Summary
Improper buffer restrictions in the webserver used in SIMA² Master Station software versions < V 2.6 may allow an unauthenticated network-based attacker to stop the cyclic program on the device and cause a denial of service.
Impact
The webserver component of the automation runtime used by the SIMA² Master Station performs insufficient checks when handling file uploads. This can result in a memory violation, which in turn affects the stability of the automation runtime.
An attacker who can reach the webserver could leverage this vulnerability to cause a denial of service of the device; no authentication is required.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
(not stated) | SIMA² Master Station | Firmware < V 2.6 |
Vulnerabilities
Mitigation
AUMA recommends the following specific workarounds and mitigations: access to the SIMA² Master Station should be restricted to legitimate network partners, e.g. by means of an adequate firewall configuration and robust network segmentation. Because the vulnerability can be triggered without authentication, any host that can reach the webserver can trigger it, so network reachability is the only effective control until the update is applied. In general, AUMA recommends implementing the Product Security Guideline for Users on Cybersecurity for the SIMA² Master Station.
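The following is an added example of the recommended network restriction, not a configuration published by AUMA: an nftables allow-list for a perimeter firewall placed in front of the SIMA² Master Station, which admits the station's web ports only from a short list of engineering hosts and logs and drops everything else. The device address (10.10.5.20), the web ports (TCP 80 and 443) and the allowed hosts (10.10.1.10, 10.10.1.11) are assumptions for illustration, not values from the advisory; adjust them to the real network.

```shell
#!/bin/sh
# Added example (not AUMA's own configuration): nftables allow-list for a
# firewall in front of a SIMA² Master Station, restricting its web interface
# to legitimate engineering hosts.
# Assumed values (not from the advisory); override via environment variables.
SIMA_IP="${SIMA_IP:-10.10.5.20}"               # hypothetical station address
SIMA_WEB_PORTS="${SIMA_WEB_PORTS:-80, 443}"     # assumed webserver ports
ALLOWED_HOSTS="${ALLOWED_HOSTS:-10.10.1.10, 10.10.1.11}"  # assumed engineering hosts

# Emit the ruleset as text so it can be reviewed before it is loaded.
sima_ruleset() {
    cat <<EOF
table inet sima_filter {
    set sima_web_clients {
        type ipv4_addr
        elements = { ${ALLOWED_HOSTS} }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Let replies of already established sessions through.
        ct state established,related accept
        # Web interface of the station: only allow-listed hosts may connect.
        ip daddr ${SIMA_IP} tcp dport { ${SIMA_WEB_PORTS} } ip saddr @sima_web_clients accept
        # Any other client addressed to the station's web ports is logged and dropped.
        ip daddr ${SIMA_IP} tcp dport { ${SIMA_WEB_PORTS} } log prefix "sima-web-denied " drop
    }
}
EOF
}

# Return 0 if the given source address is on the allow-list, 1 otherwise.
# Useful for checking a change request against the list before loading it.
host_allowed() {
    case ", ${ALLOWED_HOSTS}," in
        *", $1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ruleset for review; as root, pipe it into `nft -f -` to load it.
sima_ruleset
```

The chain uses the forward hook because the filtering device is a router or firewall between the engineering network and the station, not the station itself; the default policy stays `accept` so that only traffic to the station's web ports is affected, and the final `drop` rule is logged so that unexpected clients show up in the firewall log. Re-loading the file after a change requires deleting the previous `sima_filter` table first, otherwise the rules are appended a second time.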
Remediation
The described vulnerability has been fixed in software version V 2.6 and higher. SIMA² Master Stations running software versions < V 2.6 can be upgraded; AUMA recommends applying the product update at the earliest convenience.
Revision History
Version | Date | Summary |
---|---|---|
1 | 15.06.2022 12:00 | initial revision |
2 | 14.05.2025 15:00 | Fix: added distribution |