NCSC NL | Beveiligingsadviezen

Beveilingsadvies; NCSC-2025-0106 [1.0.0]

Beveiligingsadvies: NCSC-2025-0106 [1.0.0]
Publicatie: 08-04-2025 15:57 (Europe/Amsterdam)
Prioriteit: Normaal
Betreft: Kwetsbaarheden verholpen in Siemens producten

Kenmerken

Improper Authentication
Use of a Cryptographic Primitive with a Risky Implementation
Unchecked Input for Loop Condition
Dependency on Vulnerable Third-Party Component
Race Condition Enabling Link Following
Unprotected Alternate Channel
Incorrect Provision of Specified Functionality
Excessive Iteration
Time-of-check Time-of-use (TOCTOU) Race Condition
Expected Behavior Violation
Improper Check for Unusual or Exceptional Conditions
Cleartext Transmission of Sensitive Information
Improper Validation of Integrity Check Value
Missing Cryptographic Step
Improper Resource Shutdown or Release
Improper Restriction of Operations within the Bounds of a Memory Buffer
Inefficient Regular Expression Complexity
Use After Free
NULL Pointer Dereference
Use of a Broken or Risky Cryptographic Algorithm
Uncontrolled Resource Consumption
Out-of-bounds Write
Exposure of Sensitive Information to an Unauthorized Actor
Heap-based Buffer Overflow
Improper Input Validation
Weak Authentication
Observable Response Discrepancy
External Control of System or Configuration Setting
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Isolation or Compartmentalization
Improper Control of Generation of Code ('Code Injection')
Unverified Password Change
Use of Hard-coded Credentials
Improper Privilege Management
Improper Certificate Validation

Omschrijving

Siemens heeft kwetsbaarheden verholpen in diverse producten als Industrial Edge Devices, Mendix, SENTRON, SIDIS, SIMATIC, SIPLUS,Insights Hub Private Cloud, Siemens License Server en Solid Edge.

De kwetsbaarheden stellen een kwaadwillende mogelijk in staat aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:

Denial-of-Service (DoS)
Manipulatie van gegevens
Omzeilen van een beveiligingsmaatregel
Omzeilen van authenticatie
(Remote) code execution (root/admin rechten)
(Remote) code execution (Gebruikersrechten)
Toegang tot systeemgegevens
Toegang tot gevoelige gegevens
Spoofing

De kwaadwillende heeft hiervoor toegang nodig tot de productieomgeving. Het is goed gebruik een dergelijke omgeving niet publiek toegankelijk te hebben.

Oplossingen

Siemens heeft beveiligingsupdates uitgebracht om de kwetsbaarheden te verhelpen. Voor de kwetsbaarheden waar nog geen updates voor zijn, heeft Siemens mitigerende maatregelen gepubliceerd om de risico's zoveel als mogelijk te beperken. Zie de bijgevoegde referenties voor meer informatie.

Referenties

CVE's

CVE-2022-21658 - CVSS (v3) 7.3
CVE-2023-2975 - CVSS (v3) 7.8
CVE-2023-3446 - CVSS (v3) 7.8
CVE-2023-3817 - CVSS (v3) 7.8
CVE-2023-4807 - CVSS (v3) 7.8
CVE-2023-5363 - CVSS (v3) 7.5
CVE-2023-5678
CVE-2023-7104 - CVSS (v3) 7.3
CVE-2024-0056 - CVSS (v3) 8.7
CVE-2024-0232
CVE-2024-0727 - CVSS (v3) 7.5
CVE-2024-5535 - CVSS (v3) 9.1
CVE-2024-9143 - CVSS (v4) 6.9
CVE-2024-21319
CVE-2024-23814 - CVSS (v4) 6.9
CVE-2024-30105 - CVSS (v3) 7.5
CVE-2024-41788 - CVSS (v4) 9.4
CVE-2024-41789 - CVSS (v4) 9.4
CVE-2024-41790 - CVSS (v4) 9.4
CVE-2024-41791 - CVSS (v4) 6.9
CVE-2024-41792 - CVSS (v4) 9.2
CVE-2024-41793 - CVSS (v4) 7.7
CVE-2024-41794 - CVSS (v4) 10.0
CVE-2024-41795 - CVSS (v4) 6.9
CVE-2024-41796 - CVSS (v4) 6.9
CVE-2024-54091 - CVSS (v4) 8.7
CVE-2024-54092 - CVSS (v4) 9.3
CVE-2025-30280 - CVSS (v4) 6.9
CVE-2025-1097 - CVSS (v3) 8.8
CVE-2025-24514 - CVSS (v3) 8.8
CVE-2025-24513 - CVSS (v3) 4.8
CVE-2025-1974 - CVSS (v3) 9.8
CVE-2025-1098 - CVSS (v3) 8.8
CVE-2025-29999 - CVSS (v4) 7.3
CVE-2025-30000 - CVSS (v4) 5.4

Producten

Siemens

Industrial Edge Own Device (IEOD)

Industrial Edge Device Kit - x86-64 V1.21

Industrial Edge Device Kit - x86-64 V1.20

Industrial Edge Device Kit - x86-64 V1.19

Industrial Edge Device Kit - x86-64 V1.18

Industrial Edge Device Kit - x86-64 V1.17

Industrial Edge Device Kit - arm64 V1.21

Industrial Edge Device Kit - arm64 V1.20

Industrial Edge Device Kit - arm64 V1.19

Industrial Edge Device Kit - arm64 V1.18

Industrial Edge Device Kit - arm64 V1.17

SENTRON 7KT PAC1260 Data Manager

License Server

Siemens License Server (SLS)

Solid Edge

Solid_Edge_Se2024

SINEC Network Management System

Siemens Simatic S7-1500 Tm Mfp

Siemens Telecontrol Server Basic

Solid Edge SE2024

Solid Edge SE2025

SIMATIC CFU DIQ

SIMATIC CFU PA

SIMATIC ET 200AL IM 157-1 PN

SIMATIC ET 200M IM 153-4 PN IO HF

SIMATIC ET 200M IM 153-4 PN IO ST

SIMATIC ET 200MP IM 155-5 PN BA

SIMATIC ET 200MP IM 155-5 PN HF

SIMATIC ET 200MP IM 155-5 PN ST

SIMATIC ET 200S IM 151-3 PN FO

SIMATIC ET 200S IM 151-3 PN HF

SIMATIC ET 200S IM 151-3 PN HS

SIMATIC ET 200S IM 151-3 PN ST

SIMATIC ET 200S IM 151-8 PN/DP CPU

SIMATIC ET 200S IM 151-8F PN/DP CPU

SIMATIC ET 200SP CPU 1510SP F-1 PN

SIMATIC ET 200SP CPU 1510SP-1 PN

SIMATIC ET 200SP CPU 1512SP F-1 PN

SIMATIC ET 200SP CPU 1512SP-1 PN

SIMATIC ET 200SP IM 155-6 MF HF

SIMATIC ET 200SP IM 155-6 PN BA

SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants)

SIMATIC ET 200SP IM 155-6 PN HF

SIMATIC ET 200SP IM 155-6 PN HS

SIMATIC ET 200SP IM 155-6 PN ST

SIDOOR ATD430W

SIDOOR ATE530G COATED

SIDOOR ATE530S COATED

SIMOCODE pro V Ethernet/IP (incl. SIPLUS variants)

SIMOCODE pro V PROFINET

SINUMERIK 840D sl

SIWAREX WP231

SIWAREX WP241

SIWAREX WP251

SIWAREX WP521 ST

SIWAREX WP522 ST

SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants)

SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants)

SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants)

SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants)

SIPLUS ET 200M IM 153-4 PN IO HF

SIPLUS ET 200M IM 153-4 PN IO ST

SIPLUS ET 200MP IM 155-5 PN HF

SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL

SIPLUS ET 200MP IM 155-5 PN ST

SIPLUS ET 200MP IM 155-5 PN ST TX RAIL

SIPLUS ET 200S IM 151-8 PN/DP CPU

SIPLUS ET 200S IM 151-8F PN/DP CPU

SIPLUS ET 200S IM151-3 PN HF

SIPLUS ET 200S IM151-3 PN ST

SIPLUS ET 200SP CPU 1512SP F-1 PN

SIPLUS ET 200SP IM 155-6 PN HF

SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL

SIPLUS ET 200SP IM 155-6 PN HF TX RAIL

SIPLUS ET 200SP IM 155-6 PN ST

SIPLUS ET 200SP IM 155-6 PN ST BA

SIPLUS ET 200SP IM 155-6 PN ST BA TX RAIL

SIPLUS ET 200SP IM 155-6 PN ST TX RAIL

SIPLUS HCS4200 CIM4210

Mendix Runtime

Mendix Runtime V10

Mendix Runtime V10.12

Mendix Runtime V10.18

Mendix Runtime V10.6

Mendix Runtime V8

Mendix Runtime V9

Disclaimer

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.