Full Report
Multiple vulnerabilities were identified in the web server of the SICAM GridEdge application, including missing authentication for critical API functions, absent cross-origin resource sharing restrictions and access to credentials. Siemens has released a new version of SICAM GridEdge (Classic) and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Web Server Vulnerabilities in SICAM GridEdge
## CVE Details
- **CVE-2022-30230**
  - **CVSS Score:** 9.8 (Critical)
  - **CWE:** CWE-306 (Missing Authentication for Critical Function)
- **CVE-2022-30228**
  - **CVSS Score:** 8.8 (High)
  - **CWE:** CWE-346 (Origin Validation Error)
- **CVE-2022-30229**
  - **CVSS Score:** 7.2 (High)
  - **CWE:** CWE-306 (Missing Authentication for Critical Function)
- **CVE-2022-30231**
  - **CVSS Score:** 4.9 (Medium)
  - **CWE:** CWE-402 (Resource Leak)
## Affected Systems
- **Products:** SICAM GridEdge (Classic)
- **Versions:** All versions prior to V2.6.6
- **Configurations:** Systems with the web server enabled (the web server listens on port 8900/tcp).
## Vulnerability Description
Multiple security flaws exist within the SICAM GridEdge web server environment:
- **Authentication Bypasses (CVE-2022-30230, CVE-2022-30229):** The application fails to enforce authentication for privileged API functions. This allows unauthenticated attackers to create new administrative accounts or modify existing user data (including credentials) if the User ID is known.
- **CORS Misconfiguration (CVE-2022-30228):** Lack of Cross-Origin Resource Sharing restrictions allows for Cross-Site Request Forgery (CSRF) style attacks, where an attacker can execute malicious requests via a victim's browser session.
- **Information Disclosure (CVE-2022-30231):** The system permits the retrieval of password hashes of other users, allowing a high-privileged user to potentially escalate or pivot by cracking hashes of other accounts.
## Exploitation
- **Status:** No in-the-wild exploitation reported; no public PoC is listed, but the technical details suggest a low barrier to entry.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to password hashes and user data)
- **Integrity:** High (Ability to create admin accounts and modify user credentials)
- **Availability:** High (Total control over the application functions)
## Remediation
### Patches
- **Update to SICAM GridEdge V2.6.6 or later.**
- Download Link: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109780559/
### Workarounds
- **Network Filtering:** Restrict access to port **8900/tcp** to trusted users and management systems only.
- **Segmentation:** Isolate the SICAM GridEdge device within a protected IT/OT environment behind firewalls or VPNs.
## Detection
- **Indicators of Compromise:**
  - Presence of unauthorized administrative accounts.
  - Unexpected configuration changes or credential resets.
  - Unusual traffic originating from the web server port (8900/tcp).
- **Detection Methods:** Monitor web server access logs for requests to user creation or credential modification endpoints originating from unauthorized IP addresses.
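The access-log check described above, as an added example that is not part of the advisory or of Siemens' own tooling: it flags requests to account-creation, credential-modification and hash-retrieval endpoints that come from outside a trusted management network. The log format, the endpoint paths (`/api/users...`) and the trusted range are assumptions, since the advisory names none of them.

```python
import ipaddress
import re

# Constructed sample lines in a common-log-style format; the endpoint paths
# are hypothetical placeholders, not the real SICAM GridEdge API paths.
SAMPLE_LOG = """\
10.0.5.21 - - [12/Jun/2022:09:14:03 +0000] "GET /api/status HTTP/1.1" 200 512
10.0.5.21 - - [12/Jun/2022:09:15:40 +0000] "POST /api/users HTTP/1.1" 201 88
198.51.100.77 - - [12/Jun/2022:09:16:02 +0000] "POST /api/users HTTP/1.1" 201 88
198.51.100.77 - - [12/Jun/2022:09:16:09 +0000] "PUT /api/users/1007 HTTP/1.1" 200 64
203.0.113.9 - - [12/Jun/2022:09:17:30 +0000] "GET /api/users/1007/hash HTTP/1.1" 200 70
"""

# Trusted management hosts allowed to reach 8900/tcp (assumed placeholder range).
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Hypothetical sensitive endpoints: account creation, user/credential changes,
# and password-hash retrieval (the three behaviours the advisory describes).
SENSITIVE = [
    ("POST", re.compile(r"^/api/users/?$")),
    ("PUT", re.compile(r"^/api/users/\d+$")),
    ("GET", re.compile(r"^/api/users/\d+/hash$")),
]

# source ip, timestamp, method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_alerts(log_text: str) -> list:
    """Return (src, timestamp, method, path, status) for every request to a
    sensitive endpoint that did not come from a trusted network."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        src, ts, method, path, status = m.groups()
        if is_trusted(src):
            continue
        if any(method == mth and rx.match(path) for mth, rx in SENSITIVE):
            alerts.append((src, ts, method, path, int(status)))
    return alerts
```

The same account creation from 10.0.5.21 is deliberately not flagged; the advisory's point is that the endpoints accept such requests unauthenticated, so the source network is the only signal an access log gives you.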
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-631336[.]html
- **Siemens Grid Security Guidelines:** hxxps://www[.]siemens[.]com/gridsecurity
- **Contact:** hxxps://www[.]siemens[.]com/cert/advisories