CVE-2024-54092

Summary

A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions < V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 V1.19 (All versions), Industrial Edge Device Kit - x86-64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - x86-64 V1.21 (All versions < V1.21.1-1), Industrial Edge Own Device (IEOD) (All versions < V1.21.1-1-a), Industrial Edge Virtual Device (All versions < V1.21.1-1-a), SCALANCE LPE9413 (6GK5998-3GS01-2AC2) (All versions < V2.1), SIMATIC IPC BX-39A Industrial Edge Device (All versions < V3.0), SIMATIC IPC BX-59A Industrial Edge Device (All versions < V3.0), SIMATIC IPC127E Industrial Edge Device (All versions < V3.0), SIMATIC IPC227E Industrial Edge Device (All versions < V3.0), SIMATIC IPC427E Industrial Edge Device (All versions < V3.0), SIMATIC IPC847E Industrial Edge Device (All versions < V3.0). Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation is currently or has previously been used and the attacker has learned the identity of a legitimate user.

Affected Software

VendorProductVersion RangeStatus
SiemensIndustrial Edge Device Kit - arm64 V1.170 < *affected
SiemensIndustrial Edge Device Kit - arm64 V1.180 < *affected
SiemensIndustrial Edge Device Kit - arm64 V1.190 < *affected
SiemensIndustrial Edge Device Kit - arm64 V1.200 < V1.20.2-1affected
SiemensIndustrial Edge Device Kit - arm64 V1.210 < V1.21.1-1affected
SiemensIndustrial Edge Device Kit - x86-64 V1.170 < *affected
SiemensIndustrial Edge Device Kit - x86-64 V1.180 < *affected
SiemensIndustrial Edge Device Kit - x86-64 V1.190 < *affected
SiemensIndustrial Edge Device Kit - x86-64 V1.200 < V1.20.2-1affected
SiemensIndustrial Edge Device Kit - x86-64 V1.210 < V1.21.1-1affected
SiemensIndustrial Edge Own Device (IEOD)0 < V1.21.1-1-aaffected
SiemensIndustrial Edge Virtual Device0 < V1.21.1-1-aaffected
SiemensSCALANCE LPE94130 < V2.1affected
SiemensSIMATIC IPC BX-39A Industrial Edge Device0 < V3.0affected
SiemensSIMATIC IPC BX-59A Industrial Edge Device0 < V3.0affected
SiemensSIMATIC IPC127E Industrial Edge Device0 < V3.0affected
SiemensSIMATIC IPC227E Industrial Edge Device0 < V3.0affected
SiemensSIMATIC IPC427E Industrial Edge Device0 < V3.0affected
SiemensSIMATIC IPC847E Industrial Edge Device0 < V3.0affected

Weaknesses

  • CWE-1390: CWE-1390: Weak Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References