Full Report
During establishment of an HTTPS connection to the TLS server of a managed device, SICAM TOOLBOX II improperly validates that device's certificate. This could allow an attacker to execute an on-path network (MitM) attack. Siemens has released a new version for SICAM TOOLBOX II and recommends updating to the latest version. The chapter "Additional Information" provides further guidance on how to prevent on-path network attacks.
Analysis Summary
# Vulnerability: Certificate Validation Flaw in SICAM TOOLBOX II Leading to MitM Attacks
## CVE Details
- CVE ID: CVE-2024-31853, CVE-2024-31854
- CVSS Score: 8.1 (CVSS v3.1) [High]
- CWE: CWE-295: Improper Certificate Validation
## Affected Systems
- Products: SICAM TOOLBOX II
- Versions: All versions prior to V07.11
- Configurations: Occurs during establishment of an HTTPS connection to a managed device's TLS server.
## Vulnerability Description
The vulnerability stems from improper certificate validation performed by SICAM TOOLBOX II when establishing an HTTPS connection to a managed device's TLS server.
**CVE-2024-31853:** The application fails to check the **extended key usage attribute** of the device's certificate.
**CVE-2024-31854:** The application fails to check the device's **certificate common name (CN)** against an expected value.
Both flaws allow an attacker to potentially conduct an on-path network (Man-in-the-Middle, MitM) attack.
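As an added illustration (not code from Siemens or from SICAM TOOLBOX II), the two checks the advisory describes as missing, a serverAuth extended-key-usage check (CVE-2024-31853) and a match of the presented identity against the expected device name (CVE-2024-31854), applied to a simplified, constructed certificate representation; `ParsedCert`, its field names and the sample device names are assumptions made for this example.

```python
from dataclasses import dataclass

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

@dataclass
class ParsedCert:
    """Simplified view of a parsed X.509 certificate (constructed for this example)."""
    common_name: str
    san_dns: tuple = ()
    extended_key_usage: tuple = ()

def eku_permits_server_auth(cert):
    """CVE-2024-31853: a certificate presented by a TLS server must carry id-kp-serverAuth."""
    return SERVER_AUTH_OID in cert.extended_key_usage

def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname

def identity_matches(cert, expected_name):
    """CVE-2024-31854: compare the presented identity with the device we meant to reach.
    dNSName SANs take precedence; the CN is consulted only when no SAN is present."""
    names = cert.san_dns if cert.san_dns else (cert.common_name,)
    return any(name_matches(n, expected_name) for n in names)

def validate_device_cert(cert, expected_name):
    """Return (ok, reason); both checks must pass before the connection is used."""
    if not eku_permits_server_auth(cert):
        return False, "extended key usage does not include serverAuth"
    if not identity_matches(cert, expected_name):
        return False, "certificate identity does not match expected device name"
    return True, "ok"

# Constructed sample certificates (not real device certificates).
GOOD = ParsedCert("rtu-01.substation.example", ("rtu-01.substation.example",), (SERVER_AUTH_OID,))
WRONG_EKU = ParsedCert("rtu-01.substation.example", ("rtu-01.substation.example",), (CLIENT_AUTH_OID,))
WRONG_NAME = ParsedCert("other-host.example", (), (SERVER_AUTH_OID,))

if __name__ == "__main__":
    for c in (GOOD, WRONG_EKU, WRONG_NAME):
        print(c.common_name, validate_device_cert(c, "rtu-01.substation.example"))
```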
## Exploitation
- Status: Exploitation in the wild is not stated in the advisory, and the CVSS score by itself does not indicate whether a proof of concept exists.
- Complexity: High (CVSS AC:H): the flaw is reachable over the network, but the attacker must already hold an on-path position between SICAM TOOLBOX II and the managed device.
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Update SICAM TOOLBOX II to version **V07.11 or later**.
- Relevant Siemens support link: hxxps://support.industry.siemens.com/cs/ww/en/view/109822197/
### Workarounds
1. **General Security Recommendations:** Protect network access using appropriate mechanisms (e.g., firewalls, segmentation, VPN).
2. **Configuration:** Configure the environment according to Siemens operational guidelines to ensure operation in a protected IT environment (reference hxxps://www.siemens.com/gridsecurity).
3. **Device Firmware:** For the fix related to CVE-2024-31854 to be effective for devices CP-8000/8021/8022, CP-8050/31, and SICAM AK3, the **latest firmware must be installed** on those managed devices to enable proper certificate trust handling in the updated SICAM TOOLBOX II.
## Detection
- Detection methods rely on monitoring TLS handshake anomalies or identifying unauthorized connection attempts to managed devices.
- The advisory provides no specific Indicators of Compromise (IOCs); remediation focuses on applying the patch.
## References
- Vendor Advisory: SSA-183963
- Siemens ProductCERT Contact portal: hxxps://www.siemens.com/cert/advisories