PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-36398 Siemens CVE debrief

A local privilege escalation vulnerability in Siemens SINEC NMS allows authenticated users to execute operating system commands with SYSTEM-level privileges. The affected application runs a subset of services as NT AUTHORITY\SYSTEM, creating an attack surface where a local attacker with existing access can elevate privileges to execute arbitrary OS commands. Exploitation requires local access and has low attack complexity, with high impact on confidentiality, integrity, and availability. Siemens has released version 3.0 to address this issue.

Vendor: Siemens
Product: SINEC NMS
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-13
Original CVE updated: 2024-08-13
Advisory published: 2024-08-13
Advisory updated: 2024-08-13

Who should care

Organizations operating Siemens SINEC NMS in industrial control system environments, particularly those with multi-user Windows hosts or shared administrative access. Critical infrastructure operators, manufacturing facilities, and utilities using SINEC NMS for network management should prioritize patching due to the high impact of local privilege escalation in OT environments where lateral movement can have significant operational consequences.

Technical summary

Siemens SINEC NMS, a network management system for industrial environments, executes certain services with NT AUTHORITY\SYSTEM privileges. This misconfiguration allows any authenticated local user to leverage these overprivileged services to execute arbitrary operating system commands with elevated privileges. The vulnerability is rated CVSS 3.1 7.8 HIGH with attack vector LOCAL, attack complexity LOW, and privileges required LOW. Impact is rated HIGH for confidentiality, integrity, and availability. Siemens remediated this in version 3.0 by adjusting service privilege levels.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor fix: Update Siemens SINEC NMS to version 3.0 or later
  • Restrict local access to SINEC NMS hosts to authorized administrators only
  • Monitor for anomalous process execution and privilege escalation attempts on SINEC NMS systems
  • Review service account configurations and apply principle of least privilege where possible
  • Validate backup and recovery procedures before applying updates to critical OT infrastructure
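
The version and service-account checks from the actions above can be scripted per host. The following is an added example, not code from Siemens, CISA, or PatchSiren; the "SINEC" match pattern is an assumption about how the product names its services and uninstall entry and may need adjusting.

```powershell
# Added example (not vendor code): audit a Windows host running SINEC NMS.
# Assumption: service names, display names, or binary paths contain "SINEC";
# adjust $Pattern to match the actual installation.
$Pattern      = 'SINEC'
$FixedVersion = [version]'3.0'   # fixed release named in the advisory

# 1. Matching services and whether they log on as NT AUTHORITY\SYSTEM.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.Name -match $Pattern -or
        $_.DisplayName -match $Pattern -or
        $_.PathName -match $Pattern
    } |
    ForEach-Object {
        [pscustomobject]@{
            Name         = $_.Name
            State        = $_.State
            StartName    = $_.StartName
            RunsAsSystem = $_.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'
            PathName     = $_.PathName
        }
    }
$services | Sort-Object RunsAsSystem -Descending | Format-List

# 2. Installed version, read from the standard Windows uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern } |
    ForEach-Object {
        $parsed = $null
        $clean  = "$($_.DisplayVersion)" -replace '[^0-9.]', ''
        $status = if (-not [version]::TryParse($clean, [ref]$parsed)) {
            'UNKNOWN (check version manually)'
        } elseif ($parsed -lt $FixedVersion) {
            'BELOW 3.0 (update required)'
        } else {
            'AT OR ABOVE 3.0'
        }
        [pscustomobject]@{
            Product = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = $status
        }
    } | Format-Table -AutoSize
```

Services still reported with RunsAsSystem set to True after updating are the ones to carry into the service account review.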

Evidence notes

CISA published advisory ICSA-24-228-06 on 2024-08-13, confirming Siemens SINEC NMS executes services as NT AUTHORITY\SYSTEM. Siemens issued security advisory SSA-784301 with remediation guidance. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms local attack vector with high impact.

Official resources

2024-08-13