Open Redirect in Login Page in SIEMENS-SINEMA Remote Connect

Title: Open Redirect in Login Page
Product: SIEMENS-SINEMA Remote Connect
Vulnerable Version: V1.0 SP3 HF1
Fixed Version: V2.0 has been out since April, 2019
CVE Number: CVE-2022-23102
Impact: low
Found: 18.11.2021
By: A. Ovsyannikova (SEQ LLC - Partner Moscow)

An attacker can abuse an open redirect vulnerability in the login procedure of SIEMENS SINEMA Remote Connect products. It is possible to lure a user to another (malicious) website and, for example, perform phishing attacks.

Vendor description

"Siemens is a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers. By combining the real and the digital worlds, we empower our customers to transform their industries and markets, helping them to transform the everyday for billions of people."

Source: www.siemens.com


Business recommendation

The vendor has provided a patched version for the affected product since April 2019, but the security notes have only now been published.

An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.


Vulnerability overview/description

1) Open Redirect in Login Page (CVE-2022-23102)

An open redirect vulnerability can be triggered by luring a user to authenticate to a SIEMENS-SINEMA Remote Connect device by clicking on a crafted link. By abusing this vulnerability, an attacker could steal logon credentials with a specially crafted phishing page or exploit browser vulnerabilities.


Proof of concept

1) Open Redirect in Login Page (CVE-2022-23102)

After a successful login, the victim is redirected to www.sec-consult.com when the following link is clicked:

https://$IP/wbm/login/?next=https://www.sec-consult.com
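
Added example, not part of the original advisory and not the vendor's fix: a server-side check of the kind that closes this class of bug, validating the `next` parameter before the post-login redirect. The function name safe_next, the default landing path /wbm/ and the sample host 192.0.2.10 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/wbm/"  # assumed post-login landing page (hypothetical)


def safe_next(next_value, request_host, default=DEFAULT_TARGET):
    """Return next_value only if it keeps the user on request_host."""
    if not next_value:
        return default
    candidate = next_value.strip()
    # Browsers drop tabs/newlines inside URLs; reject them outright so
    # "/\t/other.example" cannot collapse into "//other.example".
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    # Browsers treat "\" like "/", so normalise before inspecting.
    candidate = candidate.replace("\\", "/")
    # "//host/..." is scheme-relative and leaves the site.
    if candidate.startswith("//"):
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only an absolute path on this host.
        return candidate if candidate.startswith("/") else default
    # Absolute URL: accept only https on exactly the host being served.
    # Comparing the whole netloc also rejects "host@other.example".
    if parts.scheme == "https" and parts.netloc.lower() == request_host.lower():
        return candidate
    return default


if __name__ == "__main__":
    host = "192.0.2.10"  # constructed sample device address
    for value in ("https://www.sec-consult.com", "/wbm/devices/?page=2"):
        print(value, "->", safe_next(value, host))
```

The check is applied to the value taken from the query string at the moment of redirect, after authentication succeeds, so a rejected value falls back to the default page instead of producing an error the user might retry.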


Vulnerable / tested versions

The following version has been tested and found to be vulnerable:

  • SIEMENS-SINEMA Remote Connect Client V1.0 SP3 HF1 


Vendor contact timeline

2021-12-13 Contacted CERT through cert@siemens.com and requested support for the disclosure process.
2021-12-15 Siemens opened case #32494 to track this issue.
2022-01-12 Security contact informed us that some vulnerabilities were fixed by the vendor back in 2019 but they will issue a CVE and an advisory for 8th Feb 2022.
2022-01-18 Siemens has reserved the CVE number CVE-2022-23102.
2022-02-08 Release of Siemens advisory CVE-2022-23102.
2022-02-09 Release of security advisory.

Solution

The vendor has provided a patched version V2.0 for the affected product since April 2019, but the security notes have only now been published at:

cert-portal.siemens.com/productcert/pdf/ssa-654775.pdf


Workaround

None


Advisory URL

sec-consult.com/vulnerability-lab/

 

EOF A. Ovsyannikova (SEQ LLC - Partner Moscow) / @2022
