Full Report
The CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 is affected by a command injection vulnerability that could allow an authenticated remote attacker to inject commands that are executed on the device with root privileges during device startup. Siemens has released new versions for the affected products and recommends to update to the latest versions.
Analysis Summary
# Vulnerability: Command Injection in Siemens SICAM A8000 CPCI85 Firmware
## CVE Details
- **CVE ID:** CVE-2023-42797
- **CVSS Score:** 6.6 (Medium)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
- **CWE:** CWE-908: Use of Uninitialized Resource
## Affected Systems
- **Products:**
- CP-8031 MASTER MODULE (6MF2803-1AA00)
- CP-8050 MASTER MODULE (6MF2805-0AA00)
- **Versions:** All versions prior to CPCI85 V05.20.
- **Configurations:** Systems where authenticated users have permissions to modify and upload network configurations.
## Vulnerability Description
The network configuration service in the CPCI85 firmware contains a flaw in how IPv4 addresses are converted and processed. Specifically, the service may allow an uninitialized variable to be used during validation steps. An authenticated remote attacker can exploit this by uploading a specially crafted network configuration file. This allows for the injection of commands that are executed with **root privileges** during the subsequent device startup sequence.
## Exploitation
- **Status:** Proof of Concept (PoC) available (noted as "E:P" in the CVSS vector). No reports of active exploitation in the wild.
- **Complexity:** High (Requires crafting a specific configuration and triggers only during device startup).
- **Attack Vector:** Network (Requires High Privileges/Authentication).
## Impact
- **Confidentiality:** High (Full access to system data via root shell).
- **Integrity:** High (Ability to modify system files and configuration).
- **Availability:** High (Ability to disrupt device operations or cause permanent denial of service).
## Remediation
### Patches
Siemens recommends updating the affected master modules to the following version:
- **CP-8031 & CP-8050:** Update to **CPCI85 V05.20** or later.
- Update files can be found via the Siemens Support portal: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109804985/
### Workarounds
- **User Management:** Audit and restrict the list of users authorized to modify network configurations.
- **Password Hygiene:** Enforce strong password policies for all authenticated accounts.
- **Network Segmentation:** Protect access via firewalls and VPNs, ensuring devices are not exposed to untrusted networks.
## Detection
- **Indicators of Compromise:**
- Unauthorized or unusual entries in the network configuration files.
- Unexpected reboots followed by unauthorized system changes.
- **Detection methods and tools:**
- Monitor log files for configuration upload events from unexpected IP addresses or user accounts.
- Consistency checks between intended network configurations and active device settings.
## References
- **Vendor Advisory:** [SSA-583634](hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-583634[.]pdf)
- **Siemens Grid Security Guidelines:** hxxps://www[.]siemens[.]com/gridsecurity
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories