PatchSiren cyber security CVE debrief

CVE-2024-30207 Siemens CVE debrief

CVE-2024-30207 is a critical vulnerability in Siemens SIMATIC RTLS Locating Manager products, published on 2024-05-14 and last modified on 2024-06-11. The affected systems protect client-server communication with symmetric cryptography under a hard-coded key, which could allow an unauthenticated remote attacker to compromise confidentiality, integrity, and subsequently availability of the system. Successful exploitation requires the attacker to obtain knowledge of the hard-coded key and to intercept network communication between client and server. Seven product variants are affected: 6GT2780-0DA00, 6GT2780-0DA10, 6GT2780-0DA20, 6GT2780-0DA30, 6GT2780-1EA10, 6GT2780-1EA20, and 6GT2780-1EA30. Siemens has released a vendor fix in version V3.0.1.1 or later, available through Siemens Online Software Delivery (OSD).

Vendor
Siemens
Product
SIMATIC RTLS Locating Manager (6GT2780-0DA00)
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2024-05-14
Original CVE updated
2024-06-11
Advisory published
2024-05-14
Advisory updated
2024-06-11

Who should care

Organizations operating Siemens SIMATIC RTLS Locating Manager systems for real-time locating services in industrial environments, particularly those with network-exposed deployments or multi-site installations where client-server traffic traverses untrusted networks. Security teams responsible for industrial control system (ICS) security, OT network segmentation, and cryptographic implementation reviews should prioritize assessment and remediation.

Technical summary

The vulnerability stems from the use of symmetric cryptography with a hard-coded key to protect client-server communication in Siemens SIMATIC RTLS Locating Manager products. Because the key is embedded in the software rather than generated per deployment or negotiated per session, it is the same in every installation: an attacker who recovers it once, for example by reverse engineering a copy of the client or server software, can decrypt any intercepted client-server traffic and can also produce messages that the server cannot distinguish from legitimate ones, since in a purely symmetric scheme possession of the key is the only proof of authenticity. Exploitation requires a position from which client-server traffic can be intercepted, but no authentication and no user interaction. The changed scope in the CVSS vector (S:C) reflects that compromising the communication channel lets the attacker affect resources beyond the vulnerable component itself. The CVSS 3.1 base score is 10.0 (Critical): network attack vector, low attack complexity, no privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability.
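To make the failure mode concrete, the following is an added example written for this debrief; it is not code from Siemens or from the RTLS Locating Manager product. It models the vulnerable design with AES-256-GCM in Go: the constant key, the command strings, the message layout and the per-deployment "hardened" variant are all constructed assumptions for illustration, because the advisory does not describe the product's real algorithm, key or wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hardcodedKey plays the role of the constant key the advisory describes:
// it is compiled into every client and server build, so extracting it once
// from any installation unlocks all of them. The value is constructed for
// this example and is not the product's real key.
var hardcodedKey = []byte("example-only-32-byte-constant-k!") // 32 bytes -> AES-256

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the message was altered.
func open(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Vulnerable design: client and server share the compiled-in constant.
func vulnerableClientSend(cmd string) ([]byte, error) {
	return seal(hardcodedKey, []byte(cmd))
}

func vulnerableServerRecv(msg []byte) (string, error) {
	pt, err := open(hardcodedKey, msg)
	return string(pt), err
}

// The attacker of the advisory holds the extracted constant and sits on the
// network path. Decrypting a capture breaks confidentiality; sealing a new
// command under the same key yields a message the server cannot tell apart
// from a legitimate one, which breaks integrity. GCM's authentication tag
// gives no protection here because the attacker computes it with the real key.
func attackerDecrypt(captured []byte) (string, error) {
	return vulnerableServerRecv(captured)
}

func attackerForge(cmd string) ([]byte, error) {
	return seal(hardcodedKey, []byte(cmd))
}

// Hardened variant (an assumption for this example, not the vendor's fix):
// each deployment generates its own random key at installation time and
// provisions it to its clients out of band. A constant extracted from the
// binary is then worthless, and a message sealed under it is rejected.
// This still relies on the secret being distributed securely, which is why
// the advisory's mitigation puts the traffic inside a VPN instead.
type deployment struct {
	key []byte
}

func newDeployment() (*deployment, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &deployment{key: k}, nil
}

func (d *deployment) clientSend(cmd string) ([]byte, error) {
	return seal(d.key, []byte(cmd))
}

func (d *deployment) serverRecv(msg []byte) (string, error) {
	pt, err := open(d.key, msg)
	return string(pt), err
}

func main() {
	captured, _ := vulnerableClientSend("GET_TAG_POSITIONS") // illustrative command string
	pt, _ := attackerDecrypt(captured)
	fmt.Printf("attacker read: %q\n", pt)

	forged, _ := attackerForge("SET_CONFIG anchor=7") // illustrative command string
	cmd, err := vulnerableServerRecv(forged)
	fmt.Printf("vulnerable server accepted forged command %q (err=%v)\n", cmd, err)

	site, _ := newDeployment()
	_, err = site.serverRecv(forged)
	fmt.Printf("per-deployment key rejects the same forgery: %v\n", err)
}
```

The point to take from the block is that the cipher is not the weak link: AES-GCM is sound, yet confidentiality and integrity both collapse the moment the one shared key is known, and nothing in the protocol lets the server distinguish the attacker from a client. The per-deployment key only removes the "one extraction unlocks every site" property; it does not authenticate endpoints, so the vendor update to V3.0.1.1 and the VPN mitigation from the advisory remain the actual remediation.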

Defensive priority

Critical

Recommended defensive actions

  • Update affected Siemens SIMATIC RTLS Locating Manager installations to version V3.0.1.1 or later through Siemens Online Software Delivery (OSD)
  • Protect all communication between RTLS Clients and the Server using a secure channel such as an appropriate VPN solution, ensuring configured Server ports are exclusively reachable via the VPN as described in the product
  • Install required RTLS Locating Manager components on a single host computer where possible and ensure only trusted persons have access to the system
  • Secure the Windows Server hosting RTLS Locating Manager with a firewall and ensure no ports are accessible from untrusted networks
  • Apply security hardening of the Windows Server hosting RTLS Locating Manager in accordance with corporate security policies or up-to-date hardening guidelines

Evidence notes

The vulnerability description and remediation guidance are sourced from CISA CSAF advisory ICSA-24-137-07, which references Siemens Security Advisory SSA-093430. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C) indicates network attack vector, low attack complexity, no privileges required, no user interaction, and changed scope with high impact on confidentiality, integrity, and availability; these base metrics give the 10.0 quoted above. The vector also carries temporal metrics (E:P, proof-of-concept exploit maturity; RL:O, official fix available; RC:C, confirmed), which yield a temporal score of 9.0, still Critical. The advisory was updated on 2024-06-11 to add the specific mitigation for CVE-2024-30207.

Official resources

CISA ICS Advisory ICSA-24-137-07, published 2024-05-14
Siemens Security Advisory SSA-093430, referenced by ICSA-24-137-07