Full Report
Multiple SICAM products are affected by unauthorized password reset and firmware downgrade vulnerabilities that could lead to privilege escalation and potential leak of information, namely:

- SICAM A8000 Device firmware CPCI85 for CP-8031/CP-8050
- SICAM EGS Device firmware CPCI85
- SICAM 8 Software Solution SICORE

Siemens has released new firmware versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Unauthorized Password Reset and Firmware Downgrade in Multiple SICAM Products
## CVE Details
- CVE ID: CVE-2024-37998, CVE-2024-39601
- CVSS Score: 9.8 (CVSS v3.1) / 9.3 (CVSS v4.0) for CVE-2024-37998. 6.5 (CVSS v3.1) / 7.1 (CVSS v4.0) for CVE-2024-39601.
- CWE: CWE-620 (Unverified Password Change Vulnerability) for CVE-2024-37998; CWE-306 (Missing Authentication for Critical Function) for CVE-2024-39601.
## Affected Systems
- Products:
  - SICAM A8000 Device firmware
    - CPCI85 for CP-8031/CP-8050
  - SICAM EGS Device firmware
    - CPCI85 (CPCI85 Central Processing/Communication)
  - SICAM 8 Software Solution / SICORE Base system
- Versions:
  - CPCI85: All versions < V5.40
  - SICORE Base system: All versions < V1.4.0
- Configurations: CVE-2024-37998 specifically requires the "auto login feature" to be enabled.
## Vulnerability Description
Two primary vulnerabilities affect the specified SICAM products:
1. **CVE-2024-37998 (Privilege Escalation via Password Reset):** If the auto login feature is enabled on administrative accounts, an unauthorized attacker can reset the password for these administrative accounts without needing the current password. This can lead to complete administrative takeover.
2. **CVE-2024-39601 (Firmware Downgrade):** Affected devices permit a remote authenticated user, or an unauthenticated user with physical access, to downgrade the device firmware. This allows an attacker to revert the system to an older version potentially containing known, exploitable vulnerabilities.
The combined impact could lead to privilege escalation and potential information leakage.
## Exploitation
- Status: The advisory does not state whether these vulnerabilities have been exploited in the wild; the vulnerability-reporting (PoC) context indicates they are exploitable.
- Complexity: Low (for CVE-2024-37998, AV:N/AC:L/PR:N/UI:N).
- Attack Vector: Network (for CVE-2024-37998); Network/Physical (for CVE-2024-39601).
## Impact
| Aspect | Impact Level |
| :--- | :--- |
| Confidentiality | High (due to potential administrative takeover) |
| Integrity | High (due to ability to downgrade firmware or change settings) |
| Availability | High (due to potential unauthorized access and manipulation) |
## Remediation
### Patches
- **CPCI85 (Central Processing/Communication):** Update to **V5.40 or later**. (Firmware V5.40 is included in the "CP-8031/CP-8050 Package" V5.40.)
- **SICORE Base system:** Update to **V1.4.0 or later**. (Firmware V1.4.0 is included in the "SICAM 8 Software Solution Package" V5.40.)
### Workarounds
- **For CVE-2024-37998:** Disable the **auto login feature** on affected products to prevent unauthorized password resets.
- General security measures (see Detection).
## Detection
- **Indicators of Compromise:** Unexpected password resets for administrative accounts; unauthorized firmware version changes detected on network monitoring tools.
- **Detection Methods and Tools:** Monitor system and application logs for attempted and successful administrative panel access following an unauthorized password change event. Compare the firmware version currently running on each device against the patched baseline (CPCI85 V5.40, SICORE Base system V1.4.0). Network segmentation and access controls limit exposure while devices remain unpatched.
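The baseline comparison above is easy to get wrong by hand when version strings have differing numbers of components ("V1.4" versus "V1.4.0"). The following script is an added example, not part of the Siemens advisory or any Siemens tooling: it walks a device inventory, flags entries still below the fixed versions named in this report (CPCI85 < V5.40, SICORE Base system < V1.4.0), and separately flags affected devices that still have the auto login feature enabled, since that is the precondition for CVE-2024-37998. The inventory records, hostnames and the `auto_login` field are constructed for illustration; the version comparison assumes Siemens version strings are dot-separated integers after a leading "V".

```python
"""Firmware baseline check for the SICAM products in SSA-071402.

Added example. The fixed versions come from the advisory; the inventory
below is constructed sample data, and the dot-separated-integer version
format is an assumption about how these version strings are written.
"""
import re

# Minimum fixed firmware per product family, as stated in the advisory.
FIXED_VERSIONS = {
    "CPCI85": "V5.40",   # CP-8031/CP-8050 Package V5.40
    "SICORE": "V1.4.0",  # SICAM 8 Software Solution Package
}

# Constructed inventory (not real devices): host, product, running version,
# and whether the auto login feature is enabled on administrative accounts.
INVENTORY = [
    {"host": "rtu-01", "product": "CPCI85", "version": "V5.30", "auto_login": True},
    {"host": "rtu-02", "product": "CPCI85", "version": "V5.40", "auto_login": True},
    {"host": "sicore-01", "product": "SICORE", "version": "V1.3.2", "auto_login": False},
    {"host": "sicore-02", "product": "SICORE", "version": "V1.4.0", "auto_login": False},
]


def parse_version(version):
    """Turn 'V5.40' into (5, 40) and 'V1.4.0' into (1, 4, 0).

    Only numeric components are compared; a string with no digits is rejected
    rather than silently treated as version zero.
    """
    components = re.findall(r"\d+", version)
    if not components:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(c) for c in components)


def is_vulnerable(product, version):
    """True when the running version is strictly below the fixed version.

    Tuples are zero-padded to equal length so 'V1.4' compares equal to
    'V1.4.0' instead of sorting below it.
    """
    running = parse_version(version)
    fixed = parse_version(FIXED_VERSIONS[product])
    width = max(len(running), len(fixed))
    running += (0,) * (width - len(running))
    fixed += (0,) * (width - len(fixed))
    return running < fixed


def assess(inventory):
    """Return (host, finding) pairs for every device that needs action."""
    findings = []
    for device in inventory:
        product, version = device["product"], device["version"]
        if not is_vulnerable(product, version):
            continue
        findings.append((
            device["host"],
            f"{product} {version} is below {FIXED_VERSIONS[product]}: "
            "affected by CVE-2024-37998 and CVE-2024-39601; update firmware",
        ))
        # The documented workaround for CVE-2024-37998 is to disable auto login,
        # so an affected device that still has it enabled gets a second finding.
        if device.get("auto_login"):
            findings.append((
                device["host"],
                "auto login feature enabled: CVE-2024-37998 precondition met; "
                "disable it until the device is updated",
            ))
    return findings


if __name__ == "__main__":
    for host, finding in assess(INVENTORY):
        print(f"{host}: {finding}")
```

Running the script against the constructed inventory reports three findings: two for `rtu-01` (outdated firmware plus auto login still enabled) and one for `sicore-01` (outdated firmware only). Devices already at V5.40 or V1.4.0 produce nothing, which is the point of zero-padding the version tuples: a baseline recorded as "V1.4" must not be flagged against "V1.4.0".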
## References
- Vendor Advisories: SSA-071402 (Siemens Security Advisory)
- Relevant links:
- Siemens Update Portal 1 (CP-8031/CP-8050 Package): hxxps://support.industry.siemens.com/cs/ww/en/view/109804985/
- Siemens Update Portal 2 (SICAM 8 Software Solution Package): hxxps://support.industry.siemens.com/cs/ww/en/view/109818240/
- General Security Guidelines: hxxps://www.siemens.com/gridsecurity
- ProductCERT Advisories: hxxps://www.siemens.com/cert/advisories