Siemens COMOS
cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*
- >= 10.4, <= 10.4.5
- >= 10.5, <= 10.5.2
- >= 10.6, <= 10.6
A vulnerability exists in Siemens COMOS V10.6, the SALT SDK, and several other products, all of which lack proper server certificate validation when establishing TLS connections to authorization servers. This flaw could enable an attacker to execute a man-in-the-middle attack. Affected products include COMOS V10.6, JT Bi-Directional Translator for STEP, NX V2412 and V2506, Simcenter 3D and Femap, Simcenter Studio, Simcenter System Architect, and Tecnomatix Plant Simulation versions prior to V2504.0007.
Exploitation of this vulnerability could lead to unauthorized interception and manipulation of data exchanged over TLS through a man-in-the-middle attack.
Users of COMOS V10.6, JT Bi-Directional Translator for STEP, Simcenter Studio, and Simcenter System Architect should await further updates from Siemens, as no fixes are currently available. For NX V2412, NX V2506, Simcenter 3D, and Simcenter Femap, users should update to the latest versions. Instructions for downloading these updates are available on the Siemens Support website.