PatchSiren

CVE-2023-5870 Siemens CVE debrief

CVE-2023-5870 is a medium-severity vulnerability in PostgreSQL affecting the pg_cancel_backend role, which can signal background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. The vulnerability was published on August 13, 2024. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect only that specific background worker. A remote high-privileged user could exploit this flaw to cause a denial of service (DoS). Siemens SINEC NMS is affected by this vulnerability. The vendor has provided a fix in version 3.0 or later.

Vendor: Siemens
Product: SINEC NMS
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-13
Original CVE updated: 2024-08-13
Advisory published: 2024-08-13
Advisory updated: 2024-08-13

Who should care

Organizations running Siemens SINEC NMS with embedded PostgreSQL databases, industrial control system operators, database administrators managing PostgreSQL instances with non-core extensions, and security teams responsible for OT/ICS environments should prioritize this vulnerability for patching and privilege review.

Technical summary

The vulnerability exists in PostgreSQL's pg_cancel_backend functionality, which allows signaling of background workers. The logical replication launcher, autovacuum workers, and autovacuum launcher are among the affected components. Exploitation requires a non-core extension with a less-resilient background worker, limiting impact to that specific worker. The attack vector is network-based with high complexity and requires high privileges, resulting in availability impact only. Siemens has addressed this in SINEC NMS version 3.0 and later.

Defensive priority

medium

Recommended defensive actions

  • Update Siemens SINEC NMS to version 3.0 or later per vendor guidance
  • Review and restrict database user privileges to minimize exposure to high-privileged accounts
  • Monitor PostgreSQL background worker processes for unexpected termination
  • Assess installed PostgreSQL extensions for resilience against cancellation signals
  • Apply defense-in-depth practices for industrial control systems as recommended by CISA
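
One way to act on the monitoring item above, as an added example that is not taken from the advisory or from Siemens: a small scanner that picks background-worker terminations out of a PostgreSQL server log. It assumes the default `log_line_prefix` (`%m [%p] `); the sample lines and the worker name `demo_ext worker` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in PostgreSQL's default log format (log_line_prefix '%m [%p] ').
# "demo_ext worker" is a hypothetical worker from a non-core extension.
SAMPLE_LOG = '''\
2024-08-13 10:15:01.004 UTC [812] LOG:  checkpoint starting: time
2024-08-13 10:15:02.120 UTC [4410] FATAL:  terminating background worker "demo_ext worker" due to administrator command
2024-08-13 10:15:02.131 UTC [790] LOG:  background worker "demo_ext worker" (PID 4410) exited with exit code 1
2024-08-13 10:15:09.877 UTC [4502] FATAL:  terminating autovacuum process due to administrator command
2024-08-13 10:16:30.450 UTC [790] LOG:  background worker "logical replication launcher" (PID 801) exited with exit code 1
2024-08-13 10:18:44.902 UTC [790] LOG:  background worker "demo_ext worker" (PID 4700) was terminated by signal 11: Segmentation fault
'''

PREFIX = r'^(?P<ts>\S+ \S+ \S+) \[\d+\] '
BGW = r'background worker "(?P<worker>[^"]+)"'
RULES = [
    # Worker received SIGTERM (pg_terminate_backend() or a server shutdown).
    ("signalled", PREFIX + r'FATAL:\s+terminating ' + BGW + r' due to administrator command'),
    ("signalled", PREFIX + r'FATAL:\s+terminating (?P<worker>autovacuum) process due to administrator command'),
    # Postmaster reports a worker leaving with a non-zero status or dying on a signal.
    ("exited", PREFIX + r'LOG:\s+' + BGW + r' \(PID \d+\) exited with exit code [1-9]\d*'),
    ("crashed", PREFIX + r'LOG:\s+' + BGW + r' \(PID \d+\) was terminated by signal \d+'),
]
RULES = [(event, re.compile(rx)) for event, rx in RULES]

def scan(log_text):
    """Return one finding per log line that records a background worker going away."""
    findings = []
    for line in log_text.splitlines():
        for event, rx in RULES:
            m = rx.match(line)
            if m:
                findings.append({"ts": m["ts"], "worker": m["worker"], "event": event})
                break
    return findings

def summarize(findings):
    """Count findings per (worker, event) so repeated terminations stand out."""
    return Counter((f["worker"], f["event"]) for f in findings)

if __name__ == "__main__":
    for (worker, event), n in sorted(summarize(scan(SAMPLE_LOG)).items()):
        print(f"{worker:32} {event:10} {n}")
```

The same messages are written during a planned shutdown or restart, so findings should be correlated with maintenance windows before being treated as unexpected.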

Evidence notes

The vulnerability description is sourced from CISA CSAF advisory ICSA-24-228-06 published August 13, 2024. Siemens is identified as the affected vendor with SINEC NMS as the affected product. The CVSS 3.1 vector indicates network attack vector, high attack complexity, high privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact.
