Siemens Family Security Update Advisory

Overview

An update has been made available to fix vulnerabilities in Siemens products. Users of affected products are advised to update to the latest version.

 

Affected Products

 

CVE-2024-38876

  • Omnivise T3000 Application Server versions: ~ R9.2 (inclusive)
  • Omnivise T3000 Domain Controller versions: ~ R9.2 (inclusive)
  • Omnivise T3000 Product Data Management (PDM) versions: ~ R9.2 (inclusive)
  • Omnivise T3000 Terminal Server versions: ~ R9.2 (inclusive)
  • Omnivise T3000 Thin Client versions: ~ R9.2 (inclusive)
  • Omnivise T3000 Whitelisting Server versions: ~ R9.2 (inclusive)

 

CVE-2024-38877

  • Omnivise T3000 Application Server all versions
  • Omnivise T3000 Domain Controller all versions
  • Omnivise T3000 Network Intrusion Detection System (NIDS) all versions
  • Omnivise T3000 Product Data Management (PDM) all versions
  • Omnivise T3000 Security Server all versions
  • Omnivise T3000 Terminal Server all versions
  • Omnivise T3000 Thin Client all versions
  • Omnivise T3000 Whitelisting Server all versions

 

CVE-2024-38878, CVE-2024-38879

  • Omnivise T3000 Application Server all versions

 

 

Resolved Vulnerabilities

 

  • Regular execution of user-modifiable code as a privileged user could allow attackers to execute arbitrary code with elevated privileges (CVE-2024-38876)
  • Vulnerability that could allow an attacker with remote shell access or physical access to retrieve credentials, resulting in confidentiality loss (CVE-2024-38877)
  • API endpoints are vulnerable to path traversal, which could allow an authenticated attacker to download arbitrary files from the file system (CVE-2024-38878)
  • Vulnerability exposing the port of an internal application on a public network interface, which could allow an attacker to bypass authentication and gain direct access to the exposed application (CVE-2024-38879)

 

Vulnerability Patches

Vulnerability patches were made available in the August 02, 2024 update as follows. Please follow the instructions on the Referenced Sites to update to the latest patched version.

 

CVE-2024-38876

Omnivise T3000 Application Server

  • System software version: 22.173.20
  • Application software version: 09.0.19.06
  • See Omnivise T3000 Technical News 2024-089 to apply mitigations

 

Omnivise T3000 Domain Controller

  • System software version: 22.173.20
  • System software version: 22.173.52

 

Omnivise T3000 Product Data Management (PDM)

  • System software version: 22.173.20
  • System software version: 22.173.52

 

Omnivise T3000 Terminal Server

  • System software version: 22.173.20
  • System software version: 22.173.52
  • Find download links in the latest Omnivise T3000 Technical News

 

Omnivise T3000 Thin Client

  • System software version: 22.173.52

 

Omnivise T3000 Whitelisting Server

  • System software version: 22.173.20
  • System software version: 22.173.52

 

CVE-2024-38877

Omnivise T3000 Application Server

  • System software version: 22.173.52
  • Application software version: 09.0.19.06
  • See Omnivise T3000 Technical News 2024-089 for mitigations

 

Omnivise T3000 Domain Controller

  • System software version: 22.173.52
  • See Omnivise T3000 Technical News 2024-089 to apply mitigations

 

Omnivise T3000 Network Intrusion Detection System (NIDS)

  • See Omnivise T3000 Technical News 2024-089 to apply mitigations

 

Omnivise T3000 Product Data Management (PDM)

  • System software version: 22.173.52
  • See Omnivise T3000 Technical News 2024-089 to apply mitigations

 

Omnivise T3000 Security Server

  • See Omnivise T3000 Technical News 2024-089 to apply mitigations

 

Omnivise T3000 Terminal Server

  • System software version: 22.173.52
  • See Omnivise T3000 Technical News 2024-089 to apply mitigations

 

Omnivise T3000 Thin Client

  • System software version: 22.173.52
  • See Omnivise T3000 Technical News 2024-089 to apply mitigations

 

Omnivise T3000 Whitelisting Server

  • System software version: 22.173.52
  • See Omnivise T3000 Technical News 2024-089 to apply mitigations

 

CVE-2024-38878, CVE-2024-38879

Omnivise T3000 Application Server

  • System software version: 22.173.52
  • Application software version: 09.0.19.06
  • See Omnivise T3000 Technical News 2024-089 to apply mitigations

 

Referenced Sites

[1] SSA-857368: Multiple Vulnerabilities in Omnivise T3000

https://cert-portal.siemens.com/productcert/html/ssa-857368.html#affected-products-section

Article Link: Siemens Family Security Update Advisory – ASEC