PatchSiren cyber security CVE debrief
CVE-2023-46120 Siemens CVE debrief
CVE-2023-46120 is a medium-severity vulnerability in the RabbitMQ Java client library affecting Siemens SINEC NMS. The vulnerability stems from improper enforcement of the `maxBodyLength` parameter when receiving Message objects, allowing attackers to send oversized messages that trigger memory exhaustion and Out-of-Memory (OOM) errors on consumer systems. This creates a denial-of-service condition through memory exhaustion. The vulnerability was patched in RabbitMQ Java client version 5.18.0. Siemens has addressed this in SINEC NMS through updates to version 3.0 or later. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C) indicates network attack vector with low complexity, requiring high privileges, with high availability impact. The vulnerability was published on August 13, 2024, and is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- Siemens
- Product
- SINEC NMS
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-02-13
- Original CVE updated
- 2024-03-12
- Advisory published
- 2024-02-13
- Advisory updated
- 2024-03-12
Who should care
Organizations operating Siemens SINEC NMS for industrial network management, developers using RabbitMQ Java client libraries in JVM-based applications, security teams managing message broker infrastructure, and OT/ICS security practitioners responsible for availability of critical industrial systems.
Technical summary
The RabbitMQ Java client library fails to apply the `maxBodyLength` configuration parameter when receiving Message objects. This allows malicious actors to transmit arbitrarily large messages that consume excessive memory on consumer systems, resulting in Out-of-Memory errors and denial-of-service conditions. The vulnerability is exploitable over the network with low complexity but requires high privileges. The fix was implemented in RabbitMQ Java client version 5.18.0, which has been integrated into SINEC NMS version 3.0 and later.
Defensive priority
medium
Recommended defensive actions
- Update Siemens SINEC NMS to version 3.0 or later to incorporate the patched RabbitMQ Java client library (version 5.18.0)
- Review and validate message size limits in RabbitMQ Java client configurations
- Monitor consumer systems for abnormal memory consumption patterns
- Apply defense-in-depth practices for industrial control systems per CISA guidance
- Verify RabbitMQ Java client library versions in dependent applications and upgrade to 5.18.0 or later
Evidence notes
Vulnerability description and remediation details sourced from CISA CSAF advisory ICSA-24-228-06 and Siemens security advisory SSA-784301. CVSS score and vector from source material. Patch version 5.18.0 explicitly stated in source description.
Official resources
-
CVE-2023-46120 CVE record
CVE.org
-
CVE-2023-46120 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-08-13