CVE-2024-44102

A vulnerability has been identified in PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 256 to 1000 V3.1 (6NH9910-0AA31-0AD1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 32 to 64 V3.1 (6NH9910-0AA31-0AF1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 64 to 256 V3.1 (6NH9910-0AA31-0AC1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 8 to 32 V3.1 (6NH9910-0AA31-0AB1) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 1000 V3.1 (6NH9910-0AA31-0AD0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 256 V3.1 (6NH9910-0AA31-0AC0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 32 V3.1 (6NH9910-0AA31-0AF0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 5000 V3.1 (6NH9910-0AA31-0AE0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 64 V3.1 (6NH9910-0AA31-0AB0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 8 V3.1 (6NH9910-0AA31-0AA0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic Serv Upgr (6NH9910-0AA31-0GA1) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic Upgr V3.1 (6NH9910-0AA31-0GA0) (All versions < V3.1.2.1 with redundancy configured). The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-454789.html	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:siemens:telecontrol_server_basic:*:*:*:*:*:*:*:*

History

13 Nov 2024, 23:05

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad en PP TeleControl Server Basic 1000 a 5000 V3.1 (6NH9910-0AA31-0AE1) (Todas las versiones < V3.1.2.1 con redundancia configurada), PP TeleControl Server Basic 256 a 1000 V3.1 (6NH9910-0AA31-0AD1) (Todas las versiones < V3.1.2.1 con redundancia configurada), PP TeleControl Server Basic 32 a 64 V3.1 (6NH9910-0AA31-0AF1) (Todas las versiones < V3.1.2.1 con redundancia configurada), PP TeleControl Server Basic 64 a 256 V3.1 (6NH9910-0AA31-0AC1) (Todas las versiones < V3.1.2.1 con redundancia configurada), PP TeleControl Server Basic 8 a 32 V3.1 (6NH9910-0AA31-0AB1) (Todas las versiones < V3.1.2.1 con redundancia configurada), TeleControl Server Basic 1000 V3.1 (6NH9910-0AA31-0AD0) (Todas las versiones < V3.1.2.1 con redundancia configurada), TeleControl Server Basic 256 V3.1 (6NH9910-0AA31-0AC0) (Todas las versiones < V3.1.2.1 con redundancia configurada), TeleControl Server Basic 32 V3.1 (6NH9910-0AA31-0AF0) (Todas las versiones < V3.1.2.1 con redundancia configurada), TeleControl Server Basic 5000 V3.1 (6NH9910-0AA31-0AE0) (Todas las versiones < V3.1.2.1 con redundancia configurada), TeleControl Server Basic 64 V3.1 (6NH9910-0AA31-0AB0) (Todas las versiones < V3.1.2.1 con redundancia configurada), TeleControl Server Basic 8 V3.1 (6NH9910-0AA31-0AA0) (Todas las versiones < V3.1.2.1 con redundancia configurada), TeleControl Server Basic Serv Upgr (6NH9910-0AA31-0GA1) (Todas las versiones < V3.1.2.1 con redundancia configurada), TeleControl Server Basic Upgr V3.1 (6NH9910-0AA31-0GA0) (Todas las versiones < V3.1.2.1 con redundancia configurada). El sistema afectado permite a los usuarios remotos enviar objetos manipulados con fines malintencionados. Debido a la deserialización insegura del contenido proporcionado por el usuario por parte del software afectado, un atacante no autenticado podría aprovechar esta vulnerabilidad enviando un objeto serializado manipulado con fines malintencionados. Esto podría permitir al atacante ejecutar código arbitrario en el dispositivo con privilegios de SYSTEM.
CPE		cpe:2.3:a:siemens:telecontrol_server_basic::::::::
References	~~() https://cert-portal.siemens.com/productcert/html/ssa-454789.html -~~	() https://cert-portal.siemens.com/productcert/html/ssa-454789.html - Patch, Vendor Advisory
First Time		Siemens Siemens telecontrol Server Basic

12 Nov 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-12 13:15

Updated : 2024-11-13 23:05

NVD link : CVE-2024-44102

Mitre link : CVE-2024-44102

CVE.ORG link : CVE-2024-44102

JSON object : View

Products Affected

siemens

telecontrol_server_basic

CWE

CWE-502

Deserialization of Untrusted Data

10.0 /10