PatchSiren cyber security CVE debrief

CVE-2024-49704 Siemens CVE debrief

## Summary CVE-2024-49704 is a medium-severity XML External Entity (XXE) vulnerability affecting Siemens COMOS V10.3 and multiple V10.4.x versions. The flaw resides in the Generic Data Mapper, Engineering Adapter, and Engineering Interface components, which improperly handle XXE entries when parsing configuration and mapping files. An attacker could exploit this by persuading a user to open a maliciously crafted file, potentially extracting arbitrary files from the user's system or accessible network locations. ## Affected Products - COMOS V10.3 (patch available) - COMOS V10.4.0, V10.4.1, V10.4.2 (no fix planned) - COMOS V10.4.3 (patch available) - COMOS V10.4.4 (update to V10.4.4.2 or later) - COMOS V10.4.4.1 (update to V10.4.4.1.21 or later) ## Technical Details The vulnerability stems from improper XML parsing that allows external entity resolution. When a user opens a malicious configuration or mapping file in any of the three affected components, the XXE payload can trigger file disclosure from known paths on the local system or network shares. This represents a local attack vector requiring user interaction. ## Remediation Status Siemens has provided patches for most affected versions, though V10.4.0 through V10.4.2 have no planned fixes. Users on these versions should apply the documented mitigations. Patches for V10.3 and V10.4.3 are available upon request from Siemens customer support, while V10.4.4.x updates can be obtained through standard support channels. ## Recommended Actions 1. Apply vendor patches where available for supported versions 2. For versions without fixes, strictly control access to configuration and mapping files 3. Implement file integrity monitoring for critical configuration directories 4. Train users to avoid opening untrusted files from external sources 5. Apply principle of least privilege to file system and network share access