Full Report
SIMATIC CN 4100 is vulnerable to improper access control and insecure default configurations that could allow an attacker to gain privilege escalation, and bypass network isolation. Siemens has released an update for SIMATIC CN 4100 and recommends to update to the latest version.
Analysis Summary
# Vulnerability: Improper Access Control and Insecure Defaults in Siemens SIMATIC CN 4100
## CVE Details
- CVE ID: CVE-2023-29130 (Privilege Escalation) and CVE-2023-29131 (Bypass Network Isolation)
- CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C) for CVE-2023-29130; 7.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C) for CVE-2023-29131
- CWE: CWE-284: Improper Access Control (CVE-2023-29130); CWE-276: Incorrect Default Permissions (CVE-2023-29131)
## Affected Systems
- Products: SIMATIC CN 4100
- Versions: All versions prior to V2.5
- Configurations: N/A (vulnerabilities stem from default configurations and internal access controls)
## Vulnerability Description
The SIMATIC CN 4100 is affected by two primary issues:
1. **CVE-2023-29130 (Improper Access Control):** Flaws in the access controls configuration files allow a low-privilege attacker to gain administrative access, leading to complete device control (Privilege Escalation).
2. **CVE-2023-29131 (Insecure Default Configuration):** An incorrect default value in the SSH configuration can be leveraged by a low-privilege attacker to bypass intended network isolation.
## Exploitation
- Status: Exploitation in the Wild/PoC available (Indicated by CVSS vector prefix E:P - Proof of Concept or Exploitable)
- Complexity: Low (AC:L - Attack Complexity Low)
- Attack Vector: Network (AV:N)
## Impact
| Metric | CVE-2023-29130 (Privilege Escalation) | CVE-2023-29131 (Network Bypass) |
| :--- | :--- | :--- |
| Confidentiality | High (Complete device control) | Low |
| Integrity | High (Complete device control) | Low |
| Availability | High (Complete device control) | Low |
## Remediation
### Patches
- Update SIMATIC CN 4100 to **Version V2.5 or later**.
### Workarounds
- No specific workarounds are detailed in the summary, but the vendor strongly recommends following **General Security Recommendations** and implementing robust network access controls to protect devices.
- Review and adhere to Siemens' operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Evidence of unauthorized privilege escalation to administrator level or unexpected network traffic patterns involving the SSH service bypassing expected controls.
- **Detection Methods and Tools:** Monitor access logs for suspicious authentication attempts or privilege changes. Utilize network monitoring to detect deviations from established network segmentation policies around the industrial device.
## References
- Vendor Advisory: SSA-313488
- Siemens Security Portal (For Advisory): hxxps://cert-portal.siemens.com/productcert/html/ssa-313488.html
- Siemens Update Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109814144/
- General Security Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- CWE Link: hxxps://cwe.mitre.org/