Siemens Product Security Update Advisory
Overview
We have released a security update to fix vulnerabilities in Siemens products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2024-47100
SIMATIC S7-1200 CPU family V4 versions: up to V4.7 (excluded)
CVE-2024-53649
SIPROTEC 5 – CP050 devices versions: up to V9.80 (excluded)
SIPROTEC 5 – CP100 devices versions: all versions
SIPROTEC 5 – CP150 devices versions: up to V9.80 (excluded)
SIPROTEC 5 – CP300 devices versions: up to V9.80 (excluded)
CVE-2024-56841
Mendix LDAP versions: up to V1.1.2 (excluded)
Resolved Vulnerabilities
Cross-site request forgery vulnerability (CVE-2024-47100)
Failure to restrict file system access through a web server (CVE-2024-53649)
LDAP injection vulnerability that could allow username validation to be bypassed (CVE-2024-56841)
Vulnerability Patches
Vulnerability patches have been made available in the latest updates. Please follow the instructions on the referenced sites to update to the latest patched version.
For more information on the vulnerability patches, please refer to the referenced sites [1], [2], [3].
CVE-2024-47100
SIMATIC S7-1200 CPU family V4 version: V4.7 or later
CVE-2024-53649
SIPROTEC 5 – CP050 devices version: V9.80 or later
SIPROTEC 5 – CP100 devices version: no patched version currently available
SIPROTEC 5 – CP150 devices version: V9.80 or later
SIPROTEC 5 – CP300 devices version: V9.80 or later
CVE-2024-56841
Mendix LDAP version: V1.1.2 or later
References
[1] SSA-717113: Cross-Site Request Forgery (CSRF) Vulnerability in SIMATIC S7-1200 CPUs before V4.7
https://cert-portal.siemens.com/productcert/html/ssa-717113.html
[2] SSA-194557: Improper Limitation of Filesystem Access through Web Server Vulnerability in SIPROTEC 5
https://cert-portal.siemens.com/productcert/html/ssa-194557.html
[3] SSA-314390: LDAP Injection Vulnerability in Mendix LDAP Module
https://cert-portal.siemens.com/productcert/html/ssa-314390.html