CVE-2024-22039

Description

A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions < IP8), Cerberus PRO EN Fire Panel FC72x IP6 (All versions < IP6 SR3), Cerberus PRO EN Fire Panel FC72x IP7 (All versions < IP7 SR5), Cerberus PRO EN X200 Cloud Distribution IP7 (All versions < V3.0.6602), Cerberus PRO EN X200 Cloud Distribution IP8 (All versions < V4.0.5016), Cerberus PRO EN X300 Cloud Distribution IP7 (All versions < V3.2.6601), Cerberus PRO EN X300 Cloud Distribution IP8 (All versions < V4.2.5015), Cerberus PRO UL Compact Panel FC922/924 (All versions < MP4), Cerberus PRO UL Engineering Tool (All versions < MP4), Cerberus PRO UL X300 Cloud Distribution (All versions < V4.3.0001), Desigo Fire Safety UL Compact Panel FC2025/2050 (All versions < MP4), Desigo Fire Safety UL Engineering Tool (All versions < MP4), Desigo Fire Safety UL X300 Cloud Distribution (All versions < V4.3.0001), Sinteso FS20 EN Engineering Tool (All versions < MP8), Sinteso FS20 EN Fire Panel FC20 MP6 (All versions < MP6 SR3), Sinteso FS20 EN Fire Panel FC20 MP7 (All versions < MP7 SR5), Sinteso FS20 EN X200 Cloud Distribution MP7 (All versions < V3.0.6602), Sinteso FS20 EN X200 Cloud Distribution MP8 (All versions < V4.0.5016), Sinteso FS20 EN X300 Cloud Distribution MP7 (All versions < V3.2.6601), Sinteso FS20 EN X300 Cloud Distribution MP8 (All versions < V4.2.5015), Sinteso Mobile (All versions < V3.0.0). The network communication library in affected systems does not validate the length of certain X.509 certificate attributes which might result in a stack-based buffer overflow. This could allow an unauthenticated remote attacker to execute code on the underlying operating system with root privileges.

CVSS 3.1: 10.0
Severity: Critical
EPSS: 6.97% (Top 10%)
Vendor Advisory: siemens.com
Affected: Siemens Cerberus PRO EN Engineering Tool
Affected: Siemens Cerberus PRO EN Fire Panel FC72x IP6
Affected: Siemens Cerberus PRO EN Fire Panel FC72x IP7
Affected: Siemens Cerberus PRO EN X200 Cloud Distribution IP7
Affected: Siemens Cerberus PRO EN X200 Cloud Distribution IP8
Affected: Siemens Cerberus PRO EN X300 Cloud Distribution IP7
Affected: Siemens Cerberus PRO EN X300 Cloud Distribution IP8
Affected: Siemens Cerberus PRO UL Compact Panel FC922/924
Affected: Siemens Cerberus PRO UL Engineering Tool
Affected: Siemens Cerberus PRO UL X300 Cloud Distribution
Affected: Siemens Desigo Fire Safety UL Compact Panel FC2025/2050
Affected: Siemens Desigo Fire Safety UL Engineering Tool
Affected: Siemens Desigo Fire Safety UL X300 Cloud Distribution
Affected: Siemens Sinteso FS20 EN Engineering Tool
Affected: Siemens Sinteso FS20 EN Fire Panel FC20 MP6
Affected: Siemens Sinteso FS20 EN Fire Panel FC20 MP7
Affected: Siemens Sinteso FS20 EN X200 Cloud Distribution MP7
Affected: Siemens Sinteso FS20 EN X200 Cloud Distribution MP8
Affected: Siemens Sinteso FS20 EN X300 Cloud Distribution MP7
Affected: Siemens Sinteso FS20 EN X300 Cloud Distribution MP8
Affected: Siemens Sinteso Mobile

Frequently Asked Questions

What is the severity of CVE-2024-22039?
CVE-2024-22039 has been scored as a critical severity vulnerability.
How to fix CVE-2024-22039?
To fix CVE-2024-22039, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. For now, there are no other specific guidelines available.
Is CVE-2024-22039 being actively exploited in the wild?
Based on public information, it is possible that CVE-2024-22039 is being exploited or will be exploited in the near future. According to its EPSS score, there is a ~7% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-22039?
CVE-2024-22039 affects Siemens Cerberus PRO EN Engineering Tool, Siemens Cerberus PRO EN Fire Panel FC72x IP6, Siemens Cerberus PRO EN Fire Panel FC72x IP7, Siemens Cerberus PRO EN X200 Cloud Distribution IP7, Siemens Cerberus PRO EN X200 Cloud Distribution IP8, Siemens Cerberus PRO EN X300 Cloud Distribution IP7, Siemens Cerberus PRO EN X300 Cloud Distribution IP8, Siemens Cerberus PRO UL Compact Panel FC922/924, Siemens Cerberus PRO UL Engineering Tool, Siemens Cerberus PRO UL X300 Cloud Distribution, Siemens Desigo Fire Safety UL Compact Panel FC2025/2050, Siemens Desigo Fire Safety UL Engineering Tool, Siemens Desigo Fire Safety UL X300 Cloud Distribution, Siemens Sinteso FS20 EN Engineering Tool, Siemens Sinteso FS20 EN Fire Panel FC20 MP6, Siemens Sinteso FS20 EN Fire Panel FC20 MP7, Siemens Sinteso FS20 EN X200 Cloud Distribution MP7, Siemens Sinteso FS20 EN X200 Cloud Distribution MP8, Siemens Sinteso FS20 EN X300 Cloud Distribution MP7, Siemens Sinteso FS20 EN X300 Cloud Distribution MP8, Siemens Sinteso Mobile.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.