Vulnerabilities reported in Siemens COMOS, one critical
Take action: If you're using Siemens COMOS industrial software (versions prior to 10.4.5), plan an upgrade to version 10.4.5 or later. In the meantime, compile code only from trusted sources and update all affected Babel packages (@babel/traverse, @babel/plugin-transform-runtime, @babel/preset-env) to their latest versions.
Siemens has patched multiple vulnerabilities in its COMOS industrial plant engineering software that could allow remote attackers to execute arbitrary code or infiltrate sensitive data.
Vulnerabilities summary:
- CVE-2023-45133 (CVSS score 9.3) - An incomplete list of disallowed inputs vulnerability affecting Siemens COMOS installations with COMOS Web deployed. The flaw is in the Babel JavaScript compiler component, in the @babel/traverse and babel-traverse libraries. When Babel is used to compile attacker-crafted code with certain plugins that rely on the path.evaluate() or path.evaluateTruthy() methods, arbitrary code execution can occur during compilation. Known affected plugins include @babel/plugin-transform-runtime, @babel/preset-env when using its useBuiltIns option, and various polyfill provider plugins such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, and babel-plugin-polyfill-regenerator.
- CVE-2024-0056 (CVSS score 8.7) - A cleartext transmission of sensitive information vulnerability affecting COMOS installations that use the COMOS Snapshots component. This flaw allows attackers with network access to intercept sensitive information transmitted in cleartext.
Both vulnerabilities affect COMOS versions prior to 10.4.5.
The widespread use of affected Babel plugins in modern JavaScript development environments means many COMOS installations could be vulnerable. Organizations should review external code and compile only trusted code.
Siemens strongly recommends that all users upgrade to COMOS version 10.4.5 or later. For organizations unable to immediately upgrade, alternative mitigations for CVE-2023-45133 include updating affected Babel packages to their latest versions: @babel/traverse@7.23.2 or @babel/traverse@8.0.0-alpha.4, @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, and updating all polyfill provider plugins to their latest versions.
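To verify the Babel mitigation above on a build host, the following added example (not Siemens or Babel project code) checks an npm lockfile for installed copies of the named packages that are older than the fixed versions listed in this advisory. The function names, the sample lockfile, and the assumption of an npm lockfile with a `packages` map (lockfileVersion 2 or 3) are illustrative.

```javascript
// Fixed versions as listed in the advisory text above.
const FIXED = new Map([
  ["@babel/traverse", ["7.23.2", "8.0.0-alpha.4"]],
  ["@babel/plugin-transform-runtime", ["7.23.2"]],
  ["@babel/preset-env", ["7.23.2"]],
]);
// Named as affected above, with no fixed version given there.
const NO_FIX_LISTED = new Set(["babel-traverse"]);
// "8.0.0-alpha.3" -> { nums: [8, 0, 0], pre: ["alpha", 3] }
function parse(v) {
  const [core, ...rest] = v.split("-");
  const pre = rest.length ? rest.join("-").split(".") : [];
  return { nums: core.split(".").map(Number), pre: pre.map((p) => (/^\d+$/.test(p) ? Number(p) : p)) };
}
// Simplified semver ordering: a release outranks its own prereleases.
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p !== q) return p === undefined || (q !== undefined && p < q) ? -1 : 1;
  }
  return 0;
}

// Check every installed copy, including ones nested under other packages.
function auditLock(lock) {
  const findings = [];
  for (const [path, { version }] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const fixes = FIXED.get(name);
    if (!version || (!fixes && !NO_FIX_LISTED.has(name))) continue;
    // Assumption: compare with the fix on the installed major line, else the first one listed.
    const fix = fixes ? fixes.find((f) => parse(f).nums[0] === parse(version).nums[0]) || fixes[0] : null;
    if (fix === null || cmp(version, fix) < 0) findings.push({ path, name, version, fix });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any COMOS installation.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/@babel/traverse": { version: "7.22.5" },
  "node_modules/@babel/plugin-transform-runtime": { version: "7.23.1" },
  "node_modules/some-tool/node_modules/@babel/traverse": { version: "8.0.0-alpha.3" },
  "node_modules/other-tool/node_modules/@babel/traverse": { version: "8.0.0-alpha.4" },
  "node_modules/babel-traverse": { version: "6.26.0" },
} };
console.log(auditLock(SAMPLE_LOCK));
```

To audit a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock`; a lockfile without a `packages` map yields no findings and needs a different check.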