015 or later version
Cerberus PRO EN Engineering Tool and Cerberus PRO EN Fire Panel FC72x (CVE-2024-22039): Update to IP8 or later version
Cerberus PRO EN Engineering Tool and Sinteso FS20 EN Engineering Tool (CVE-2024-22040, CVE-2024-22041): Currently no fix is available
Sinteso FS20 EN Engineering Tool and Sinteso FS20 EN Fire Panel FC20 (CVE-2024-22039): Update to MP8 or later version
Sinteso FS20 EN Fire Panel FC20 (CVE-2024-22040, CVE-2024-22041): Update to MP8 SR4 or later version
Cerberus PRO EN Fire Panel FC72x (CVE-2024-22040, CVE-2024-22041): Update to IP8 SR4 or later version

Siemens also advises on general security measures such as protecting network access to devices and operating them in a protected IT environment.

Siemens fixes critical issue in Sintesoand Cerberus Fire Protection Systems

Read More
Critical authentication bypass flaw reported in Instantel Micromate …
Critical vulnerabilities reported in EG4 electronics solar inverters
Critical flaws reported in Planet Technology's WGS-804HPT industrial …
Critical vulnerabilities reported in Axis Communications Camera management …
Nozomi Networks Labs reports critical flaws in Advantech's …