PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-32006 Siemens CVE debrief

CVE-2024-32006 is a session management vulnerability in Siemens SINEMA Remote Connect Client where user sessions are not expired upon system reboot if the user has not explicitly logged out. This flaw could allow an attacker to bypass Multi-Factor Authentication (MFA) protections. The vulnerability stems from improper session lifecycle management, where authentication state persists across reboots rather than being invalidated. An attacker with prior access to an authenticated session could potentially resume that session after a system restart without re-authenticating through MFA mechanisms. The CVSS 3.1 score of 4.3 (Medium severity) reflects the requirement for prior authenticated access and the limited impact scope. Siemens has addressed this issue in version 3.2 SP2 and later.

Vendor: Siemens
Product: SINEMA Remote Connect Client
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-09-10
Original CVE updated: 2024-09-10
Advisory published: 2024-09-10
Advisory updated: 2024-09-10

Who should care

Organizations using Siemens SINEMA Remote Connect Client for remote industrial network access, particularly those relying on TOTP-based multi-factor authentication. Security teams managing OT/ICS environments, network administrators responsible for remote connectivity solutions, and compliance officers evaluating authentication controls in industrial settings should prioritize this update.

Technical summary

The SINEMA Remote Connect Client fails to invalidate user sessions when the system reboots without an explicit logout action. This session persistence vulnerability could enable MFA bypass scenarios where an attacker with access to a previously authenticated session can resume that session post-reboot without re-authentication. The vulnerability is classified as CWE-613 (Insufficient Session Expiration). The attack requires network access and prior valid credentials, with successful exploitation resulting in authentication bypass. Remediation involves updating to version 3.2 SP2 or later, or implementing certificate-based authentication as an alternative to TOTP MFA.
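An added illustration of the CWE-613 pattern described above, not Siemens code and not taken from the advisory: a persisted session record that is still trusted after a restart, next to a loader that also binds the record to the boot in which MFA completed. The record layout, the function names, `SESSION_TTL` and the boot identifier values are assumptions made for this example.

```python
import hashlib, hmac, json
from dataclasses import asdict, dataclass

SESSION_TTL = 8 * 3600  # assumed absolute session lifetime, in seconds

@dataclass
class Session:
    user: str
    mfa_ok: bool
    issued_at: float
    boot_id: str  # boot during which MFA completed (on Linux, e.g. /proc/sys/kernel/random/boot_id)

def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def save(session, key):
    """Persist the session with an HMAC so boot_id cannot be edited on disk."""
    body = json.dumps(asdict(session), sort_keys=True)
    return json.dumps({"body": body, "tag": _tag(key, body.encode())})

def _verify(blob, key):
    """Return the Session if the record is well formed and the HMAC matches, else None."""
    try:
        outer = json.loads(blob)
        body, tag = outer["body"], outer["tag"]
        if not hmac.compare_digest(_tag(key, body.encode()), tag):
            return None
        return Session(**json.loads(body))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def load_vulnerable(blob, key, now):
    """CWE-613 pattern: persisted state is accepted as long as it has not timed out."""
    s = _verify(blob, key)
    if s is None or now - s.issued_at > SESSION_TTL:
        return None
    return s  # a reboot changes nothing here, so no MFA prompt follows it

def load_hardened(blob, key, now, current_boot_id):
    """Same checks, plus: the session must belong to the current boot."""
    s = load_vulnerable(blob, key, now)
    if s is None or s.boot_id != current_boot_id:
        return None  # stale boot: require full re-authentication, MFA included
    return s
```
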

Defensive priority

Medium

Recommended defensive actions

  • Apply vendor fix: Update SINEMA Remote Connect Client to version 3.2 SP2 or later
  • Consider implementing alternative authentication: Use Smartcard or user certificate-based authentication instead of TOTP-based two-factor authentication
  • Implement session monitoring: Review active sessions and enforce explicit logout procedures before system maintenance or reboots
  • Apply defense-in-depth practices: Follow CISA ICS recommended practices for industrial control system security
  • Review authentication architecture: Evaluate session persistence mechanisms in remote access solutions

Evidence notes

Vulnerability disclosed via CISA ICS advisory ICSA-24-256-10 and Siemens security advisory SSA-417159. The issue affects SINEMA Remote Connect Client with improper session expiration on reboot.

Official resources

2024-09-10