Full Report
A session fixation vulnerability and multiple incorrect parameter-parsing vulnerabilities that could lead to remote code execution were identified in the web server of SICAM P850 and SICAM P855 devices. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in SICAM P850 and P855 Web Server
## CVE Details
- **CVE ID:** CVE-2022-43439, CVE-2022-43545, CVE-2022-43546 (the three parameter-parsing flaws; the session fixation issue from the same advisory is tracked under a separate CVE that is not listed here)
- **CVSS Score:** 9.9 (Critical), CVSS v3.1, for the parameter-parsing flaws; a 9.9 with High confidentiality, integrity and availability impact implies a network-reachable, low-complexity attack with low privileges and changed scope
- **CWE:** CWE-20 (Improper Input Validation) for the parameter-parsing flaws; CWE-384 (Session Fixation) for the session handling flaw
## Affected Systems
- **Products:**
  - SICAM P850 (multiple model variants, including 7KG8500 and 7KG8501)
  - SICAM P855 (multiple model variants, including 7KG8550 and 7KG8551)
- **Versions:** All versions prior to V3.10
- **Configurations:** Devices with the web server enabled (port 443/tcp)
## Vulnerability Description
The web server component of the affected devices suffers from multiple input validation flaws and a session fixation vulnerability. The parameter-parsing flaws stem from the software failing to properly validate the following parameters in requests to the web interface on port 443/tcp:
- `StartTime` parameter (CVE-2022-43439)
- `RecordType` parameter (CVE-2022-43545)
- `EndTime` parameter (CVE-2022-43546)
By sending a request with a malformed value in any of these parameters, an authenticated remote attacker can crash the device (followed by an automatic reboot) or execute arbitrary code on it. The advisory does not disclose the underlying fault class (for example whether a memory-safety bug or a logic error is involved), so the code execution outcome should be treated as the worst case rather than as a confirmed exploitation path. Separately, the session fixation flaw means the server accepts or keeps a session identifier the attacker already knows, so a legitimate user's session can be hijacked once they authenticate.
## Exploitation
- **Status:** PoC available (exploit code maturity: proof of concept; no public functional exploit is referenced)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Privileges Required:** Low; the parameter-parsing flaws require a valid web-interface login, so every account able to reach the web interface is part of the attack surface
## Impact
- **Confidentiality:** High (all data held on the device is exposed once code runs on it)
- **Integrity:** High (device configuration, and with arbitrary code execution anything else the device stores or reports, can be modified)
- **Availability:** High (device crash and reboot; a repeated trigger yields a persistent denial of service of the measurement function)
## Remediation
### Patches
- **SICAM P850 / P855:** Update to **V3.10** or later.
- Firmware can be obtained via the Siemens Industry Online Support portal.
### Workarounds
- Limit network access to the web interface (port 443/tcp) to trusted IP addresses only, for example with a firewall rule in front of the device.
- Disable or discontinue use of the web interface if it is not strictly required for operations.
- Since the parameter-parsing flaws require authentication, review which accounts can log in to the web interface and remove or disable those that are not needed.
- Ensure the device is isolated within a secure industrial network zone, following the IEC 62443 defense-in-depth model.
## Detection
- **Indicators of Compromise:**
- Unexpected reboots or device instability.
- Unauthorized configuration changes in device logs.
  - Unusual HTTP requests to the web interface carrying overlong or malformed values in the `StartTime`, `EndTime`, or `RecordType` parameters, or the same parameter repeated several times.
- **Detection methods and tools:**
  - Monitor network traffic to port 443/tcp with an Intrusion Detection System (IDS). Note that the web interface is served over TLS, so an IDS without TLS inspection only sees connection metadata (source addresses, timing, connection counts); inspecting parameter values requires a TLS-terminating proxy or decrypted captures.
  - Correlate device reboots and configuration changes with preceding web-interface sessions from the same source address.
  - Use vulnerability scanners or an asset inventory to identify SICAM P850 / P855 devices running firmware versions < V3.10.
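The following Python filter illustrates the payload-level detection described above. It is an added example, not code from the Siemens advisory or the SICAM firmware: the request path `/records`, the expected timestamp format, the `RecordType` allowlist and the sample requests are all assumptions constructed for illustration, and real traffic would first have to be decrypted at a TLS-terminating proxy or from a capture with the session keys. The check flags the three watched parameters when a value is overlong, contains control or non-ASCII characters, fails a strict format check, or is repeated in one request.

```python
"""Flag suspicious StartTime / EndTime / RecordType values in decrypted
HTTP requests to a SICAM P850/P855 web interface.

Added example, not part of the Siemens advisory or product firmware. The
request path, value formats, allowlist and sample requests are assumptions
constructed for illustration; adjust them to what your devices actually send.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed benign formats (hypothetical): ISO-8601 timestamps without a zone,
# record types drawn from a small allowlist, nothing longer than MAX_LEN.
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")
RECORD_TYPES = {"event", "measurement", "fault"}
MAX_LEN = 32

WATCHED = ("StartTime", "EndTime", "RecordType")


def check_params(query: str) -> list[str]:
    """Return a list of findings for the watched parameters in a
    URL-encoded query string (GET query or form-encoded POST body)."""
    findings = []
    # parse_qs percent-decodes values, so %00 or %27 are checked decoded.
    params = parse_qs(query, keep_blank_values=True)
    for name in WATCHED:
        values = params.get(name, [])
        if len(values) > 1:
            findings.append(f"{name}: repeated {len(values)} times")
        for v in values:
            if len(v) > MAX_LEN:
                findings.append(f"{name}: overlong value ({len(v)} chars)")
            elif name == "RecordType":
                if v not in RECORD_TYPES:
                    findings.append(f"{name}: value not in allowlist: {v!r}")
            elif not TIME_RE.fullmatch(v):
                findings.append(f"{name}: malformed timestamp: {v!r}")
            if any(ord(c) < 0x20 or ord(c) > 0x7E for c in v):
                findings.append(f"{name}: control or non-ASCII characters")
    return findings


def scan_requests(requests):
    """requests: iterable of (source, method, request target, body).
    Returns (source, method, path, findings) for every flagged request."""
    hits = []
    for src, method, target, body in requests:
        parts = urlsplit(target)
        # Check both the URL query and a form-encoded body.
        query = "&".join(p for p in (parts.query, body) if p)
        findings = check_params(query)
        if findings:
            hits.append((src, method, parts.path, findings))
    return hits


# Constructed sample traffic, not real captures.
GOOD = "RecordType=event&StartTime=2024-05-01T00:00:00&EndTime=2024-05-01T23:59:59"
SAMPLE_REQUESTS = [
    ("10.1.2.50", "POST", "/records", GOOD),
    # same parameter sent twice
    ("10.1.2.50", "POST", "/records",
     "RecordType=fault&StartTime=2024-05-01T00:00:00"
     "&EndTime=2024-05-01T23:59:59&EndTime=2024-05-02T00:00:00"),
    # overlong StartTime
    ("10.1.9.77", "POST", "/records",
     "RecordType=event&StartTime=" + "A" * 300 + "&EndTime=2024-05-01T23:59:59"),
    # RecordType outside the allowlist, sent in the URL query
    ("10.1.9.77", "GET",
     "/records?RecordType=%27%3B%20DROP&StartTime=2024-05-01T00:00:00"
     "&EndTime=2024-05-01T23:59:59", ""),
    # embedded NUL bytes and a garbage EndTime
    ("10.1.9.77", "POST", "/records",
     "RecordType=event&StartTime=2024-05-01T00:00:00%00%00&EndTime=x"),
]

if __name__ == "__main__":
    for src, method, path, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"{src} {method} {path}")
        for f in findings:
            print("   ", f)
```

Running the module prints the four flagged requests with their findings; the benign first request produces none. Tune `TIME_RE`, `RECORD_TYPES` and `MAX_LEN` against a baseline of known-good traffic before alerting on them, since the real accepted formats are not documented in the advisory.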
## References
- Vendor Advisory (SSA-572005): hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-572005[.]pdf
- Siemens Support Portal: hxxps[://]support[.]industry[.]siemens[.]com/cs/ww/en/view/109743594/
- Siemens ProductCERT: hxxps[://]www[.]siemens[.]com/cert/advisories