Siemens Issues Critical Security Advisory for User Management Component (UMC) – CVE-2024-33698
Siemens has disclosed a critical heap-based buffer overflow in its User Management Component (UMC). The flaw, tracked as CVE-2024-33698 and rated 9.3 (CVSS v4.0), can be triggered by an unauthenticated remote attacker and could allow arbitrary code execution on the host running UMC.
UMC is the shared user management and authentication component embedded in several Siemens products, including the SIMATIC PCS neo distributed control system, the SINEC NMS network management system and the Totally Integrated Automation Portal (TIA Portal). These products are widely deployed in critical infrastructure and industrial environments, so a remotely reachable flaw in the component that manages their users is particularly concerning.
In a heap-based buffer overflow, attacker-supplied data overruns the bounds of a heap allocation and corrupts whatever is stored next to it. Depending on the surrounding heap layout, that can crash the UMC service or, with a carefully chosen input, redirect execution to attacker-controlled code. Because UMC holds the user accounts and authorizations for the products that embed it, a compromised UMC host could be used to steal credentials, tamper with user permissions, disrupt operations, or, in an OT environment, interfere with the controlled process.
The following Siemens products are confirmed to be affected by CVE-2024-33698:
- SIMATIC Information Server: no fix is available yet; Siemens recommends the workarounds and mitigations listed below.
- SIMATIC PCS neo: apply Siemens' mitigations while a fixed version is being prepared.
- SINEC NMS: all versions are affected; update UMC to V2.11.6 or later, or contact Siemens customer support for patch information.
- Totally Integrated Automation Portal (TIA Portal): Siemens has issued mitigation recommendations while updates are in preparation.
While patches for many of the affected products are still outstanding, Siemens recommends the following mitigations to reduce the risk of exploitation:
- Filter network traffic: restrict ports 4002 and 4004 so that only machines that are part of the UMC network can connect to them. Enforce this on an external firewall rather than relying on host-based filtering alone, since a host-based rule on the vulnerable machine is one exploit away from being removed.
- Disable unused services: if no RT server machines are used, port 4004 can be blocked entirely, which removes one of the two exposed listeners. After applying either rule, confirm from a host outside the UMC network that ports 4002 and 4004 are no longer reachable.
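The two mitigations above can be expressed as a single firewall ruleset. The following shell script is an added example written for this article, not code or configuration published by Siemens: it generates an nftables ruleset for a Linux-based external firewall that forwards traffic between network segments. It assumes that UMC listens on TCP (the advisory names only the port numbers), that the host addresses are IPv4, and the sample addresses it is run with are constructed for illustration. The second argument (`yes` or `no`) states whether RT server machines exist; with `no`, port 4004 is accepted from nobody and therefore dropped for everyone.

```shell
#!/bin/sh
# Added example: build an nftables ruleset that limits the UMC ports to a
# fixed set of UMC hosts. Not from the Siemens advisory; TCP is assumed.

# umc_nft_rules yes|no <ipv4-address>...
# Prints the ruleset to stdout; apply it with: umc_nft_rules ... | nft -f -
umc_nft_rules() {
    rt_present="$1"
    shift
    [ $# -ge 1 ] || { echo "usage: umc_nft_rules yes|no host..." >&2; return 1; }
    case "$rt_present" in
        yes) ports="4002, 4004" ;;   # UMC servers and RT servers in use
        no)  ports="4002" ;;         # no RT servers: 4004 is never accepted
        *)   echo "first argument must be yes or no" >&2; return 1 ;;
    esac
    hosts=""
    for h in "$@"; do
        # Refuse anything that is not a dotted-quad IPv4 address so that a
        # typo cannot silently turn into an empty or malformed set.
        echo "$h" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
            || { echo "bad address: $h" >&2; return 1; }
        hosts="${hosts:+$hosts, }$h"
    done
    cat <<EOF
table inet umc {
    set umc_hosts {
        type ipv4_addr
        elements = { $hosts }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # UMC traffic is allowed only when both endpoints are UMC hosts
        ip saddr @umc_hosts ip daddr @umc_hosts tcp dport { $ports } accept
        # anything else aimed at the UMC ports is counted, logged and dropped
        tcp dport { 4002, 4004 } counter log prefix "umc-blocked " drop
    }
}
EOF
}

# Constructed sample: two UMC hosts, RT servers present.
umc_nft_rules yes 10.0.10.11 10.0.10.12
```

The accept rule matches only when both source and destination are in the `umc_hosts` set, so a compromised non-UMC machine on the same segment still cannot reach the listeners. The trailing drop rule always covers both ports, which is what makes the `no` variant block 4004 outright. Use `nft list ruleset` after loading to confirm the set contents, and re-run the script whenever a UMC server or client is added.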