Full Report
SiPass integrated ACC (Advanced Central Controller) devices do not properly check the integrity of firmware updates. This could allow an attacker to upload a maliciously modified firmware onto the device. Siemens recommends specific countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: Improper Integrity Check for SiPass Integrated ACC Firmware Updates
## CVE Details
- CVE ID: CVE-2022-31807
- CVSS Score: 6.2 (Medium) [CVSS v3.1] / 8.2 (High) [CVSS v4.0]
- CWE: CWE-347: Improper Verification of Cryptographic Signature
## Affected Systems
- Products: SiPass integrated AC5102 (ACC-G2), SiPass integrated ACC-AP
- Versions: All versions affected
- Configurations: All configurations. The weakness lies in the firmware update path itself, so any affected device that accepts a firmware update is exposed.
## Vulnerability Description
Affected SiPass integrated Advanced Central Controller (ACC) devices do not verify the integrity of a firmware image before installing it, so a modified image is installed as readily as a genuine one. An attacker can exploit this in two ways: a local attacker uploads a maliciously modified firmware image directly to the device, or a remote attacker positioned on the path between the SiPass integrated server and the device intercepts the firmware transfer and modifies the image in transit.
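The following Go program is an added illustration of the weakness and its fix; it is not code from Siemens or from the SiPass product. The image layout (a small header, the payload, and a trailing Ed25519 signature), the vendor key pair, the `BuildImage`/`InstallUnverified`/`InstallVerified` names and the constructed payload are all assumptions made for this example. It contrasts an update path that installs whatever it can parse with one that refuses any image whose signature does not verify under the vendor public key, and shows that a single flipped payload byte (what an on-path or local attacker would do) passes the first path and fails the second.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (NOT the real SiPass ACC format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | sig(64)
// The signature covers every byte before it.
const (
	magic      = "ACCF"
	headerSize = 12
	sigSize    = ed25519.SignatureSize
)

// Image is what the device would hand to its flashing routine.
type Image struct {
	Version uint32
	Payload []byte
}

// BuildImage serialises header and payload, then appends the vendor's Ed25519 signature.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// parse checks framing only and splits the blob into the signed body and the signature.
func parse(blob []byte) (body, sig []byte, img Image, err error) {
	if len(blob) < headerSize+sigSize || string(blob[:4]) != magic {
		return nil, nil, img, errors.New("bad framing")
	}
	img.Version = binary.BigEndian.Uint32(blob[4:8])
	n := int(binary.BigEndian.Uint32(blob[8:12]))
	if n != len(blob)-headerSize-sigSize {
		return nil, nil, img, errors.New("length mismatch")
	}
	body = blob[:headerSize+n]
	img.Payload = body[headerSize:]
	sig = blob[headerSize+n:]
	return body, sig, img, nil
}

// InstallUnverified models the vulnerable behaviour (CWE-347): the device parses the image
// and installs it without checking who produced it, so any well-framed blob is accepted.
func InstallUnverified(blob []byte) (Image, error) {
	_, _, img, err := parse(blob)
	return img, err
}

// InstallVerified is the hardened form: the device only installs an image whose signature
// verifies under the vendor public key it was provisioned with.
func InstallVerified(pub ed25519.PublicKey, blob []byte) (Image, error) {
	body, sig, img, err := parse(blob)
	if err != nil {
		return Image{}, err
	}
	if !ed25519.Verify(pub, body, sig) {
		return Image{}, errors.New("firmware signature invalid: refusing to install")
	}
	return img, nil
}

// Tamper models an attacker (on-path or local) flipping the first payload byte.
func Tamper(blob []byte) []byte {
	out := append([]byte(nil), blob...)
	out[headerSize] ^= 0xFF
	return out
}

// Demo runs the scenario end to end and reports which path accepted which image.
func Demo() (vulnAcceptsTampered, fixedAcceptsGenuine, fixedRejectsTampered bool, err error) {
	pub, priv, kerr := ed25519.GenerateKey(rand.Reader) // vendor signing key (assumed)
	if kerr != nil {
		return false, false, false, kerr
	}
	genuine := BuildImage(priv, 2, []byte("constructed ACC firmware payload v2"))
	tampered := Tamper(genuine)

	_, e1 := InstallUnverified(tampered)
	_, e2 := InstallVerified(pub, genuine)
	_, e3 := InstallVerified(pub, tampered)
	return e1 == nil, e2 == nil, e3 != nil, nil
}

func main() {
	a, b, c, err := Demo()
	fmt.Println("vulnerable path accepts tampered image:", a)
	fmt.Println("hardened path accepts genuine image:   ", b)
	fmt.Println("hardened path rejects tampered image:  ", c, err)
}
```

The point to take from the two install routines is where the trust boundary sits: TLS on the server-to-controller link would stop the tampered bytes from arriving over the network, but it does nothing about a modified file uploaded locally, whereas a signature check on the image itself rejects both.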
## Exploitation
- Status: No public proof-of-concept confirmed. The advisory describes the attack mechanism (local upload of a modified image, or on-path modification during transfer) but does not reference a published exploit.
- Complexity: Low (CVSS v3.1: AC:L)
- Attack Vector: Local (direct upload of a modified image) or on-path network position (modifying the image in transit between the SiPass integrated server and the controller)
## Impact
- Confidentiality: No impact (N)
- Integrity: High (H) - attacker-controlled firmware runs on the access controller, giving full control of the device.
- Availability: No impact (N) per the CVSS vector. *Note: treat this rating as a floor; attacker-controlled firmware can also disable the controller, so the integrity compromise can translate into availability loss.*
## Remediation
### Patches
- Currently no fix is planned for the affected versions of SiPass integrated AC5102 (ACC-G2) and ACC-AP.
### Workarounds
- **Enable TLS for communication between the SiPass integrated server and the ACC devices:** This mitigates the on-path scenario, where an attacker intercepts and modifies the firmware during transmission. TLS is supported on ACC devices starting with firmware V6.5.1. It does not protect against a local attacker who uploads a modified image directly.
- **General Security Recommendations:** Protect network access to affected products using appropriate mechanisms and operate the devices in a protected IT environment.
## Detection
- **Indicators of Compromise:** A firmware version or image hash on an ACC device that does not match what the SiPass integrated server last deployed, or a firmware update that no administrator initiated.
- **Detection Methods and Tools:** Monitor server-to-controller traffic for firmware transfers that are not TLS-protected (once TLS has been enabled, any plaintext transfer is anomalous) and for transfers outside maintenance windows; periodically compare the firmware version and hash reported by each controller against an inventory of approved images.
## References
- Siemens ProductCERT Advisory SSA-367714: [https://cert-portal.siemens.com/productcert/html/ssa-367714.html](https://cert-portal.siemens.com/productcert/html/ssa-367714.html)
- Siemens General Security Recommendations: [https://cert-portal.siemens.com/productcert/html/ssa-367714.html#general-recommendations](https://cert-portal.siemens.com/productcert/html/ssa-367714.html#general-recommendations)