Overview
An update has been made available to fix vulnerabilities in Siemens products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2024-38876
- Omnivise T3000 Application Server versions: ~ R9.2 (inclusive)
- Omnivise T3000 Domain Controller versions: ~ R9.2 (inclusive)
- Omnivise T3000 Product Data Management (PDM) versions: ~ R9.2 (inclusive)
- Omnivise T3000 Terminal Server versions: ~ R9.2 (inclusive)
- Omnivise T3000 Thin Client versions: ~ R9.2 (inclusive)
- Omnivise T3000 Whitelisting Server versions: ~ R9.2 (inclusive)
CVE-2024-38877
- Omnivise T3000 Application Server all versions
- Omnivise T3000 Domain Controller all versions
- Omnivise T3000 Network Intrusion Detection System (NIDS) all versions
- Omnivise T3000 Product Data Management (PDM) all versions
- Omnivise T3000 Security Server all versions
- Omnivise T3000 Terminal Server all versions
- Omnivise T3000 Thin Client all versions
- Omnivise T3000 Whitelisting Server all versions
CVE-2024-38878, CVE-2024-38879
- Omnivise T3000 Application Server all versions
Resolved Vulnerabilities
Regular execution of user-modifiable code as a privileged user could allow attackers to execute arbitrary code with elevated privileges (CVE-2024-38876)
Vulnerability that could allow an attacker with remote shell access or physical access to retrieve credentials, resulting in confidentiality loss (CVE-2024-38877)
API endpoints are vulnerable to path traversal, which could allow an authenticated attacker to download arbitrary files from the file system (CVE-2024-38878)
Vulnerability exposing the port of an internal application on a public network interface, which could allow an attacker to bypass authentication and gain direct access to the exposed application (CVE-2024-38879)
Vulnerability Patches
Vulnerability patches were made available in the August 02, 2024 update as follows. Please follow the instructions on the Referenced Sites to update to the latest patched version.
CVE-2024-38876
Omnivise T3000 Application Server
- System software version: 22.173.20
- Application software version: 09.0.19.06
- See Omnivise T3000 Technical News 2024-089 to apply mitigations
Omnivise T3000 Domain Controller
- System software version: 22.173.20
- System software version: 22.173.52
Omnivise T3000 Product Data Management (PDM)
- System software version: 22.173.20
- System software version: 22.173.52
Omnivise T3000 Terminal Server
- System software version: 22.173.20
- System software version: 22.173.52
- Find download links in the latest Omnivise T3000 Technical News
Omnivise T3000 Thin Client
- System software version: 22.173.52
Omnivise T3000 Whitelisting Server
- System software version: 22.173.20
- System software version: 22.173.52
CVE-2024-38877
Omnivise T3000 Application Server
- System software version: 22.173.52
- Application software version: 09.0.19.06
- See Omnivise T3000 Technical News 2024-089 for mitigations
Omnivise T3000 Domain Controller
- System software version: 22.173.52
- See Omnivise T3000 Technical News 2024-089 to apply mitigations
Omnivise T3000 Network Intrusion Detection System (NIDS)
- See Omnivise T3000 Technical News 2024-089 to apply mitigations
Omnivise T3000 Product Data Management (PDM)
- System software version: 22.173.52
- See Omnivise T3000 Technical News 2024-089 to apply mitigations
Omnivise T3000 Security Server
- See Omnivise T3000 Technical News 2024-089 to apply mitigations
Omnivise T3000 Terminal Server
- System software version: 22.173.52
- See Omnivise T3000 Technical News 2024-089 to apply mitigations
Omnivise T3000 Thin Client
- System software version: 22.173.52
- See Omnivise T3000 Technical News 2024-089 to apply mitigations
Omnivise T3000 Whitelisting Server
- System software version: 22.173.52
- See Omnivise T3000 Technical News 2024-089 to apply mitigations
CVE-2024-38878, CVE-2024-38879
Omnivise T3000 Application Server
- System software version: 22.173.52
- Application software version: 09.0.19.06
- See Omnivise T3000 Technical News 2024-089 to apply mitigations
Referenced Sites
[1] SSA-857368: Multiple Vulnerabilities in Omnivise T3000
https://cert-portal.siemens.com/productcert/html/ssa-857368.html#affected-products-section
Article Link: Siemens Family Security Update Advisory – ASEC