Full Report
The CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 contains a hard-coded ID in the SSH authorized_keys configuration file. An attacker with knowledge of the corresponding credential could log in to the device via SSH. Only devices with activated debug support are affected. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Hard-Coded SSH Credential in SICAM A8000 Firmware
## CVE Details
- CVE ID: CVE-2023-36380
- CVSS Score: 9.8 (Critical)
- CWE: CWE-798: Use of Hard-coded Credentials
## Affected Systems
- Products: SICAM A8000 CP-8031 MASTER MODULE (6MF2803-1AA00) and CP-8050 MASTER MODULE (6MF2805-0AA00)
- Versions: All versions < CPCI85 V05.11
- Configurations: Only devices with *activated debug support* are affected.
## Vulnerability Description
The CPCI85 firmware used in the affected SICAM A8000 devices contains a hard-coded ID within the SSH `authorized_keys` configuration file. An attacker who possesses the corresponding private key matching this hard-coded credential can gain unauthorized access to the device via SSH.
## Exploitation
- Status: PoC available (implied by the CVSS temporal metric E:P, Exploit Code Maturity: Proof-of-Concept)
- Complexity: Low (CVSS AC:L - Low Attack Complexity)
- Attack Vector: Network (CVSS AV:N - Network)
## Impact
- Confidentiality: High Impact
- Integrity: High Impact
- Availability: High Impact
## Remediation
### Patches
- Update to CPCI85 firmware version V05.11 or later for both CP-8031 and CP-8050 modules.
### Workarounds
- Siemens recommends applying general security measures, including protecting network access via firewalls, segmentation, and VPNs, and ensuring devices run in a protected IT environment according to operational guidelines.
- Operators in critical power systems should verify that appropriate resilient protection measures (multi-level redundant secondary protection schemes) are in place as required by regulations.
## Detection
- Detection relies on two sources: SSH server logs, reviewed for public-key logins that use keys not issued to maintenance staff, and, where physical or remote access permits file inspection, the `authorized_keys` file on affected devices, audited for entries that the operator did not provision.
- Indicators of Compromise (IoCs) include an SSH login not attributable to legitimate maintenance staff, followed by unauthorized outbound or internal network activity originating from the device's IP address.
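The two checks above, as an added example that is not part of the advisory or of any Siemens tooling: it parses OpenSSH's standard `Accepted publickey` log lines and flags logins whose key fingerprint is not on an operator-maintained allow-list, and it audits `authorized_keys` content for entries whose fingerprint is likewise unknown. The allow-list (`KNOWN_MAINTENANCE_FPS`), the key blobs and the log lines are all constructed for the example; the fingerprint format (`SHA256:` plus unpadded base64 of the digest over the decoded key blob) is OpenSSH's own.

```python
import base64
import hashlib
import re

# sshd logs a successful key login as, for example:
# "... sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50122 ssh2: ED25519 SHA256:<fp>"
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)

# Key types that can start the blob in an authorized_keys entry (options may precede them).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def openssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: base64 of the digest, padding stripped."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def flag_unknown_logins(log_lines, known_fps):
    """Return (user, source, fingerprint) for every accepted key login not on the allow-list."""
    hits = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m and m.group("fp") not in known_fps:
            hits.append((m.group("user"), m.group("src"), m.group("fp")))
    return hits


def audit_authorized_keys(lines, known_fps):
    """Return authorized_keys entries whose key fingerprint is not on the allow-list.

    Limitation: an options field containing quoted spaces is not handled, since the
    entry is split on whitespace.
    """
    unknown = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPE_PREFIXES):
                fp = openssh_fingerprint(fields[i + 1])
                if fp not in known_fps:
                    comment = " ".join(fields[i + 2:])
                    unknown.append({"line": lineno, "type": field, "fp": fp, "comment": comment})
                break
    return unknown


# Constructed key blobs (arbitrary bytes, not real public keys) standing in for file contents.
KEY_A_B64 = base64.b64encode(b"constructed-blob-A").decode()
KEY_B_B64 = base64.b64encode(b"constructed-blob-B").decode()

# Hypothetical allow-list: fingerprints of keys the operator issued to maintenance staff.
KNOWN_MAINTENANCE_FPS = {openssh_fingerprint(KEY_A_B64)}

# Constructed authorized_keys file: one operator key and one entry the operator never provisioned.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample, not the device's real file",
    f"ssh-ed25519 {KEY_A_B64} maintenance@operator",
    f'command="/bin/sh" ssh-rsa {KEY_B_B64} vendor-debug',
]

# Constructed sshd log lines: one login with the allow-listed key, one with an unknown key.
SAMPLE_LOG = [
    f"Jan 12 10:15:02 cp8050 sshd[1201]: Accepted publickey for admin from 192.0.2.5 port 50122 "
    f"ssh2: ED25519 {openssh_fingerprint(KEY_A_B64)}",
    "Jan 12 10:16:40 cp8050 sshd[1207]: Failed password for invalid user test from 192.0.2.9 port 50130 ssh2",
    "Jan 12 10:17:11 cp8050 sshd[1210]: Accepted publickey for root from 192.0.2.77 port 40122 "
    "ssh2: RSA SHA256:UnknownConstructedFingerprint0000000000000000",
]

if __name__ == "__main__":
    for user, src, fp in flag_unknown_logins(SAMPLE_LOG, KNOWN_MAINTENANCE_FPS):
        print(f"login with unknown key: user={user} src={src} fp={fp}")
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_MAINTENANCE_FPS):
        print(f"unknown authorized_keys entry at line {entry['line']}: {entry['type']} {entry['comment']}")
```

On a real deployment the allow-list is the set of fingerprints `ssh-keygen -l` reports for the keys the operator actually issued; any entry or login outside that set is the item to investigate, and the `command=` option on the flagged entry is worth noting because it shows the key was provisioned with a fixed purpose rather than by the operator's process.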
## References
- Vendor Advisory: SSA-134651
- Siemens Support Link (for updates): hXXps://support.industry.siemens.com/cs/ww/en/view/109804985/
- Siemens Security Guidelines: hXXps://www.siemens.com/gridsecurity