Siemens Publishes Out-of-Zone Advisory – 11-22-24
Today Siemens published a control system security advisory outside of their normal Cyber Tuesday (November 12th this month) tranche of advisories. This is the third out-of-zone advisory this month.
Siemens Advisory
Siemens published an advisory that discusses four vulnerabilities (two listed in CISA’s KEV catalog) in the Palo Alto Networks Virtual NGFW on Siemens RUGGEDCOM APE1808 Devices. These are third-party (duh, Palo Alto Networks) vulnerabilities. Siemens has a patch available through their customer service that mitigates the vulnerability.
The four reported vulnerabilities are:
Missing authentication for critical function - CVE-2024-0012 (listed in CISA’s Known Exploited Vulnerability Catalog),
NULL pointer dereference - CVE-2024-2550,
Path Traversal - CVE-2024-2552, and
OS command injection - CVE-2024-9474 (listed in CISA’s KEV Catalog).
The interesting thing here is that according to the Palo Alto Networks advisories for the vulnerability (see links above), their Next Generation Firewall (NGFW) is not affected by any of these vulnerabilities. Various versions of their PAN-OS are, however, affected.
DTRH – PAN in APE1808
Back in July Siemens published a similar advisory (SSA-364175) for Palo Alto Networks (PAN-OS) vulnerabilities in their RUGGEDCOM APE1808 devices. They have updated that advisory three times since then (most recently on November 12th, 2024), adding new PAN-OS vulnerabilities each time. For each of those earlier vulnerabilities, Siemens has recommended updating the Palo Alto Networks Virtual NGFW to the fixed version. That recommendation is not made here, instead Siemens has come up with a patch. Something, what is not clear, is different about this new set of vulnerabilities.