
Siemens has issued a security advisory warning of an unlocked bootloader vulnerability in a specific range of SINAMICS S200 devices. The vulnerability, tracked as CVE-2024-56336, could allow an attacker to load untrusted firmware onto the device, which could damage or compromise it.
Affected devices include all versions of SINAMICS S200 with serial numbers beginning with SZVS8, SZVS9, SZVS0, or SZVSN and an FS number of 02.
“The affected device contains an unlocked bootloader,” Siemens states in the advisory. “This security oversight enables attackers to inject malicious code, or install untrusted firmware. The intrinsic security features designed to protect against data manipulation and unauthorized access are compromised when the bootloader is not secured.”
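To make concrete what the quoted passage means by a bootloader that is not secured, the following is an added illustration and is not Siemens code, nor a description of how SINAMICS S200 firmware is formatted or checked. It contrasts an "unlocked" acceptance path, which flashes any image that parses, with a "locked" path that authenticates the image and enforces a version floor before flashing. The toy image layout, the key material, and the use of HMAC-SHA256 as a stand-in for the asymmetric signature a real bootloader verifies with a public key are all assumptions of this example.

```python
"""
Generic illustration of "unlocked" vs "locked" bootloader image acceptance.
This is an added example, NOT Siemens code, and says nothing about the real
SINAMICS S200 image format or verification scheme.

Assumed (constructed) image layout:
  magic(4) | version(4, big-endian) | payload_len(4, big-endian) | payload | tag(32)
The tag is an HMAC-SHA256 over everything before it, standing in for the
asymmetric signature a real bootloader would verify with a burned-in public key.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
TAG_LEN = 32
HEADER = struct.Struct(">4sII")
# Assumed vendor key. A real device stores only a public key; HMAC is used here
# so the example runs with the standard library alone.
VENDOR_KEY = b"example-vendor-signing-key-not-real"


def build_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Produce an authenticated image, as a release pipeline would."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unlocked_bootloader_accepts(image: bytes) -> bool:
    """Unlocked bootloader: only a header sanity check, no authenticity check.
    Anything that parses is flashed and executed."""
    if len(image) < HEADER.size:
        return False
    magic, _version, payload_len = HEADER.unpack_from(image, 0)
    return magic == MAGIC and len(image) >= HEADER.size + payload_len


def locked_bootloader_accepts(image: bytes, min_version: int = 0,
                              key: bytes = VENDOR_KEY) -> bool:
    """Locked bootloader: parse strictly, verify the tag over header and payload
    in constant time, then enforce an anti-rollback version floor."""
    if len(image) < HEADER.size + TAG_LEN:
        return False
    magic, version, payload_len = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return False
    body_end = HEADER.size + payload_len
    if body_end + TAG_LEN != len(image):
        return False  # trailing or missing bytes: reject rather than guess
    body, tag = image[:body_end], image[body_end:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    return version >= min_version


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one payload byte, as an attacker modifying firmware in transit would."""
    b = bytearray(image)
    b[HEADER.size + offset] ^= 0xFF
    return bytes(b)


def demo() -> dict:
    """Run both acceptance paths over constructed sample images."""
    good = build_image(2, b"legitimate drive firmware (constructed sample)")
    evil = build_image(2, b"attacker-built firmware (constructed sample)",
                       key=b"attacker-key")
    modified = tamper(good, 0)
    old = build_image(1, b"older authentic release (constructed sample)")
    return {
        "unlocked_good": unlocked_bootloader_accepts(good),
        "unlocked_evil": unlocked_bootloader_accepts(evil),
        "unlocked_modified": unlocked_bootloader_accepts(modified),
        "unlocked_old": unlocked_bootloader_accepts(old),
        "locked_good": locked_bootloader_accepts(good, min_version=2),
        "locked_evil": locked_bootloader_accepts(evil, min_version=2),
        "locked_modified": locked_bootloader_accepts(modified, min_version=2),
        "locked_old": locked_bootloader_accepts(old, min_version=2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Against a constructed legitimate image, an attacker-built image keyed differently, a single-byte-tampered copy, and an older authentic release, the unlocked path accepts all four while the locked path accepts only the genuine current image. That gap is the substance of the advisory: without the check, every other protection on the device rests on firmware the device never authenticated.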
Siemens recommends that customers follow the general security recommendations and apply defense in depth. The company also recommends contacting local customer service for further support.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security and following the recommendations in the product manuals.
The vulnerability has been assigned a CVSS v3.1 base score of 9.8. Siemens has not released a firmware update to address the vulnerability.
Customers are urged to follow the recommendations in the security advisory to protect their devices from attack.