Advisory

Siemens reports multiple critical vulnerabilities in SENTRON 7KT Data Manager, won't be patched

Take action: If you are running the Siemens SENTRON 7KT PAC1260 Data Manager, make sure it runs on systems isolated from the internet and accessible only from trusted networks. Warn all operators to be extremely careful with phishing and malware; ideally, never connect to the Siemens device from a computer that is also used for checking email or has any other internet connectivity. Finally, plan to replace the devices, as they will not receive a patch from Siemens.


Learn More

Siemens has disclosed multiple security vulnerabilities affecting all versions of the SENTRON 7KT PAC1260 Data Manager. According to the advisory, Siemens will not provide software fixes for the affected products and instead recommends replacing them with the newer SENTRON 7KT PAC1261 Data Manager model.

Vulnerability summary

  • CVE-2024-41794 (CVSS score 10.0): The devices contain hardcoded credentials for remote access to the operating system with root privileges, allowing unauthenticated attackers full device access if they possess these credentials and if SSH is enabled.
  • CVE-2024-41788 (CVSS score 9.4): The web interface fails to sanitize input parameters in specific GET requests, allowing authenticated remote attackers to execute arbitrary code with root privileges.
  • CVE-2024-41789 (CVSS score 9.4): The web interface does not sanitize the language parameter in specific POST requests, enabling authenticated remote attackers to execute arbitrary code with root privileges.
  • CVE-2024-41790 (CVSS score 9.4): The web interface fails to sanitize the region parameter in specific POST requests, permitting authenticated remote attackers to execute arbitrary code with root privileges.
  • CVE-2024-41792 (CVSS score 9.2): A path traversal vulnerability in the web interface allows unauthenticated attackers to access arbitrary files on the device with root privileges.
  • CVE-2024-41793 (CVSS score 7.7): The web interface includes an endpoint that enables the SSH service without authentication, allowing unauthenticated remote attackers to enable remote access to the device.
  • CVE-2024-41791 (CVSS score 6.9): The web interface does not authenticate report creation requests, allowing unauthenticated remote attackers to read or clear log files, reset the device, or change date and time settings.
  • CVE-2024-41795 (CVSS score 6.9): The web interface is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing unauthenticated attackers to change device settings by tricking administrators into clicking malicious links.
  • CVE-2024-41796 (CVSS score 6.9): The web interface allows password changes without verifying the current password, which combined with CSRF could allow attackers to set administrator passwords to values they control.

Siemens has stated that no software fixes will be provided for the affected SENTRON 7KT PAC1260 Data Manager. Instead, customers are advised to:

  1. Replace vulnerable devices with the new SENTRON 7KT PAC1261 Data Manager and update it to the latest available firmware version.
  2. Implement the following mitigations to reduce risk:
    • For CVE-2024-41795 and CVE-2024-41796: Do not access links from untrusted sources while logged in to affected devices.
    • Follow Siemens' operational guidelines for Industrial Security.
    • Protect network access to devices with appropriate mechanisms.
    • Configure the environment according to product manuals.
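
Because the advisory describes an endpoint that switches SSH on without authentication (CVE-2024-41793) and hard-coded root credentials that become usable once SSH is up (CVE-2024-41794), a device that should have SSH disabled answering on TCP/22 is a useful alarm. The following is an added monitoring example, not Siemens code; the device inventory and its 192.0.2.x address are constructed placeholders.

```python
"""Alert when SSH becomes reachable on a SENTRON 7KT PAC1260 that should have it off.

Added example, not Siemens code. Run it from the trusted management segment on a
schedule; a newly reachable TCP/22 on a device whose expected state is "disabled"
should be treated as a possible exploitation of the SSH-enabling endpoint.
"""
import socket
from dataclasses import dataclass

# Constructed inventory (placeholder addresses): name -> (host, ssh_expected_enabled)
DEVICES = {
    "pac1260-substation-a": ("192.0.2.10", False),
    "pac1260-substation-b": ("192.0.2.11", False),
}


@dataclass
class SshCheck:
    name: str
    host: str
    port: int
    reachable: bool
    expected_enabled: bool

    @property
    def alert(self) -> bool:
        # Alert only when SSH answers on a device that is supposed to have it switched off.
        return self.reachable and not self.expected_enabled


def ssh_reachable(host: str, port: int = 22, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes, i.e. a service is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered or timed out: treat as not reachable.
        return False


def check_devices(inventory: dict, port: int = 22, timeout: float = 2.0) -> list:
    """Probe every inventoried device and return one SshCheck per device."""
    return [
        SshCheck(name, host, port, ssh_reachable(host, port, timeout), expected)
        for name, (host, expected) in inventory.items()
    ]


if __name__ == "__main__":
    for r in check_devices(DEVICES):
        status = "ALERT: SSH reachable but expected disabled" if r.alert else "ok"
        print(f"{r.name} {r.host}:{r.port} reachable={r.reachable} {status}")
```

The same probe, run from an untrusted segment against the web interface port, also verifies that the network isolation recommended above is actually in place.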

The new hardware model 7KT1261 is available at https://mall.industry.siemens.com/mall/en/ww/Catalog/Product/?mlfb=7kt1261.