CVE-2024-35211 Siemens CVE debrief

Who should care

Organizations operating Siemens SINEC Traffic Analyzer in industrial network environments, OT security teams managing network monitoring infrastructure, and compliance officers responsible for secure session management controls in critical infrastructure sectors.

Technical summary

The SINEC Traffic Analyzer web server fails to set essential cookie security attributes on session tokens post-authentication. Missing Secure, HttpOnly, and SameSite flags expose sessions to: (1) man-in-the-middle interception when transmitted over unencrypted channels, (2) client-side script access enabling XSS-based token theft, and (3) cross-site request forgery via unintended cross-origin cookie transmission. The CVSS 3.1 score of 5.5 reflects local attack requirements with high confidentiality impact potential.

Defensive priority

medium

Recommended defensive actions

• Apply vendor fix: Update SINEC Traffic Analyzer to version 1.2 or later
• Implement network segmentation to limit exposure of the web management interface
• Enforce HTTPS-only access to the web server to mitigate cookie transmission risks
• Monitor for anomalous session activity and unauthorized access attempts
• Review and apply CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

The vulnerability description is sourced from CISA CSAF advisory ICSA-24-165-13, which references Siemens Security Advisory SSA-196737. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates local attack vector with low attack complexity, requiring low privileges but no user interaction, resulting in high confidentiality impact.

Official resources