CVE-2024-22039 (CVSS 10): Siemens Fire Protection Systems Vulnerable to Remote Attacks

A serious security alert from Siemens ProductCERT reveals that multiple products within their widely used Sinteso EN and Cerberus PRO EN fire protection systems harbor critical vulnerabilities. These flaws could be exploited by attackers who gain access to the fire protection system’s network to either execute their code on the systems or deliberately crash them, potentially hindering emergency responses.

Key Vulnerabilities and Risks

The identified security flaws tracked as CVE-2024-22039, CVE-2024-22040, and CVE-2024-22041, stem from inadequate validation of network communications. Successful exploitation requires the attacker to gain access to the fire protection system’s internal network:

• CVE-2024-22039 (CVSS v4.0: 10): Unchecked X.509 certificate attributes could lead to a buffer overflow, potentially allowing remote attackers to run code with root privileges on the system.
• CVE-2024-22040 (CVSS v4.0: 8.7): Improper HMAC validation creates the potential for a buffer overread, leading to denial-of-service (DoS) attacks.
• CVE-2024-22041 (CVSS v4.0: 8.7): Issues with memory buffer handling during X.509 certificate parsing could also enable attackers to cause system crashes (DoS).

Affected Products and Impacts

The vulnerabilities impact a range of components within the Sinteso EN and Cerberus PRO EN systems, including:

• Cerberus PRO EN Engineering Tool
• Sinteso FS20 EN Engineering Tool
• Sinteso Mobile app

The severity of the impact varies depending on the specific product.

Call to Action

Siemens understands the gravity of the situation and has taken action. For a number of the affected products, updated versions have been released to patch the vulnerabilities. It’s critical that organizations implement these updates immediately. Where patches aren’t yet available, Siemens has provided detailed workaround procedures within their security advisory to reduce the risk.

The Critical Role of Fire Safety Systems

This advisory highlights the growing risk cyberattacks pose to even specialized systems like fire protection. It’s paramount that organizations diligently review the Siemens security bulletin and take the necessary steps to secure their systems. Lives and property depend on the reliable operation of these protection systems.