Buffer Overread Vulnerability in Cerberus PRO and Desigo Fire Safety Products
CVE-2024-22040

7.5HIGH

Key Information:

Vendor: Siemens
Status: Cerberus Pro En Engineering Tool; Cerberus Pro En Fire Panel Fc72x Ip6; Cerberus Pro En Fire Panel Fc72x Ip7; Cerberus Pro En Fire Panel Fc72x Ip8
Vendor: CVE Published:; 12 March 2024

What is CVE-2024-22040?

A buffer overread vulnerability has been discovered within the network communication library of various Siemens products, including the Cerberus PRO and Desigo Fire Safety series. The flaw arises from insufficient validation of HMAC values, which can be exploited by unauthenticated remote attackers. By triggering this vulnerability, an attacker could potentially crash the network service, leading to significant operational disruptions. All versions of the affected products must be reviewed and updated to mitigate this risk.

Affected Version(s)

Cerberus PRO EN Engineering Tool 0

Cerberus PRO EN Fire Panel FC72x IP6 0

Cerberus PRO EN Fire Panel FC72x IP7 0

References

https://cert-portal.siemens.com/productcert/html/ssa-2258...

https://cert-portal.siemens.com/productcert/html/ssa-9537...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 12, 2024
Vulnerability Reserved
Jan 4, 2024