Full Report
Affected SIPROTEC 5 devices do not properly limit the access of the web server to the filesystem. This could allow an authenticated remote attacker to read arbitrary files or the entire filesystem of the device. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Improper Limitation of Filesystem Access in Siemens SIPROTEC 5
## CVE Details
- **CVE ID:** CVE-2024-53649
- **CVSS Score:**
  - CVSS v4.0: 7.1 (High)
  - CVSS v3.1: 6.5 (Medium)
- **CWE:** CWE-552 (Files or Directories Accessible to External Parties)
## Affected Systems
- **Products:**
  - SIPROTEC 5 - CP100 Devices (including 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7UT82)
  - SIPROTEC 5 - CP300 Devices (including 7VU85, 6MD89, 7ST85)
  - SIPROTEC 5 Compact - CP050 Devices (7SX800)
- **Versions:**
  - CP100: All versions ≥ V7.80 and < V9.80
  - CP300: All versions < V9.80 (Note: some specific models may require V9.68/V9.90)
  - CP050: All versions < V9.80
- **Configurations:** Systems with the integrated web server enabled.
## Vulnerability Description
Affected SIPROTEC 5 devices do not properly limit the integrated web server's access to the underlying filesystem. Because the web server does not restrict the paths it will serve, it can return files located outside the intended web root. This allows an authenticated attacker to bypass the directory restrictions that would normally confine web requests to the web root.
## Exploitation
- **Status:** Not reported as exploited in the wild; no public PoC is mentioned in the advisory.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Requirement:** Authenticated access (Privileges Required: Low).
## Impact
- **Confidentiality:** High (An attacker can read arbitrary files or the entire device filesystem).
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
Siemens recommends updating affected products to the following versions:
- **SIPROTEC 5 (CP100, CP300, CP050):** Update to **V9.80** or later.
- **Specific CP300 Models:** For 6MD89, update to **V9.68** or later.
### Workarounds
- **Disable Web Server:** If the web interface is not required for operations, disabling the web server mitigates the vulnerability entirely.
- **Network Segmentation:** Ensure devices are situated within a protected IT/OT environment, behind firewalls, or accessible only via VPN.
- **Access Control:** Restrict network access to the web server to authorized management workstations only.
## Detection
- **Indicators of Compromise:** Web server access log entries that request system files or contain directory traversal patterns (e.g., `../`), including percent-encoded variants.
- **Detection methods and tools:** Audit authenticated user activity on the device web interface; use Industrial Control System (ICS)-aware firewalls to monitor for atypical HTTP traffic originating from the substation network.
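To make the log-based indicator above concrete, the following added example (not part of the advisory or any Siemens tooling) scans constructed Common Log Format access-log lines for traversal patterns, decoding percent-encoding repeatedly so that double-encoded `..` segments are caught, and distinguishes requests that merely contain `..` from those that climb above the web root. The log format, user names, addresses and file names are assumptions for illustration.

```python
import re
from urllib.parse import unquote
# Constructed sample access-log lines in Common Log Format (placeholder users,
# addresses and file names); not output from a real SIPROTEC 5 device.
SAMPLE_LOG = """\
10.0.5.21 - operator [12/Jan/2025:08:01:10 +0000] "GET /index.html HTTP/1.1" 200 1532
10.0.5.40 - maint [12/Jan/2025:08:03:50 +0000] "GET /static/../index.html HTTP/1.1" 200 1532
10.0.5.40 - maint [12/Jan/2025:08:03:55 +0000] "GET /static/../../config.txt HTTP/1.1" 200 1211
10.0.5.40 - maint [12/Jan/2025:08:04:02 +0000] "GET /static/%2e%2e%2f%2e%2e%2fconfig.txt HTTP/1.1" 200 1211
10.0.5.40 - maint [12/Jan/2025:08:04:09 +0000] "GET /static/%252e%252e/%252e%252e/config.txt HTTP/1.1" 404 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def decode_path(raw, rounds=3):
    # Strip the query string, then percent-decode repeatedly (catches %252e%252e).
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def classify_path(raw):
    # None for a clean path, 'traversal-within-root' if '..' stays below '/',
    # 'escapes-web-root' if the path climbs above the web root.
    segments = decode_path(raw).split("/")
    if ".." not in segments:
        return None
    depth = 0
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:
                return "escapes-web-root"
        elif seg and seg != ".":
            depth += 1
    return "traversal-within-root"

def scan_log(text):
    # One finding per request carrying a traversal pattern; a 2xx status on an
    # escaping path is the strongest signal that a file outside the root was served.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := classify_path(m["path"])):
            findings.append({"user": m["user"], "ip": m["ip"], "path": m["path"],
                             "status": int(m["status"]), "reason": reason})
    return findings
```

Findings for an escaping path with a 2xx status from an authenticated user should be triaged first, since on an unpatched device they indicate a file outside the web root was most likely returned.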
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-194557[.]pdf
- **Siemens Grid Security:** hxxps://www[.]siemens[.]com/gridsecurity
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories