CVE-2024-54092
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions < V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 V1.19 (All versions), Industrial Edge Device Kit - x86-64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - x86-64 V1.21 (All versions < V1.21.1-1), Industrial Edge Own Device (IEOD) (All versions < V1.21.1-1-a), Industrial Edge Virtual Device (All versions < V1.21.1-1-a), SCALANCE LPE9413 (6GK5998-3GS01-2AC2) (All versions < V2.1), SIMATIC IPC BX-39A Industrial Edge Device (All versions < V3.0), SIMATIC IPC BX-59A Industrial Edge Device (All versions < V3.0), SIMATIC IPC127E Industrial Edge Device (All versions < V3.0), SIMATIC IPC227E Industrial Edge Device (All versions < V3.0), SIMATIC IPC427E Industrial Edge Device (All versions < V3.0), SIMATIC IPC847E Industrial Edge Device (All versions < V3.0). Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation is currently or has previously been used and the attacker has learned the identity of a legitimate user.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Siemens | Industrial Edge Device Kit - arm64 V1.17 | 0 < * | affected |
| Siemens | Industrial Edge Device Kit - arm64 V1.18 | 0 < * | affected |
| Siemens | Industrial Edge Device Kit - arm64 V1.19 | 0 < * | affected |
| Siemens | Industrial Edge Device Kit - arm64 V1.20 | 0 < V1.20.2-1 | affected |
| Siemens | Industrial Edge Device Kit - arm64 V1.21 | 0 < V1.21.1-1 | affected |
| Siemens | Industrial Edge Device Kit - x86-64 V1.17 | 0 < * | affected |
| Siemens | Industrial Edge Device Kit - x86-64 V1.18 | 0 < * | affected |
| Siemens | Industrial Edge Device Kit - x86-64 V1.19 | 0 < * | affected |
| Siemens | Industrial Edge Device Kit - x86-64 V1.20 | 0 < V1.20.2-1 | affected |
| Siemens | Industrial Edge Device Kit - x86-64 V1.21 | 0 < V1.21.1-1 | affected |
| Siemens | Industrial Edge Own Device (IEOD) | 0 < V1.21.1-1-a | affected |
| Siemens | Industrial Edge Virtual Device | 0 < V1.21.1-1-a | affected |
| Siemens | SCALANCE LPE9413 | 0 < V2.1 | affected |
| Siemens | SIMATIC IPC BX-39A Industrial Edge Device | 0 < V3.0 | affected |
| Siemens | SIMATIC IPC BX-59A Industrial Edge Device | 0 < V3.0 | affected |
| Siemens | SIMATIC IPC127E Industrial Edge Device | 0 < V3.0 | affected |
| Siemens | SIMATIC IPC227E Industrial Edge Device | 0 < V3.0 | affected |
| Siemens | SIMATIC IPC427E Industrial Edge Device | 0 < V3.0 | affected |
| Siemens | SIMATIC IPC847E Industrial Edge Device | 0 < V3.0 | affected |
Weaknesses
- CWE-1390: CWE-1390: Weak Authentication
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://cert-portal.siemens.com/productcert/html/ssa-634640.html
- https://cert-portal.siemens.com/productcert/html/ssa-819629.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.