Siemens Healthineers Security Advisories 2024

SQL injection Vulnerability in syngo.plaza VB30E

Publication Date: 2024-12-06
Last Update: 2024-12-06
Current Version: V1.0
CVSS v3.1 Base Score: 9.8
CVSS v4.0 Base Score: 9.3

SUMMARY 

syngo.plaza VB30E contains an unauthenticated SQL injection vulnerability that could allow an attacker to execute malicious SQL commands and compromise the database. Siemens Healthineers has released hot fix HF05 for syngo.plaza VB30E and recommends updating to the latest version.

Affected Product and Versions

syngo.plaza VB30E: All versions < VB30E_HF05, affected by CVE-2024-52335
Remediation: Update to VB30E_HF05 or later version

WORKAROUNDS AND MITIGATIONS 

Product-specific remediations or mitigations can be found in the section Affected Product and Versions.

Please follow the General Security Recommendations.


GENERAL SECURITY RECOMMENDATIONS

In addition, Siemens Healthineers generally recommends the following:

  • Ensure you have appropriate backups and system restoration procedures.
  • Securely delete any backup files that are no longer needed.
  • For specific patch and remediation guidance, contact your local Siemens Healthineers Customer Service Engineer, the customer portal, or your Regional Support Center.

To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you

PRODUCT DESCRIPTION

syngo.plaza is a Picture Archiving and Communication System (PACS) intended to display, process, read, report, print, communicate, distribute, store, and archive digital medical images, including mammographic images. It supports the physician in diagnosis and treatment planning.


VULNERABILITY CLASSIFICATION

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.


Vulnerability CVE-2024-52335

The affected application does not properly sanitize input data before sending it to the SQL server. An attacker with network access to the application could use this vulnerability, without authentication, to execute malicious SQL commands and compromise the whole database.
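The following is an added example, not code from syngo.plaza or from Siemens Healthineers: the advisory does not disclose which component, query or database server is affected, so a constructed SQLite table and a hypothetical login lookup stand in for them. It shows the CWE-89 pattern described above (untrusted input pasted into the SQL text) next to the parameterized form that removes it, and runs two classic payloads against both.

```python
import sqlite3

# Constructed sample rows standing in for an application table. The real
# syngo.plaza schema is not described in the advisory and is not assumed here.
SAMPLE_USERS = [
    ("alice", "s3cret-a"),
    ("bob", "s3cret-b"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """CWE-89 pattern: the input is concatenated into the query text, so a
    quote character in the input ends the string literal and the remainder
    of the input is parsed as SQL. Returns the names the query matched."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, name, password):
    """Hardened form: the query text is fixed and the values are bound as
    parameters, so quotes, OR, UNION and comment markers are just data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def run_payloads():
    """Run a tautology payload and a UNION extraction payload against both
    versions and return what each one gets back."""
    conn = make_db()
    # Makes the WHERE clause always true: no valid credentials needed.
    tautology = "' OR '1'='1"
    # Appends a second SELECT and comments out the rest of the original query,
    # pulling a different column (here the constructed passwords) into the result.
    union = "' UNION SELECT password FROM users --"
    return {
        "vulnerable_tautology": sorted(login_vulnerable(conn, tautology, tautology)),
        "vulnerable_union": sorted(login_vulnerable(conn, union, "x")),
        "fixed_tautology": login_fixed(conn, tautology, tautology),
        "fixed_union": login_fixed(conn, union, "x"),
    }


if __name__ == "__main__":
    for label, rows in run_payloads().items():
        print(label, rows)
```

The vulnerable function returns every user for the tautology and the password column for the UNION payload; the parameterized function returns nothing for either, because the database compares the whole payload as a literal name. Escaping quotes by hand is not an equivalent fix: bound parameters keep the query structure out of the attacker's reach regardless of what characters the input contains.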

CVSS v3.1 Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVSS v4.0 Base Score: 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')


ACKNOWLEDGMENTS 

Siemens Healthineers thanks the following parties for their efforts:

  • Felix Eberstaller and Bernhard Lorenz from Limes Security for coordinated disclosure


ADDITIONAL INFORMATION 

For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link:

https://www.siemens-healthineers.com/support-documentation/cybersecurity


HISTORY DATA 

V1.0 (2024-11-28): Publication Date


TERMS OF USE

The Siemens Healthineers Security Advisories are subject to the terms and conditions contained in Siemens Healthineers' underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of the Siemens Healthineers Global Website (https://www.siemens-healthineers.com/terms-of-use hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.