1. EXECUTIVE SUMMARY
CVSS v3 8.0
ATTENTION: Exploitable from an adjacent network with low attack complexity
Vendor: Siemens
Equipment: SIMATIC PCS neo
Vulnerabilities: Missing Authentication for Critical Function, SQL Injection, Permissive Cross-domain Policy with Untrusted Domains, Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker on an adjacent network to gain privileged access, upload additional documents, execute SQL commands, manipulate the actions of legitimate users, and inject JavaScript code that is later executed by another legitimate user.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products are affected:

SIMATIC PCS neo: Versions before V4.1
3.2 Vulnerability Overview
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The PUD Manager of affected products does not properly authenticate users of its web service. This allows an unauthenticated attacker on an adjacent network to generate a privileged token and upload additional documents.
CVE-2023-46096 has been assigned to this vulnerability with a CVSS v3 base score of 6.5.
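
The CWE-306 pattern described above, as an added illustration (not Siemens code, and not the PUD Manager's actual API): a token-issuing handler that mints a privileged upload token without checking who is asking, beside a version that requires a valid session with the right role before issuing one. The session store, role name, signing key and request shape are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for the example: a signing key and a tiny in-memory session store.
# A real service would load the key from protected storage and back sessions with a database.
SIGNING_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-alice": {"user": "alice", "roles": {"document-manager"}}}
REQUIRED_ROLE = "document-manager"   # hypothetical role name for the upload function


def mint_upload_token(user):
    """Create an HMAC-signed token of the form user:unix-timestamp:signature."""
    payload = f"{user}:{int(time.time())}".encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + ":" + sig


def verify_token(token):
    """Check that a token was produced with SIGNING_KEY (constant-time comparison)."""
    user, ts, sig = token.rsplit(":", 2)
    expected = hmac.new(SIGNING_KEY, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def token_endpoint_unauthenticated(request):
    # CWE-306 pattern: nothing establishes the caller's identity before a privileged
    # token is minted, so any client on the network can obtain one.
    return 200, mint_upload_token(request.get("user", "anonymous"))


def token_endpoint_fixed(request):
    # Fixed pattern: resolve the caller from a server-side session first, then check
    # authorization for this specific function, and only then issue the token.
    session = SESSIONS.get(request.get("session_id"))
    if session is None:
        return 401, None            # not authenticated
    if REQUIRED_ROLE not in session["roles"]:
        return 403, None            # authenticated but not permitted
    return 200, mint_upload_token(session["user"])


if __name__ == "__main__":
    print(token_endpoint_unauthenticated({"user": "anyone"}))   # (200, a valid token)
    print(token_endpoint_fixed({}))                             # (401, None)
    print(token_endpoint_fixed({"session_id": "sess-alice"}))  # (200, a valid token)
```

The fix is the ordering: authenticate, authorize, then mint. A token check downstream (verify_token) cannot compensate for the unguarded handler, because the tokens it hands out are genuinely valid.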

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89
The PUD Manager of affected products does not adequately neutralize user-provided input, enabling an authenticated attacker on an adjacent network to execute SQL commands in the underlying database.
CVE-2023-46097 has been assigned to this vulnerability with a CVSS v3 base score of 6.3.
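
The CWE-89 pattern described above, as an added illustration that is not the product's code or schema: a lookup that concatenates user input into the statement text, beside the parameterized form, run against a constructed in-memory SQLite table so the difference is observable.

```python
import sqlite3

# Constructed sample data standing in for a document manager's table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO documents (owner, title) VALUES (?, ?)",
        [("alice", "P&ID sheet 1"), ("alice", "Loop diagram"), ("bob", "Commissioning notes")],
    )
    return conn


def list_titles_vulnerable(conn, owner):
    # CWE-89: the caller-supplied value becomes part of the SQL text, so quote
    # characters in it change the statement's meaning.
    sql = "SELECT title FROM documents WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_titles_fixed(conn, owner):
    # Parameterized query: the driver binds `owner` as data; it can never alter
    # the statement, whatever characters it contains.
    sql = "SELECT title FROM documents WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    conn = make_db()
    probe = "nobody' OR '1'='1"      # a classic tautology used here only as a test input
    print(list_titles_vulnerable(conn, probe))   # every row, regardless of owner
    print(list_titles_fixed(conn, probe))        # [] : no owner has that literal name
    print(list_titles_fixed(conn, "alice"))      # ['P&ID sheet 1', 'Loop diagram']
```

The same rule applies to any driver: pass values as bound parameters and keep identifiers (table and column names) out of user control entirely, since placeholders cannot bind those.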

3.2.3 PERMISSIVE CROSS-DOMAIN POLICY WITH UNTRUSTED DOMAINS CWE-942
The Information Server of affected products uses an overly permissive CORS policy, which allows attackers to manipulate the actions of legitimate users.
CVE-2023-46098 has been assigned to this vulnerability with a CVSS v3 base score of 8.0.
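
The CWE-942 pattern described above, as an added illustration that is not the product's code: a response builder that reflects any Origin header with credentials allowed, beside one restricted to an exact-match allowlist, plus a small audit function a defender can run over captured responses to flag the permissive configuration. The origin names are constructed for the example.

```python
# Constructed allowlist; a real deployment would register its own front-end origins.
TRUSTED_ORIGINS = {"https://infoserver.plant.example", "https://hmi.plant.example"}


def cors_headers_permissive(request_origin):
    # CWE-942 pattern: echo whatever Origin the browser sent and allow credentials.
    # Any site the user visits can then issue credentialed requests and read the response.
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin, trusted=TRUSTED_ORIGINS):
    # Fixed pattern: only exact, pre-registered origins are reflected. Exact set
    # membership also rejects look-alikes such as a trusted name used as a subdomain
    # prefix of another host. Untrusted origins get no CORS headers at all, so the
    # browser withholds the response from the calling page.
    if request_origin in trusted:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",   # keep caches from serving one origin's headers to another
        }
    return {}


def is_cors_overly_permissive(request_origin, response_headers, trusted=TRUSTED_ORIGINS):
    # Audit helper: does this response grant a credentialed cross-origin read to an
    # origin outside the allowlist, or use the wildcard on an authenticated endpoint?
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return False
    if acao in ("*", "null"):
        return True
    return acao == request_origin and request_origin not in trusted and creds


if __name__ == "__main__":
    for origin in ("https://hmi.plant.example",
                   "https://attacker.test",
                   "https://infoserver.plant.example.attacker.test"):
        weak = cors_headers_permissive(origin)
        fixed = cors_headers_allowlisted(origin)
        print(origin, "weak:", is_cors_overly_permissive(origin, weak),
              "fixed:", is_cors_overly_permissive(origin, fixed))
```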

3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
The Administration Console of the affected product contains a stored cross-site scripting vulnerability, enabling an attacker with high privileges to inject JavaScript code executed by another legitimate user.
CVE-2023-46099 has been assigned to this vulnerability with a CVSS v3 base score of 5.4.
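
The CWE-79 pattern described above, as an added illustration that is not the product's code: stored values (here a list of display names, constructed for the example) rendered into an administration table once without encoding and once with context-appropriate escaping at the point of output.

```python
import html

# Constructed "stored" values standing in for data saved through a console form by
# a privileged user. The second and third are the kind of input the fix must neutralize.
STORED_DISPLAY_NAMES = [
    "Operator <Shift A>",
    "<script>alert(document.cookie)</script>",
    'x" onmouseover="alert(1)',
]


def render_row_vulnerable(name):
    # CWE-79: stored text is interpolated into markup unchanged, in both an attribute
    # and a text context, so tags and attribute break-outs reach the browser intact.
    return f'<td title="{name}">{name}</td>'


def render_row_fixed(name):
    # Escape at output time. html.escape encodes < > & and, with quote=True (the
    # default), also " and ', so the value can neither open a tag nor close the attribute.
    safe = html.escape(name, quote=True)
    return f'<td title="{safe}">{safe}</td>'


def render_table(names, renderer):
    return "<table>" + "".join(renderer(n) for n in names) + "</table>"


def contains_active_markup(fragment):
    # Minimal check used to compare the two renderers: did a script tag or an injected
    # event-handler attribute survive into the output?
    lowered = fragment.lower()
    return "<script" in lowered or 'onmouseover="alert' in lowered


if __name__ == "__main__":
    print(render_table(STORED_DISPLAY_NAMES, render_row_vulnerable))
    print(render_table(STORED_DISPLAY_NAMES, render_row_fixed))
```

Escaping belongs at the output boundary for the specific context (HTML text, attribute, URL, script), not only at input validation time: the stored value is legitimate data and must round-trip unchanged, so the rendering layer has to be the one that neutralizes it.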

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Michael Messner from Siemens Energy reported these vulnerabilities to Siemens.

4. MITIGATIONS
Siemens has released an updated version of SIMATIC PCS neo and recommends updating to V4.1 or a later version. Siemens also advises protecting network access with appropriate mechanisms and configuring the environment according to Siemens’ operational guidelines for industrial security.

Source:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-06