Siemens reports critical flaws in OPC UA
Take action: This is a complicated advisory. The flaw exists in the OPC UA protocol stack implemented in various SIMATIC and other Siemens products, some of which will not receive patches at all. First, make sure all affected devices are isolated from the internet and reachable only from trusted networks. Then review the advisory in detail and make your own risk assessment. Ideally, patch your systems where an update exists. Otherwise, keep them isolated and record the residual risk for management - on devices without a fix, you cannot actually remove it.
Learn More
Siemens is reporting two critical security vulnerabilities affecting their OPC UA standard stack implementation across various industrial control products. These vulnerabilities allow attackers to bypass application authentication and gain unauthorized access to data managed by the server.
OPC UA (Open Platform Communications Unified Architecture), which these Siemens products implement, is a communication standard that enables secure and reliable data exchange between industrial devices and systems.
Vulnerabilities summary
- CVE-2024-42512 (CVSS score 9.1): Observable Timing Discrepancy - A vulnerability in the OPC UA .NET standard stack before 1.5.374.158 allows unauthorized attackers to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled.
- CVE-2024-42513 (CVSS score 9.3): Authentication Bypass by Primary Weakness - A vulnerability in the OPC UA .NET standard stack before 1.5.374.158 allows unauthorized attackers to bypass application authentication when using HTTPS endpoints.
The following Siemens products are affected:
- Industrial Edge for Machine Tools (formerly "SINUMERIK Edge"): All versions (CVE-2024-42513)
- SIMIT V11: All versions (CVE-2024-42512)
- SIMATIC BRAUMAT: All versions from V8.0 SP1 up to but not including V8.1 (CVE-2024-42513)
- SIMATIC Energy Manager PRO: All versions from V7.5 up to but not including V7.5 Update 2
- SIMATIC Energy Manager PRO: All versions after V7.2 Update 6
- SIMATIC IPC DiagMonitor: All versions (CVE-2024-42513)
- SIMATIC SISTAR: All versions from V8.0 SP1 up to but not including V8.1 (CVE-2024-42513)
- SIMATIC WinCC Unified V18: All versions (CVE-2024-42513)
- SIMATIC WinCC Unified V19: All versions before V19 Update 4 (CVE-2024-42513)
- SIMATIC WinCC V8.0: All versions before V8.0 Update 3 (CVE-2024-42513)
Siemens has identified specific mitigations for different products:
- SIMATIC Energy Manager PRO: Update to V7.5 Update 2 or later
- SIMATIC WinCC Unified V19: Update to V19 Update 4 or later
- SIMATIC WinCC V8.0: Update to V8.0 Update 3 or later
- SIMATIC BRAUMAT and SIMATIC SISTAR: Update to V8.1 or later
For some products, there are important notes about default configurations:
- SIMATIC WinCC Unified V18, SIMATIC WinCC Unified V19, and SIMATIC IPC DiagMonitor: The affected functionality (HTTPS endpoint in OPC UA server) is deactivated by default, so systems running with default configurations are not affected
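Because both CVEs only apply under a specific configuration (the deprecated Basic128Rsa15 policy for CVE-2024-42512, an enabled HTTPS endpoint for CVE-2024-42513), a quick configuration audit tells you which of your servers actually expose the vulnerable conditions while you wait for a patch or decide on isolation. The script below is an added example, not part of the Siemens advisory or the OPC UA .NET stack; it assumes the server is configured with the XML layout used by the OPC UA .NET standard stack's Opc.Ua.*.Config.xml files (BaseAddresses, ServerSecurityPolicy, SecurityPolicyUri and the two namespaces shown), and the two embedded configurations are constructed samples: one weak, one hardened.

```python
"""Audit an OPC UA .NET stack style application configuration for the two
conditions named in the Siemens advisory:
  - deprecated Basic128Rsa15 security policy enabled  (CVE-2024-42512)
  - HTTPS endpoint enabled                             (CVE-2024-42513)
Added example; config layout assumed from the OPC UA .NET stack's
Opc.Ua.*.Config.xml files, sample configs are constructed."""
import xml.etree.ElementTree as ET

# Namespaces of the OPC UA .NET stack configuration files (assumed).
NS = {
    "cfg": "http://opcfoundation.org/UA/SDK/Configuration.xsd",
    "ua": "http://opcfoundation.org/UA/2008/02/Types.xsd",
}
BASIC128RSA15 = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"

# Constructed sample: HTTPS endpoint and the deprecated policy both enabled.
WEAK_CONFIG = """<ApplicationConfiguration
    xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd"
    xmlns:ua="http://opcfoundation.org/UA/2008/02/Types.xsd">
  <ServerConfiguration>
    <BaseAddresses>
      <ua:String>opc.tcp://localhost:4840/Example</ua:String>
      <ua:String>https://localhost:4443/Example</ua:String>
    </BaseAddresses>
    <SecurityPolicies>
      <ServerSecurityPolicy>
        <SecurityMode>SignAndEncrypt_3</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri>
      </ServerSecurityPolicy>
      <ServerSecurityPolicy>
        <SecurityMode>SignAndEncrypt_3</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
      </ServerSecurityPolicy>
    </SecurityPolicies>
  </ServerConfiguration>
</ApplicationConfiguration>"""

# Constructed sample: same server with the HTTPS endpoint removed and only
# the Basic256Sha256 policy left, i.e. neither advisory condition applies.
HARDENED_CONFIG = """<ApplicationConfiguration
    xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd"
    xmlns:ua="http://opcfoundation.org/UA/2008/02/Types.xsd">
  <ServerConfiguration>
    <BaseAddresses>
      <ua:String>opc.tcp://localhost:4840/Example</ua:String>
    </BaseAddresses>
    <SecurityPolicies>
      <ServerSecurityPolicy>
        <SecurityMode>SignAndEncrypt_3</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
      </ServerSecurityPolicy>
    </SecurityPolicies>
  </ServerConfiguration>
</ApplicationConfiguration>"""


def audit(config_xml: str) -> list[str]:
    """Return one finding per advisory condition present in the config."""
    root = ET.fromstring(config_xml)
    findings = []
    # CVE-2024-42513 condition: any base address served over HTTPS.
    for addr in root.iterfind(".//cfg:BaseAddresses/ua:String", NS):
        url = (addr.text or "").strip()
        if url.lower().startswith("https://"):
            findings.append(f"CVE-2024-42513: HTTPS endpoint enabled: {url}")
    # CVE-2024-42512 condition: the deprecated Basic128Rsa15 policy offered.
    for policy in root.iterfind(".//cfg:ServerSecurityPolicy", NS):
        uri = policy.findtext("cfg:SecurityPolicyUri", default="", namespaces=NS).strip()
        if uri == BASIC128RSA15:
            findings.append("CVE-2024-42512: deprecated Basic128Rsa15 security policy enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["no advisory condition present"])
```

Run it against your own exported configuration by passing the file contents to `audit()`; an empty result only means the two advisory conditions are absent, it does not replace updating the stack to 1.5.374.158 or later, and the packaged Siemens products may not expose this XML at all, in which case the product-specific notes above are what you have to go on.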
For several products including Industrial Edge for Machine Tools, SIMATIC IPC DiagMonitor, SIMATIC Energy Manager PRO, SIMATIC WinCC Unified V18, and SIMIT V11, Siemens notes that no fix is currently available or planned.
As general security measures, Siemens recommends:
- Protecting network access to devices with appropriate mechanisms
- Operating devices in a protected IT environment configured according to Siemens' operational guidelines
- Following recommendations in the product manuals