Full Report
SICAM T devices before V3.0 contain multiple vulnerabilities. These include critical issues such as improper parameter and input validation, several Cross-Site Scripting (XSS) vulnerabilities, and a Cross-Site Request Forgery (CSRF) vulnerability. Additional weaknesses comprise session fixation, authentication and authorization bypasses, missing HTTPS protection, and missing cookie protection flags. These issues could lead to remote code execution, denial of service, unauthorized access to web-interface functionality, session hijacking, impersonation of legitimate users, or allow an attacker to perform arbitrary actions on the device on behalf of a user. Siemens has released a new version for SICAM T and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Siemens SICAM T
## CVE Details
- **CVE IDs:**
  - **Critical:** CVE-2022-43439 (9.9), CVE-2022-41665 (9.8)
  - **High:** CVE-2022-29881 (7.5), CVE-2022-29878 (7.5), [and others]
  - **Medium/Low:** CVE-2023-31238 (5.5), CVE-2023-30901 (4.3)
- **CVSS Score:** 9.9 (Critical) / 9.3 (CVSS v4.0)
- **CWE:** CWE-20 (Improper Input Validation), CWE-141 (Improper Neutralization of Parameters), CWE-384 (Session Fixation), CWE-352 (CSRF), CWE-732 (Incorrect Permission Assignment).
## Affected Systems
- **Products:** SICAM T Digital Measurement Transducer
- **Versions:** All versions prior to V3.0
- **Configurations:** Devices with the web interface enabled (typically port 443/tcp).
## Vulnerability Description
SICAM T devices suffer from a cumulative set of security weaknesses in their web management interface. The most severe flaws (CVE-2022-43439 and CVE-2022-41665) involve improper validation of GET request parameters and the "Language-parameter." These allow attackers to manipulate the program counter or cause memory corruption. Additional flaws include a lack of CSRF protection, session fixation vulnerabilities, and missing cookie flags, which collectively compromise the integrity of the administrative session management.
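The following Python sketch is an added illustration, not SICAM T firmware code or anything published by Siemens. It shows, in a generic web session handler, the three controls whose absence the description names: regenerating the session id on login (the defence against session fixation), issuing the session cookie with Secure, HttpOnly and SameSite flags, and binding a per-session CSRF token that every state-changing request must present. The `SESSIONS` store and the function names are assumptions made for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: session_id -> {"user": ..., "csrf": ...}
SESSIONS = {}


def new_session():
    """Create an anonymous (pre-login) session and return its id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
    return sid


def login(sid, user):
    """Authenticate a session. The id is regenerated so that a session id an
    attacker planted before authentication (session fixation) is never
    promoted to an authenticated one; the old id is invalidated."""
    SESSIONS.pop(sid, None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return new_sid


def session_cookie_header(sid):
    """Build the Set-Cookie header with the protection flags the advisory
    reports as missing: Secure (sent over HTTPS only), HttpOnly (not readable
    by script), SameSite=Strict (not attached to cross-site requests)."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


def csrf_token(sid):
    """Token to embed in forms rendered for this session."""
    return SESSIONS[sid]["csrf"]


def handle_state_change(sid, submitted_token):
    """Accept a state-changing request only from an authenticated session
    that presents the CSRF token tied to that same session. Returns
    (accepted, reason)."""
    session = SESSIONS.get(sid)
    if session is None or session["user"] is None:
        return False, "not authenticated"
    # constant-time comparison avoids leaking the token through timing
    if not hmac.compare_digest(session["csrf"], submitted_token or ""):
        return False, "csrf check failed"
    return True, "ok"


if __name__ == "__main__":
    pre_login = new_session()           # id a visitor (or attacker) held before login
    authed = login(pre_login, "admin")  # login hands out a fresh id
    print("old id still valid:", pre_login in SESSIONS)          # False
    print(session_cookie_header(authed))
    print(handle_state_change(authed, csrf_token(authed)))        # (True, 'ok')
    print(handle_state_change(authed, "forged"))                  # (False, 'csrf check failed')
```

The important ordering detail is in `login`: the pre-login id is dropped before the authenticated record is created, so an id supplied by a third party can never become an authenticated session.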
## Exploitation
- **Status:** PoC available (indicated by CVSS "Exploit Code Maturity: Proof-of-Concept").
- **Complexity:** Low to High (depending on the specific CVE; RCE is Low complexity for CVE-2022-41665).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Potential for full data access/session hijacking)
- **Integrity:** High (Remote Code Execution and unauthorized configuration changes)
- **Availability:** High (Denial of Service/Device crashing)
## Remediation
### Patches
- **Upgrade to V3.0 or later:** Siemens has released a firmware update that addresses all listed vulnerabilities.
- Download link: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109743625/
### Workarounds
- **Network Segmentation:** Restrict access to port 443/tcp to trusted IP addresses only.
- **Access Control:** Do not click links from untrusted sources while logged into the SICAM T web interface.
- **General Hardening:** Use firewalls and VPNs to ensure the device is not reachable from the open internet.
## Detection
- **Indicators of Compromise:** Unusual device reboots, unauthorized changes to measurement assignments, or unexpected administrative logins.
- **Detection methods and tools:** Monitor network traffic for malformed GET requests targeting the web interface parameters. Audit web server logs for suspicious "Language-parameter" strings.
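As an added example of the log audit suggested above (not a Siemens tool, and the log lines are constructed for illustration rather than taken from a real SICAM T), the Python below parses Common Log Format entries from the device's web server and flags requests whose `Language` parameter does not look like a language code, whose query string is unusually long, or whose parameter values contain non-printable characters. The expected-format regex and the 256-byte query threshold are assumptions to tune per deployment.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (Common Log Format); not real device logs.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/May/2023:10:01:02 +0000] "GET /index.html?Language=en HTTP/1.1" 200 1234',
    '10.0.0.5 - - [12/May/2023:10:01:09 +0000] "GET /config.html?Language=de HTTP/1.1" 200 2048',
    # overlong value: the kind of malformed parameter the advisory warns about
    '198.51.100.7 - - [12/May/2023:10:02:17 +0000] "GET /index.html?Language='
    + "A" * 300 + ' HTTP/1.1" 500 0',
    # quote/angle-bracket characters, outside anything a language code contains
    '198.51.100.7 - - [12/May/2023:10:02:20 +0000] "GET /index.html?Language=%27%22%3C HTTP/1.1" 200 1234',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed shape of a legitimate value: "en", "de", "en-US", "pt_BR" and similar.
LANG_OK = re.compile(r"^[A-Za-z]{2,3}(?:[-_][A-Za-z]{2,4})?$")
MAX_QUERY_LEN = 256  # assumed threshold for the device's small web interface


def parse_line(line):
    """Parse one CLF line into a dict with the decoded query parameters.
    Returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def audit_request(rec):
    """Return a list of finding strings for a parsed request (empty if clean)."""
    findings = []
    if len(rec["query"]) > MAX_QUERY_LEN:
        findings.append("oversized query string (%d bytes)" % len(rec["query"]))
    for name, value in rec["params"]:
        if name.lower() == "language" and not LANG_OK.match(value):
            findings.append("malformed Language parameter: %r" % value[:40])
        elif not value.isprintable():
            findings.append("non-printable bytes in parameter %r" % name)
    return findings


def audit_log(text):
    """Run the audit over a whole log and collect alerts per request."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = audit_request(rec)
        if findings:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                           "path": rec["path"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in audit_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["path"])
        for f in alert["findings"]:
            print("   ", f)
```

Feeding the constructed sample through `audit_log` leaves the two ordinary `Language=en` / `Language=de` requests unflagged and raises two alerts for the second client: one for the overlong value (both "oversized" and "malformed") and one for the value containing quote and angle-bracket characters. Repeated alerts from one source against the web interface are the signal to correlate with the reboots and unexpected logins listed under indicators of compromise.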
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-471761[.]html
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories
- **Operational Guidelines:** hxxps://www[.]siemens[.]com/gridsecurity