1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEMA Remote Connect Client
- Vulnerabilities: Integer Overflow or Wraparound, Unprotected Alternate Channel, Improper Restriction of Communication Channel to Intended Endpoints, Stack-based Buffer Overflow, Unrestricted Upload of File with Dangerous Type, Missing Release of Resource after Effective Lifetime
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to overflow memory buffers, impersonate a legitimate user, maintain longer session times, gain elevated privileges, and execute code remotely. The implications of these vulnerabilities are significant, particularly in sectors reliant on the SINEMA Remote Connect Client for secure remote access to industrial control systems.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
- Siemens SINEMA Remote Connect Client: All versions below V3.2 SP3
3.2 VULNERABILITY OVERVIEW
3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190
The tap-windows6 driver version 9.26 and earlier does not properly check the size data of incoming write operations, which an attacker can exploit to overflow memory buffers. This vulnerability can lead to a bug check and potentially arbitrary code execution in kernel space. The assigned CVE-2024-1305 has a CVSS v3 base score of 9.8 and a CVSS v4 score of 9.3, indicating a critical risk level.
3.2.2 UNPROTECTED ALTERNATE CHANNEL CWE-420
If an attacker with SeImpersonatePrivilege creates a named pipe server with a name matching that used by the “Interactive Service,” user interfaces such as OpenVPN-GUI could allow the attacker to impersonate the user running the UI. This vulnerability is identified as CVE-2024-4877, with a CVSS v3 base score of 4.9 and a CVSS v4 score of 6.9.
3.2.3 IMPROPER RESTRICTION OF COMMUNICATION CHANNEL TO INTENDED ENDPOINTS CWE-923
The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, enabling a remote attacker to interact with the privileged OpenVPN interactive service. This vulnerability is documented as CVE-2024-24974, with a CVSS v3 base score of 7.5 and a CVSS v4 score of 8.7.
3.2.4 STACK-BASED BUFFER OVERFLOW CWE-121
The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data that causes a stack overflow, which can be exploited to execute arbitrary code with elevated privileges. This vulnerability is assigned CVE-2024-27459, with a CVSS v3 base score of 7.8 and a CVSS v4 score of 8.5.
3.2.5 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, allowing an attacker to load an arbitrary plug-in that can interact with the privileged OpenVPN interactive service. This vulnerability is identified as CVE-2024-27903, with a CVSS v3 base score of 9.8 and a CVSS v4 score of 9.3.
3.2.6 MISSING RELEASE OF RESOURCE AFTER EFFECTIVE LIFETIME CWE-772
OpenVPN from versions 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients, which can extend the validity of a closing session. This vulnerability is documented as CVE-2024-28882, with a CVSS v3 base score of 6.5 and a CVSS v4 score of 7.1.
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has identified specific workarounds and mitigations users can apply to reduce risk:
- SINEMA Remote Connect Client: Update to V3.2 SP3 or later version.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens advises configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the




