
CVE-2024-54678: Local Arbitrary Code Execution Vulnerability in SIMATIC and SIRIUS Products


Overview

The discovery of the CVE-2024-54678 vulnerability has raised concerns among organizations and users running a wide range of SIMATIC and SIRIUS products. This vulnerability, which could potentially allow local authenticated attackers to run arbitrary code within the affected application, poses a high risk due to its impact on system integrity. The issue arises from the improper sanitization of Interprocess Communication (IPC) input received through a Windows Named Pipe. As a result, organizations face threats of system compromise and data leakage, emphasizing the critical need for immediate mitigation.

Vulnerability Summary

CVE ID: CVE-2024-54678
Severity: High (8.2 CVSS v3)
Attack Vector: Local
Privileges Required: Low
User Interaction: Required
Impact: System compromise, data leakage

Affected Products


Product | Affected Versions

SIMATIC PCS neo | V4.1 – V6.0 (All versions)
SIMATIC STEP 7 | V17 – V20 (All versions < V19 Update 4)
SIMATIC WinCC | V17 – V20 (All versions < V19 Update 4)
SIMOCODE ES | V17 – V20 (All versions)
SINAMICS Startdrive | V17 – V20 (All versions)
SIRIUS Safety ES (TIA Portal) | V17 – V20 (All versions)
SIRIUS Soft Starter ES (TIA Portal) | V17 – V20 (All versions)
TIA Portal Cloud | V17 – V20 (All versions < V5.2.1.1)
TIA Portal Test Suite | V20 (All versions)

How the Exploit Works

The vulnerability arises from the affected products’ failure to properly sanitize Interprocess Communication (IPC) input received through a Windows Named Pipe, which is accessible to all local users. This lack of sanitization can lead to type confusion, allowing an authenticated local attacker to exploit this vulnerability and execute arbitrary code within the context of the affected application.
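The defensive fix for this class of bug is strict validation of every IPC message before it reaches a dispatcher: the declared type is checked against an allowlist and each field is checked against the exact type the schema expects, so a message like the `'type': 'Any'` payload above is dropped instead of coerced. The following is an added example, not code from the advisory or from Siemens; the message types, the JSON framing and the schema are assumptions, and the named-pipe transport is left out so the validator runs on plain bytes.

```python
import json

# Allowlisted message types and the exact shape each may carry. These names
# are constructed for this example; the real TIA Portal IPC schema is not public.
SCHEMA = {
    "Ping": {"value": str},
    "GetStatus": {"value": int},
}
MAX_MESSAGE_BYTES = 4096


class IpcRejected(ValueError):
    """Raised when a message fails validation; the caller logs and drops it."""


def validate_ipc_message(raw: bytes) -> dict:
    """Parse and validate one IPC message before any handler sees it."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise IpcRejected("message too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise IpcRejected(f"malformed message: {exc}") from None
    if not isinstance(msg, dict):
        raise IpcRejected("message must be a JSON object")
    msg_type = msg.get("type")
    if msg_type not in SCHEMA:  # 'Any' or any unknown type never reaches a handler
        raise IpcRejected(f"unexpected type {msg_type!r}")
    expected = SCHEMA[msg_type]
    if set(msg) != {"type", *expected}:
        raise IpcRejected("unexpected or missing fields")
    for field, ftype in expected.items():
        # Exact type match: bool is a subclass of int in Python, so isinstance()
        # would let a boolean pass as an integer. That is the kind of silent
        # coercion that turns into type confusion downstream.
        if type(msg[field]) is not ftype:
            raise IpcRejected(f"field {field!r} has wrong type")
    return msg


def handle(raw: bytes) -> str:
    """Dispatch a validated message; anything that fails validation is refused."""
    try:
        msg = validate_ipc_message(raw)
    except IpcRejected as exc:
        return f"rejected: {exc}"
    return f"handled {msg['type']}"
```

In a real server the same check would sit between the pipe read and the deserializer, and the pipe itself would be created with a security descriptor that does not grant access to all local users.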

Conceptual Example Code

While the specific exploit details are not disclosed to avoid misuse, a conceptual example of the exploit would look like this:

```text
# Conceptual pseudocode only: the pipe name and message format are placeholders,
# not the real SIMATIC/TIA Portal IPC interface.
# Connect to the named pipe (note: on Win32 a client opens an existing pipe with
# CreateFile; ConnectNamedPipe is the server-side call that waits for a client)
handle = ConnectNamedPipe("\\\\.\\pipe\\vulnerable_pipe", PIPE_ACCESS_DUPLEX)
# Send a message whose declared type does not match its content, which is
# what triggers the type confusion described above
result = WriteFile(handle, "{ 'type': 'Any', 'value': 'Malicious payload' }")
# Read the response; the unsanitized message is processed in the context
# of the affected application
result = ReadFile(handle, buffer, nBytesToRead, &nBytesRead, NULL)
```

This pseudocode demonstrates how an attacker could use the `ConnectNamedPipe` function to connect to a vulnerable named pipe, then use the `WriteFile` function to write a malicious payload to the pipe. The payload’s execution could then be triggered with the `ReadFile` function.


Disclaimer:

The information and code presented in this article are provided for educational and defensive cybersecurity purposes only. Any conceptual or pseudocode examples are simplified representations intended to raise awareness and promote secure development and system configuration practices.

Do not use this information to attempt unauthorized access or exploit vulnerabilities on systems that you do not own or have explicit permission to test.

Ameeba and its authors do not endorse or condone malicious behavior and are not responsible for misuse of the content. Always follow ethical hacking guidelines, responsible disclosure practices, and local laws.