
Siemens User Management Component um.atbipc.dll Heap-based Buffer Overflow

Critical

Synopsis

A heap-based buffer overflow vulnerability exists in um.abtipc.dll in Siemens User Management Component (UMC). This vulnerability can result in remote code execution if successfully exploited.

Solution

See the vendor advisory for product-specific mitigations.

Disclosure Timeline

October 7, 2024 - Tenable discloses to Siemens. Siemens acknowledges.
November 4, 2024 - Tenable requests status update.
November 5, 2024 - Siemens provides status update. Tentative release for December 12. Tenable acknowledges.
December 4, 2024 - Siemens requests deadline extension based on difficulties in testing the patch. Tenable agrees and suggests new deadline.
December 5, 2024 - New deadline of January 6, 2025 set.
December 16, 2024 - Siemens unexpectedly notifies Tenable that the patch is being released today. Tenable requests information for its advisory.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email bughunters@tenable.com.

Risk Information

CVE ID: CVE-2024-49775
Tenable Advisory ID: TRA-2024-49
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
Opcenter Execution Foundation - All versions
Opcenter Intelligence - All versions
Opcenter Quality - All versions
Opcenter RDL - All versions
SIMATIC PCS neo - see vendor advisory for details
SINEC NMS - All versions if operated in conjunction with UMC < V2.15
Totally Integrated Automation Portal (TIA Portal) - see vendor advisory for details
Risk Factor: Critical

Advisory Timeline

December 17, 2024 - Initial release.