PatchSiren cyber security CVE debrief

CVE-2023-26495 Siemens CVE debrief

A use-after-free vulnerability in the Open Design Alliance Drawings SDK (versions before 2024.1) affects Siemens COMOS. The flaw can be triggered when parsing specially crafted DWG files and may enable arbitrary code execution when chained with other vulnerabilities. The vulnerability was disclosed on August 13, 2024, with a CVSS 3.1 score of 7.8 (HIGH). Siemens has released COMOS V10.5 as a fix.

Vendor: Siemens
Product: COMOS
CVSS: 7.8 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-13
Original CVE updated: 2024-08-13
Advisory published: 2024-08-13
Advisory updated: 2024-08-13

Who should care

Organizations operating Siemens COMOS in engineering, plant design, or industrial automation environments. Asset owners in critical infrastructure sectors using COMOS for process control system design and documentation. Security teams responsible for OT/ICS software supply chain risk management.

Technical summary

The vulnerability exists in the Open Design Alliance Drawings SDK in versions prior to 2024.1, a third-party component integrated into Siemens COMOS. A use-after-free condition can be triggered while parsing a DWG file: the parser continues to use memory after it has been released, which corrupts process memory. Exploitation requires a user to open a malicious DWG file in COMOS; on its own the flaw yields memory corruption, and arbitrary code execution becomes possible when it is chained with additional vulnerabilities. Per the CVSS 3.1 vector, the attack vector is local, user interaction is required, attack complexity is low and no privileges are required.
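To make the vulnerability class concrete for readers who do not work with memory-unsafe code daily, the following is an added, constructed example written for this debrief. It is not code from the Open Design Alliance SDK, COMOS or the DWG format: it parses a toy record stream (one type byte, one length byte, a payload) in which a "delete" record frees the most recent entity and a "reference" record uses it, and shows the stale-pointer pattern beside the hardened form that clears ownership and rejects references to deleted entities. Record types, the stream layout and the sample bytes are all assumptions made for the illustration.

```c
/* Constructed toy "drawing record" parser illustrating a use-after-free and
 * its fix. Illustrative code written for this debrief; it is NOT the ODA
 * Drawings SDK, the DWG format, or COMOS code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTITY_DATA_MAX 16
enum { REC_ENTITY = 0x01, REC_DELETE = 0x02, REC_REF = 0x03 };  /* assumed record types */

struct entity { uint8_t kind; uint8_t len; uint8_t data[ENTITY_DATA_MAX]; };

/* Counters so callers can see what the parser did with each record. */
struct parse_stats {
    int entities;      /* entity records allocated */
    int refs_ok;       /* reference records that found a live entity */
    int refs_rejected; /* reference records refused because the entity was deleted */
    int malformed;     /* truncated, oversized or unknown records */
};

/* Shared helper: build an entity from one record's payload (len already checked). */
static struct entity *make_entity(const uint8_t *payload, uint8_t len)
{
    struct entity *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->kind = REC_ENTITY;
    e->len = len;
    memcpy(e->data, payload, len);
    return e;
}

/* VULNERABLE pattern, shown for contrast only and never called below: after
 * REC_DELETE the 'last' pointer still points at freed memory, so a later
 * REC_REF reads through it (use-after-free) and a later REC_ENTITY frees it
 * again (double free). */
int parse_records_vulnerable(const uint8_t *buf, size_t n, struct parse_stats *st)
{
    struct entity *last = NULL;
    size_t i = 0;
    memset(st, 0, sizeof *st);
    while (i + 2 <= n) {
        uint8_t type = buf[i], len = buf[i + 1];
        if (len > ENTITY_DATA_MAX || i + 2 + len > n) { st->malformed++; return -1; }
        if (type == REC_ENTITY) {
            free(last);                                   /* double free if 'last' is stale */
            last = make_entity(buf + i + 2, len);
            if (!last) return -1;
            st->entities++;
        } else if (type == REC_DELETE) {
            free(last);                                   /* BUG: 'last' is left dangling */
        } else if (type == REC_REF) {
            if (last && last->kind == REC_ENTITY) st->refs_ok++;  /* BUG: reads freed memory */
        }
        i += 2 + (size_t)len;
    }
    return 0;  /* cleanup omitted: it would free 'last' a second time on some inputs */
}

/* HARDENED form: ownership is explicit. Deleting clears the pointer, a
 * reference to a deleted entity is rejected and counted, and malformed
 * records stop parsing instead of being skipped. */
int parse_records_hardened(const uint8_t *buf, size_t n, struct parse_stats *st)
{
    struct entity *last = NULL;
    size_t i = 0;
    int rc = 0;
    memset(st, 0, sizeof *st);
    while (i < n) {
        if (i + 2 > n) { st->malformed++; rc = -1; break; }          /* header truncated */
        uint8_t type = buf[i], len = buf[i + 1];
        if (len > ENTITY_DATA_MAX || i + 2 + len > n) { st->malformed++; rc = -1; break; }
        switch (type) {
        case REC_ENTITY:
            free(last);                                   /* release the previous entity first */
            last = make_entity(buf + i + 2, len);
            if (!last) { rc = -1; goto out; }
            st->entities++;
            break;
        case REC_DELETE:
            free(last);
            last = NULL;                                  /* FIX: no dangling pointer survives */
            break;
        case REC_REF:
            if (last) st->refs_ok++;                      /* FIX: only touch a live entity */
            else      st->refs_rejected++;
            break;
        default:
            st->malformed++; rc = -1; goto out;
        }
        i += 2 + (size_t)len;
    }
out:
    free(last);
    return rc;
}

/* Constructed sample stream: entity, reference (live), delete, reference (stale). */
static const uint8_t SAMPLE_STREAM[] = {
    REC_ENTITY, 3, 'L', 'N', 'E',
    REC_REF,    0,
    REC_DELETE, 0,
    REC_REF,    0
};
static const size_t SAMPLE_STREAM_LEN = sizeof SAMPLE_STREAM;

int main(void)
{
    struct parse_stats st;
    int rc = parse_records_hardened(SAMPLE_STREAM, SAMPLE_STREAM_LEN, &st);
    printf("rc=%d entities=%d refs_ok=%d refs_rejected=%d malformed=%d\n",
           rc, st.entities, st.refs_ok, st.refs_rejected, st.malformed);
    return 0;
}
```

On the sample stream the hardened parser returns 0 with one entity, one accepted reference and one rejected reference; the vulnerable parser would instead dereference the freed entity on the final record. The two fixes are the kind a vendor patch typically lands (clearing the owner pointer on release and refusing stale references), and the early exit on malformed records is what stops a crafted file from steering the parser into unexpected states in the first place.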

Defensive priority

HIGH

Recommended defensive actions

  • Update Siemens COMOS to V10.5 or later to address the underlying Open Design Alliance Drawings SDK vulnerability
  • Ensure all DWG files imported into COMOS originate from trusted sources and are transmitted over secure channels
  • Implement application whitelisting and least-privilege execution for COMOS installations
  • Monitor for suspicious DWG file handling or unexpected COMOS process behavior
  • Review and apply CISA ICS recommended practices for defense-in-depth security controls

Evidence notes

The vulnerability resides in the Open Design Alliance Drawings SDK, a third-party component used by Siemens COMOS for DWG file processing. The use-after-free condition occurs during parsing of maliciously crafted DWG files. The ZDI-CAN-19162 and ZDI-CAN-19432 identifiers indicate this was reported through the Zero Day Initiative. CISA published advisory ICSA-24-228-08 on August 13, 2024, coordinating disclosure with Siemens.

Official resources

CISA advisory ICSA-24-228-08 and the Siemens advisory, both published 2024-08-13 (link text not preserved in the stored evidence).