
How to find Siemens devices on your network

Latest Siemens vulnerabilities: SCALANCE and RUGGEDCOM products

Siemens has disclosed multiple vulnerabilities for a variety of products and devices, including the SCALANCE and RUGGEDCOM product lines.

  • CVE-2024-41976 is rated high, with a CVSS score of 7.2, and allows an authenticated attacker to execute arbitrary code by supplying invalid VPN configuration data.
  • CVE-2024-41977 is rated high, with a CVSS score of 7.1, and allows an attacker to escalate their privileges because the devices do not properly enforce user session isolation.
  • CVE-2024-41978 is rated high, with a CVSS score of 6.5, and allows an authenticated attacker to forge the 2FA tokens of other users because the devices store sensitive 2FA information in log files on disk.
  • CVE-2024-44321 is rated medium, with a CVSS score of 2.7, and allows an unauthenticated attacker to cause a denial of service by sending large input data.

What is the impact?

Successful exploitation of these vulnerabilities would allow an authenticated attacker to remotely execute code, escalate their privileges, or forge other users' credentials. The first three vulnerabilities require the attacker to be authenticated before they can be exploited.

The last vulnerability has a lower score, but the device would still need to be restarted if the denial-of-service condition were triggered.

Are updates or workarounds available?

Siemens recommends upgrading all affected devices to firmware V8.1 or later. Additionally, users should ensure these devices are isolated in their own network segments to prevent unwanted network traffic from reaching them.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"RUGGEDCOM" OR hw:"SCALANCE" OR hw:"LOGO"

CVE-2024-35292 – SIMATIC S7-200 SMART Devices (July 2024)

In July 2024, Siemens disclosed a vulnerability in their SIMATIC S7-200 SMART Devices.

CVE-2024-35292 is rated high, with a CVSS score of 8.2. It allowed attackers to predict IP ID sequence numbers as the basis of an attack, which could eventually lead to a denial-of-service condition.

What was the impact?

Successful exploitation of this vulnerability would allow an attacker to issue a denial-of-service condition.

Are updates or workarounds available?

The only workaround was to restrict access to the network where the affected products were located by introducing strict access control mechanisms.

How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:SIMATIC

SENTRON, SCALANCE, and RUGGEDCOM vulnerabilities (March 2024)

In March 2024, Siemens released security advisories for a variety of products and devices, including the SENTRON, SCALANCE, and RUGGEDCOM product lines.

Several of the vulnerabilities had CVSS scores in the 7.0 to 8.9 range (high) and several more in the 9.0 to 10.0 range (critical).

For the full list of vulnerabilities, you can consult Siemens ProductCERT.

What was the impact?

Several of these vulnerabilities allowed for unauthenticated remote code execution, allowing for compromise of the vulnerable systems. Other vulnerabilities could lead to privilege escalation, information disclosure, or denial of service. Users were urged to upgrade as quickly as possible. Siemens released updates via a variety of channels. See Siemens ProductCERT for details.

How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate Siemens assets that were potentially vulnerable:

hardware:Siemens OR hardware:RuggedCom

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

How to find Windows Remote Desktop Licensing Services on your network

Latest vulnerability: CVE-2024-38077 

Microsoft has disclosed multiple vulnerabilities in their Windows Remote Desktop Licensing Service product.

CVE-2024-38077 is rated critical, with a CVSS score of 9.8, and allows an attacker to remotely execute code, which could lead to complete system compromise.

What is the impact?

A heap overflow flaw allows an attacker to send a message that triggers the vulnerability and leads to remote code execution. Code execution in this service could lead to a complete system compromise, giving the attacker full control of the host.

Are updates or workarounds available?

Microsoft has released patches to address this vulnerability. Instances should be updated immediately to the latest patched version. Additionally, if this service is not needed, it is advisable to disable it or, at the very least, ensure it is securely firewalled within business networks.

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

port:135 AND protocol:epm AND _service.epm.uuids:"3d267954-eeb7-11d1-b94e-00c04fa3080d"

You may also search for associated named pipes:

port:135 AND protocol:epm AND _service.epm.pipes:"HydraLsPipe"


How runZero speaks to the TwinCAT 3 Automation Device Specification (ADS) Protocol

In the realm of industrial automation, communication protocols play a crucial role in ensuring seamless interaction between various components and systems. One such protocol in the TwinCAT 3 ecosystem is the Automation Device Specification (ADS) protocol. Developed by Beckhoff Automation, ADS is integral to the TwinCAT 3 software suite, facilitating robust and efficient communication between different automation devices.

What is ADS?

The Automation Device Specification (ADS) protocol is a communication protocol designed to enable interaction between TwinCAT 3 automation devices. ADS functions as a gateway for data exchange and command execution between software applications and hardware components. It operates over TCP/IP networks, ensuring reliable and real-time communication. Both TCP and UDP are supported by the protocol as well as a secure version called Secure ADS which uses TLSv1.2 to secure the TCP connection.

The Role of ADS in TwinCAT 3

TwinCAT 3 leverages ADS to connect its various components. Within this environment, ADS facilitates communication between the TwinCAT runtime, PLCs, and HMI systems. By providing a standardized interface for data exchange, ADS simplifies the integration of different elements within the TwinCAT ecosystem. This integration capability is instrumental in developing sophisticated automation solutions that require interaction between multiple devices and software modules.

runZero Speaks ADS

The runZero research team has been working hard to increase the number of OT protocols that runZero understands. We recently added the ADS protocol for passive scanning to identify devices that speak ADS. Because we have a solid understanding of the OSI model, we have started layering in support for Ethernet-based protocols such as this one.

After reviewing the ADS specification we found that it operates on TCP port 48898 and UDP port 48899. By adding these ports to our broader global ports list we can start to decode the traffic and identify the communicating devices. Although we see all of the traffic on those ports, we are only interested in one specific packet to identify devices: the ADS specification defines a ReadDeviceInfo command (Figure 1) whose response reports the version, build, and name of the device.

FIGURE 1 – ReadDeviceInfo packet layout courtesy of Beckhoff Automation LLC

If the packet decodes successfully as this command, and it arrived on the documented ports above, we can assert that it came from a legitimate ADS device. This gives us a high degree of confidence to continue fingerprinting the device and place it into your asset inventory.
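To make the decoding step concrete, here is an added example (my code, not runZero's) that takes one captured AMS/TCP frame together with its TCP source port and returns a device fingerprint only when the frame is a ReadDeviceInfo response from the documented ADS port. The AMS/TCP header, AMS header and ReadDeviceInfo response layouts are taken from the public Beckhoff ADS specification as I read it; treat the offsets as an assumption to be checked against the spec. The sample frames are constructed for the example.

```python
"""Passive AMS/ADS ReadDeviceInfo decoder (added example, not runZero's code).

Layout assumptions (from the public Beckhoff spec, verify before relying on them):
  AMS/TCP header : reserved u16, length u32 (length = AMS header + data)
  AMS header     : target NetId[6], target port u16, source NetId[6], source port u16,
                   command id u16, state flags u16, data length u32, error code u32,
                   invoke id u32                                       (32 bytes)
  ReadDeviceInfo : result u32, major u8, minor u8, build u16, name[16] (24 bytes)
"""
import struct

ADS_TCP_PORT = 48898        # TCP port from the ADS specification
ADS_UDP_PORT = 48899        # UDP port from the ADS specification (not decoded here)
CMD_READ_DEVICE_INFO = 0x0001
FLAG_RESPONSE = 0x0001      # state flags bit 0: 1 = response, 0 = request
FLAG_ADS_COMMAND = 0x0004   # state flags bit 2: ADS command (vs. system command)

AMS_TCP_HDR = struct.Struct("<HI")
AMS_HDR = struct.Struct("<6sH6sHHHIII")
DEVICE_INFO = struct.Struct("<IBBH16s")


def netid_to_str(raw: bytes) -> str:
    """AMS NetId is six bytes written like an IP address with two extra octets."""
    return ".".join(str(b) for b in raw)


def parse_ams_frame(frame: bytes) -> dict:
    """Split one AMS/TCP frame into header fields and ADS payload, validating lengths."""
    if len(frame) < AMS_TCP_HDR.size + AMS_HDR.size:
        raise ValueError("frame too short for AMS/TCP + AMS header")
    _reserved, ams_len = AMS_TCP_HDR.unpack_from(frame, 0)
    ams = frame[AMS_TCP_HDR.size:AMS_TCP_HDR.size + ams_len]
    if len(ams) != ams_len or ams_len < AMS_HDR.size:
        raise ValueError("AMS length field does not match frame length")
    (t_netid, t_port, s_netid, s_port,
     cmd, flags, data_len, error, invoke) = AMS_HDR.unpack_from(ams, 0)
    data = ams[AMS_HDR.size:AMS_HDR.size + data_len]
    if len(data) != data_len:
        raise ValueError("ADS data length field does not match frame length")
    return {"target_netid": t_netid, "target_port": t_port, "source_netid": s_netid,
            "source_port": s_port, "cmd": cmd, "flags": flags, "error": error,
            "invoke_id": invoke, "data": data}


def fingerprint_from_read_device_info(tcp_src_port: int, frame: bytes):
    """Return a fingerprint dict if `frame` is a clean ReadDeviceInfo response sent
    from the ADS TCP port; return None for anything else (wrong port, request,
    other command, ADS error, truncated payload)."""
    if tcp_src_port != ADS_TCP_PORT:
        return None
    try:
        ams = parse_ams_frame(frame)
    except ValueError:
        return None
    if ams["cmd"] != CMD_READ_DEVICE_INFO or not (ams["flags"] & FLAG_RESPONSE):
        return None
    if ams["error"] != 0 or len(ams["data"]) < DEVICE_INFO.size:
        return None
    result, major, minor, build, name = DEVICE_INFO.unpack_from(ams["data"], 0)
    if result != 0:
        return None
    return {"device_name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
            "version": f"{major}.{minor}.{build}",
            "ams_netid": netid_to_str(ams["source_netid"]),
            "ams_port": ams["source_port"]}


def build_sample_response() -> bytes:
    """Constructed ReadDeviceInfo response: TwinCAT 3.1 build 4024, device name
    'TwinCAT PLC Srv', AMS NetId 192.168.1.10.1.1, AMS port 851 (TC3 PLC runtime)."""
    data = DEVICE_INFO.pack(0, 3, 1, 4024, b"TwinCAT PLC Srv".ljust(16, b"\x00"))
    ams = AMS_HDR.pack(bytes([192, 168, 1, 20, 1, 1]), 32905,
                       bytes([192, 168, 1, 10, 1, 1]), 851,
                       CMD_READ_DEVICE_INFO, FLAG_RESPONSE | FLAG_ADS_COMMAND,
                       len(data), 0, 7)
    return AMS_TCP_HDR.pack(0, len(ams) + len(data)) + ams + data


def build_sample_request() -> bytes:
    """Constructed ReadDeviceInfo request (no data, response flag clear)."""
    ams = AMS_HDR.pack(bytes([192, 168, 1, 10, 1, 1]), 851,
                       bytes([192, 168, 1, 20, 1, 1]), 32905,
                       CMD_READ_DEVICE_INFO, FLAG_ADS_COMMAND, 0, 0, 7)
    return AMS_TCP_HDR.pack(0, len(ams)) + ams


if __name__ == "__main__":
    print(fingerprint_from_read_device_info(ADS_TCP_PORT, build_sample_response()))
    print(fingerprint_from_read_device_info(ADS_TCP_PORT, build_sample_request()))
```

The port check and the response flag check are deliberately separate: a request on port 48898 tells you a client is probing for ADS devices, but only a successful response carries the version, build and name that identify the device itself.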

As industrial automation continues to evolve, so too will the ADS protocol. Future developments may include enhancements to support emerging technologies such as IoT and Industry 4.0. There is potential for increased integration with cloud-based systems and advanced analytics, further expanding the capabilities of ADS. Staying abreast of these trends will be essential for us to further improve our fingerprinting capabilities as this protocol makes its way into other domains outside of industrial automation.



runZero Recognized as a Customers’ Choice in 2024 Gartner® Peer Insights™ Report for Cyber Asset Attack Surface Management (CAASM)

runZero Receives the Highest Willingness to Recommend Rating 96%

AUSTIN, TEXAS — July 22, 2024 — runZero has been peer recognized as a 2024 Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for the Cyber Asset Attack Surface Management (CAASM) market category. Additionally, runZero received the highest willingness to recommend rating of any vendor, at 96%, based on 29 reviews as of 31 March 2024. The “Voice of the Customer” is a document that synthesizes Gartner Peer Insights’ reviews into insights for IT decision makers. This aggregated peer perspective, along with the individual detailed reviews, is complementary to Gartner expert research and can play a key role in your buying process, as it focuses on direct peer experiences of implementing and operating a solution.

With 29 Gartner Peer Insights reviews, the most of any vendor included in the report, runZero received ratings from customers at organizations with annual revenues ranging from 50M to 10B+. Their feedback reflects real-world experiences with the runZero Platform across multiple sectors, including some of the world’s largest enterprises. Reviewers consistently rated runZero highly across various aspects: Product Capabilities (4.7/5) based on 29 reviews, Support Experience (4.6/5) based on 26 reviews, Sales Experience (4.7/5) based on 25 reviews, and Deployment Experience (4.6/5) based on 28 reviews. Here is a sampling of the individual reviews:

  • “An Excellent Inventory Tool. As we say, you can’t secure what you can’t see, and I needed to know what was out there in a highly distributed environment that has 22 business lines, each with a high degree of disparity in their technology needs: cameras, drones, ICS, SCADA, radios, non-traditional IoT devices, and traditional IT infrastructure. We’ve matured significantly in our asset inventory and event response because of this partnership and I think I’d have a mutiny on my hands if I ever took it away!” – IT Security and Risk Management in Government

  • “runZero is a great product for asset management. One of the most standout features of runZero is its asset discovery capabilities. It’s really easy to deploy and it has great accuracy during the scans. Also the speed of the scans is great, giving us the possibility to get results really fast and also accurate. Also its ability to map entire networks without any credentials is a great feature. The product is really user friendly and has great ability to be used with APIs.” – Data Scientist in Software

Many CAASM solutions in the market rely heavily on integrations to inventory assets, leading to incomplete visibility into unknown and unmanaged assets, while others focus solely on IT devices, lacking coverage for OT and IoT assets. The runZero Platform combines powerful proprietary active scanning and native passive discovery with integrations to overcome these limitations, providing a comprehensive, unified solution that delivers complete visibility and accurate, in-depth fingerprinting for all IT, OT, and IoT devices across on-prem, cloud, and remote environments. runZero does not require credentials, agents, or appliances, enabling the platform to start delivering insights into complex environments in just minutes.

“Our approach at runZero sets us apart from traditional CAASM companies. We’re honored to have the market validate the unique path we’ve taken and to be recognized as a Customers’ Choice in our category,” said HD Moore, founder and CEO at runZero. “We are passionate about improving visibility and exposure management for security teams, as well as streamlining their operations and accelerating response times. It’s rewarding to see the success they are having and we appreciate their willingness to share their experience and recommend runZero to their peers.”

Disclaimer: Gartner® and Peer Insights are trademarks of Gartner, Inc. and/or its affiliates. All rights reserved. Gartner® Peer Insights content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.


How to find VMware/Broadcom ESXi installs on your network

Latest Broadcom ESXi vulnerabilities 

Broadcom has disclosed a vulnerability in their ESXi product: members of a particular domain group are granted full administrative access to the ESXi hypervisor host by default, without proper validation of that group.

CVE-2024-37085 is rated medium, with a CVSS score of 6.8, and allows an attacker with sufficient Active Directory (AD) permissions to bypass authentication.

What is the impact?

A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD. The three ways this can be exploited are:

1. Creating the AD group ‘ESX Admins’ in the domain and adding a user to it (known to be exploited in the wild)
2. Renaming another AD group in the domain to ‘ESX Admins’ and adding a new or existing user to it
3. Refreshing the privileges in the ESXi hypervisor when the ‘ESX Admin’ group is unassigned as the management group.
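As an added example (my code, not runZero's or Broadcom's), the following turns the three abuse patterns above into detection logic run over constructed AD audit records, plus a host-configuration check for the third pattern. The records are simplified dicts loosely modelled on Windows Security log events (4727 group created, 4781 account renamed, 4728 member added to a group); the two ESXi advanced setting names are the ones I recall from the Broadcom workaround KB and should be verified against KB369707 before use.

```python
"""Detection for the CVE-2024-37085 'ESX Admins' group abuse patterns.

Added example, not vendor code. Event shapes are constructed; Windows event IDs
used: 4727 (security-enabled global group created), 4781 (account renamed),
4728 (member added to security-enabled global group). ESXi setting names below
are an assumption from memory of KB369707; verify them against the KB.
"""
import re

DEFAULT_GROUP = "ESX Admins"
GROUP_SETTING = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"          # assumed name
AUTOADD_SETTING = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"  # assumed name


def normalize(name: str) -> str:
    """Collapse case and whitespace so 'esx  admins' still matches the default group."""
    return re.sub(r"\s+", " ", name.strip()).lower()


def find_group_abuse(events, group_name=DEFAULT_GROUP):
    """Return (pattern, actor, detail) findings for group creation, rename-to, and
    membership changes that involve the ESXi management group name."""
    target = normalize(group_name)
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 4727 and normalize(ev.get("group", "")) == target:
            findings.append(("group_created", ev["actor"], ev["group"]))
        elif eid == 4781 and normalize(ev.get("new_name", "")) == target:
            findings.append(("group_renamed", ev["actor"],
                             f'{ev["old_name"]} -> {ev["new_name"]}'))
        elif eid == 4728 and normalize(ev.get("group", "")) == target:
            findings.append(("member_added", ev["actor"], ev["member"]))
    return findings


def host_exposure(host):
    """Reasons an AD-joined ESXi host would honour a re-created 'ESX Admins' group:
    the default group name is still in use, or auto-add re-grants the group admin
    rights on the next privilege refresh (pattern 3 above)."""
    reasons = []
    if not host.get("ad_joined"):
        return reasons
    settings = host.get("advanced_settings", {})
    if normalize(settings.get(GROUP_SETTING, DEFAULT_GROUP)) == normalize(DEFAULT_GROUP):
        reasons.append("default 'ESX Admins' group name still configured")
    if settings.get(AUTOADD_SETTING, True):
        reasons.append("esxAdminsGroupAutoAdd enabled: group regains admin on refresh")
    return reasons


# Constructed sample data: one benign group creation, then the three patterns.
SAMPLE_EVENTS = [
    {"event_id": 4727, "actor": "svc_provision", "group": "Finance-Users"},
    {"event_id": 4727, "actor": "jdoe", "group": "ESX Admins"},
    {"event_id": 4781, "actor": "jdoe", "old_name": "Helpdesk", "new_name": "esx  admins"},
    {"event_id": 4728, "actor": "jdoe", "group": "ESX Admins", "member": "jdoe"},
]

SAMPLE_HOSTS = {
    "esxi-01": {"ad_joined": True, "advanced_settings": {}},
    "esxi-02": {"ad_joined": True, "advanced_settings": {
        GROUP_SETTING: "vSphere-Host-Admins-Prod", AUTOADD_SETTING: False}},
    "esxi-03": {"ad_joined": False, "advanced_settings": {}},
}

if __name__ == "__main__":
    for f in find_group_abuse(SAMPLE_EVENTS):
        print("ALERT", *f)
    for name, host in SAMPLE_HOSTS.items():
        print(name, host_exposure(host) or "ok")
```

Running the block lists three alerts (group created, group renamed, member added, all by jdoe) and flags esxi-01 on both counts while esxi-02 and esxi-03 pass; the rename rule matches on the normalized new name, which is why the sloppy "esx  admins" still triggers.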

Are updates or workarounds available?

Product                    Version   Fixed Version       Workarounds
ESXi                       8.0       ESXi80U3-24022510   KB369707
ESXi                       7.0       No Patch Planned    KB369707
VMware Cloud Foundation    5.x       5.2                 KB369707
VMware Cloud Foundation    4.x       No Patch Planned    KB369707

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

os:ESXi

Additionally, using the runZero VMware integration, use the following query to locate virtual machines running inside VMware, which would be affected if their host were compromised:

source:vmware or source:broadcom
