PatchSiren cyber security CVE debrief

CVE-2024-22040 Siemens CVE debrief

A buffer overread vulnerability in Siemens fire safety systems, caused by insufficient HMAC validation, allows unauthenticated remote attackers to crash network services. Exploitation requires an on-path position to intercept engineering tool communications, and the impact is limited to the tool itself rather than the underlying operating system.

Vendor: Siemens
Product: Cerberus PRO EN Engineering Tool
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-03-12
Original CVE updated: 2024-05-14
Advisory published: 2024-03-12
Advisory updated: 2024-05-14

Who should care

Organizations operating Siemens Cerberus PRO UL or Desigo Fire Safety UL fire protection systems, particularly those with remote engineering access or cloud-connected deployments. Critical infrastructure operators in facilities where fire safety system availability is essential for life safety and regulatory compliance.

Technical summary

The network communication library in affected Siemens fire safety systems fails to sufficiently validate HMAC (Hash-based Message Authentication Code) values, resulting in a buffer overread condition. This vulnerability is remotely exploitable without authentication, though successful exploitation requires an on-path attacker capable of intercepting communications between the engineering tool and the fire system network. The attack surface is constrained to the engineering tool process; the underlying operating system is not affected. The vulnerability carries a HIGH severity CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); exploitability is marked as proof-of-concept and official vendor fixes are available.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor patches: update Cerberus PRO UL and Desigo Fire Safety UL Compact Panels and Engineering Tools to MP4 or later
  • Apply vendor patches: update Cerberus PRO UL and Desigo Fire Safety UL X300 Cloud Distribution to V4.3.0001 or later
  • Segment fire system networks to limit engineering tool communication exposure
  • Monitor for anomalous network traffic targeting fire safety engineering tool communications
  • Review CISA ICS recommended practices for industrial control system defense in depth

Evidence notes

CISA ICS advisory ICSA-24-137-12 published 2024-05-14 confirms six affected Siemens products across Cerberus PRO UL and Desigo Fire Safety UL product lines. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H with exploitability marked as 'Proof-of-concept' and remediation level 'Official fix'. Vendor fix requires updating to MP4 or later for panel/engineering tools, and V4.3.0001 or later for cloud distribution components.
