ID

VAR-202409-0113


CVE

CVE-2024-6119


TITLE

Multiple vulnerabilities in Siemens SINEC OS third-party components

Trust: 0.6

sources: CNVD: CNVD-2025-19346

DESCRIPTION

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. The RUGGEDCOM RST2428P is a Layer 2 Ethernet switch based on the SINEC operating system with up to 28 non-blocking interfaces. SCALANCE X switches are used to connect industrial components such as programmable logic controllers (PLCs) or human-machine interfaces (HMIs). Multiple vulnerabilities in third-party components of Siemens' SINEC OS could allow attackers to gain control of the server. ========================================================================== Ubuntu Security Notice USN-6986-1 September 03, 2024 openssl vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: OpenSSL could be made to crash or expose sensitive information if it received a specially crafted certificate. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS libssl3t64 3.0.13-0ubuntu3.4 openssl 3.0.13-0ubuntu3.4 Ubuntu 22.04 LTS libssl3 3.0.2-0ubuntu1.18 openssl 3.0.2-0ubuntu1.18 After a standard system update you need to reboot your computer to make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5764-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso September 03, 2024 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openssl CVE ID : CVE-2024-6119 David Benjamin reported a flaw in the X.509 name checks in OpenSSL, a Secure Sockets Layer toolkit, which may cause an application performing certificate name checks to crash, resulting in denial of service. Additional details can be found in the upstream advisory: https://openssl-library.org/news/secadv/20240903.txt For the stable distribution (bookworm), this problem has been fixed in version 3.0.14-1~deb12u2. We recommend that you upgrade your openssl packages. For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmbXW1pfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RXThAAjRoSSUyNd4LR8nETi9XB31OkPVx0KrvU2hfIRnPUHHb3hOoi8vEKxdqh gd1pHtEKUBB3TBkXnyMuQ1p79+wuIjvV6Jr7uEPK0w2GdvC0KaF4+cohRDB7Xpjk +AjVFprvljePzgR9BcX1LWX/Bj6k7j8Jit4hkSDxeWn2W4NvCk9+1FMaHPa1PCmX Axo83qzlJg/SMcI5s19No3TzY9z9RdXH622J6hZk/DUZi6YMSryxCoAuU7ur/Ol8 zGH8RG9THiC4hcnAnNjOrqAJqlLzoLgFxykwrvYGwWk//fsQsCeR2HXNQJiPBKq0 QyoXP0WFgIbjnQlRfJI2gxwr5KWn77sNnc2vGZ8HXScj+pKOxrdHyp6a3kaZ99AN DCU5UAo36wSUhZyX9I8nNxjZmb2w5fbeFnHkI2xx2onoLeUjv4hzipS4VS0OP5Th qXhXGjLng4L0bIc5Ad/LuC4T/PnXuwfDgMnAQHHM0zjQcDih/TaTfXn1v+j67FIV BxiqD5EI07ms/jysbmpydB4z2Fwl0D09goEtbO2m2ZE+BU4o8dQIk6UB7KiKTBcy VS3uTR7ZG9AbomfHceh9/3ycI0FMTXUXlifU9v3Btuwpb3DnjCwJKaoAEQNrfuV1 OjqV29oZd2ye2bwAC2uveAnS0wxe+26Gsr+PhmdUFSGSAPeULt4= =KHr5 -----END PGP SIGNATURE----- . Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. The following advisory data is extracted from: https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8935.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. - Packet Storm Staff ==================================================================== Red Hat Security Advisory Synopsis: Moderate: edk2 security update Advisory ID: RHSA-2024:8935-03 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2024:8935 Issue date: 2024-11-06 Revision: 03 CVE Names: CVE-2024-6119 ==================================================================== Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description: EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es): * openssl: Possible denial of service in X.509 name checks (CVE-2024-6119) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: https://access.redhat.com/articles/11258 CVEs: CVE-2024-6119 References: https://access.redhat.com/security/updates/classification/#moderate https://bugzilla.redhat.com/show_bug.cgi?id=2306158

Trust: 1.8

sources: NVD: CVE-2024-6119 // CNVD: CNVD-2025-19346 // PACKETSTORM: 181321 // PACKETSTORM: 181323 // PACKETSTORM: 181646 // PACKETSTORM: 182524

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-19346

AFFECTED PRODUCTS

vendor:netappmodel:ontap 9scope:eqversion: -

Trust: 1.0

vendor:netappmodel:active iq unified managerscope:eqversion: -

Trust: 1.0

vendor:netappmodel:h300sscope:eqversion: -

Trust: 1.0

vendor:opensslmodel:opensslscope:gteversion:3.0.0

Trust: 1.0

vendor:netappmodel:management services for element software and netapp hciscope:eqversion: -

Trust: 1.0

vendor:netappmodel:h410cscope:eqversion: -

Trust: 1.0

vendor:opensslmodel:opensslscope:ltversion:3.3.2

Trust: 1.0

vendor:netappmodel:h700sscope:eqversion: -

Trust: 1.0

vendor:opensslmodel:opensslscope:ltversion:3.2.3

Trust: 1.0

vendor:netappmodel:h500sscope:eqversion: -

Trust: 1.0

vendor:netappmodel:h615cscope:eqversion: -

Trust: 1.0

vendor:netappmodel:brocade fabric operating systemscope:eqversion: -

Trust: 1.0

vendor:netappmodel:ontap select deploy administration utilityscope:eqversion: -

Trust: 1.0

vendor:opensslmodel:opensslscope:gteversion:3.1.0

Trust: 1.0

vendor:netappmodel:h610sscope:eqversion: -

Trust: 1.0

vendor:netappmodel:bootstrap osscope:eqversion: -

Trust: 1.0

vendor:netappmodel:h610cscope:eqversion: -

Trust: 1.0

vendor:opensslmodel:opensslscope:gteversion:3.3.0

Trust: 1.0

vendor:opensslmodel:opensslscope:ltversion:3.0.15

Trust: 1.0

vendor:netappmodel:h410sscope:eqversion: -

Trust: 1.0

vendor:netappmodel:ontap toolsscope:eqversion:9

Trust: 1.0

vendor:opensslmodel:opensslscope:gteversion:3.2.0

Trust: 1.0

vendor:netappmodel:500fscope:eqversion: -

Trust: 1.0

vendor:netappmodel:a250scope:eqversion: -

Trust: 1.0

vendor:opensslmodel:opensslscope:ltversion:3.1.7

Trust: 1.0

vendor:netappmodel:c250scope:eqversion: -

Trust: 1.0

vendor:siemensmodel:ruggedcom rst2428pscope:ltversion:v3.1

Trust: 0.6

vendor:siemensmodel:scalance xc-300/xr-300/xc-400/xr-500wg/xr-500 familyscope:ltversion:v3.1

Trust: 0.6

vendor:siemensmodel:scalance xcm-/xrm-/xch-/xrh-300 familyscope:ltversion:v3.1

Trust: 0.6

sources: CNVD: CNVD-2025-19346 // NVD: CVE-2024-6119

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2024-6119
value: HIGH

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-6119
value: HIGH

Trust: 1.0

CNVD: CNVD-2025-19346
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-19346
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2024-6119
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-6119
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-19346 // NVD: CVE-2024-6119 // NVD: CVE-2024-6119

PROBLEMTYPE DATA

problemtype:CWE-843

Trust: 1.0

sources: NVD: CVE-2024-6119

PATCH

title:Patch for Multiple vulnerabilities in Siemens SINEC OS third-party componentsurl:https://www.cnvd.org.cn/patchInfo/show/723071

Trust: 0.6

sources: CNVD: CNVD-2025-19346

EXTERNAL IDS

db:SIEMENSid:SSA-613116

Trust: 1.6

db:NVDid:CVE-2024-6119

Trust: 1.4

db:SIEMENSid:SSA-769027

Trust: 1.0

db:SIEMENSid:SSA-082556

Trust: 1.0

db:OPENWALLid:OSS-SECURITY/2024/09/03/4

Trust: 1.0

db:CNVDid:CNVD-2025-19346

Trust: 0.6

db:PACKETSTORMid:181321

Trust: 0.1

db:PACKETSTORMid:181323

Trust: 0.1

db:PACKETSTORMid:181646

Trust: 0.1

db:PACKETSTORMid:182524

Trust: 0.1

sources: CNVD: CNVD-2025-19346 // PACKETSTORM: 181321 // PACKETSTORM: 181323 // PACKETSTORM: 181646 // PACKETSTORM: 182524 // NVD: CVE-2024-6119

REFERENCES

url:https://cert-portal.siemens.com/productcert/html/ssa-613116.html

Trust: 1.6

url:https://openssl-library.org/news/secadv/20240903.txt

Trust: 1.1

url:http://www.openwall.com/lists/oss-security/2024/09/03/4

Trust: 1.0

url:https://cert-portal.siemens.com/productcert/html/ssa-082556.html

Trust: 1.0

url:https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6

Trust: 1.0

url:https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f

Trust: 1.0

url:https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2

Trust: 1.0

url:https://security.netapp.com/advisory/ntap-20240912-0001/

Trust: 1.0

url:https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0

Trust: 1.0

url:https://lists.freebsd.org/archives/freebsd-security/2024-september/000303.html

Trust: 1.0

url:https://cert-portal.siemens.com/productcert/html/ssa-769027.html

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2024-6119

Trust: 0.4

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://bugzilla.redhat.com/show_bug.cgi?id=2306158

Trust: 0.2

url:https://ubuntu.com/security/notices/usn-6986-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.4

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.18

Trust: 0.1

url:https://security-tracker.debian.org/tracker/openssl

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6783.json

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2024:6783

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2024:8935

Trust: 0.1

url:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8935.json

Trust: 0.1

sources: CNVD: CNVD-2025-19346 // PACKETSTORM: 181321 // PACKETSTORM: 181323 // PACKETSTORM: 181646 // PACKETSTORM: 182524 // NVD: CVE-2024-6119

CREDITS

Red Hat

Trust: 0.2

sources: PACKETSTORM: 181646 // PACKETSTORM: 182524

SOURCES

db:CNVDid:CNVD-2025-19346
db:PACKETSTORMid:181321
db:PACKETSTORMid:181323
db:PACKETSTORMid:181646
db:PACKETSTORMid:182524
db:NVDid:CVE-2024-6119

LAST UPDATE DATE

2026-06-19T21:46:56.847000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2025-19346date:2025-08-22T00:00:00
db:NVDid:CVE-2024-6119date:2026-05-12T12:17:20.647

SOURCES RELEASE DATE

db:CNVDid:CNVD-2025-19346date:2025-08-12T00:00:00
db:PACKETSTORMid:181321date:2024-09-04T15:09:47
db:PACKETSTORMid:181323date:2024-09-04T15:11:16
db:PACKETSTORMid:181646date:2024-09-19T13:38:57
db:PACKETSTORMid:182524date:2024-11-06T19:15:15
db:NVDid:CVE-2024-6119date:2024-09-03T16:15:07.177