Full Report
The web server in the CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 is affected by a path traversal vulnerability that could allow an authenticated remote attacker to traverse directories on the system, download arbitrary files and potentially escalate privileges to the administrator role. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Path Traversal in SICAM A8000 CPCI85 Firmware Web Server
## CVE Details
- CVE ID: CVE-2023-42796
- CVSS Score: 7.5 (High)
- CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
## Affected Systems
- Products: SICAM A8000 CP-8031 MASTER MODULE (6MF2803-1AA00) and CP-8050 MASTER MODULE (6MF2805-0AA00), utilizing CPCI85 firmware.
- Versions: All versions of CPCI85 firmware prior to V05.11.
- Configurations: Affects the integrated web server component. Requires authenticated access.
## Vulnerability Description
The web server component within the CPCI85 firmware fails to properly sanitize user input specifically for the `/sicweb-ajax/tmproot/` endpoint. This flaw allows an authenticated remote attacker to perform directory traversal, enabling them to download arbitrary files from the underlying system. Furthermore, by exploiting active session IDs, the attacker could potentially escalate their privileges to the administrator role.
## Exploitation
- Status: PoC available (Implied by CVSS Environmental Score metrics E:P - Proof of Concept)
- Complexity: High (Requires Authentication - PR:L)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (Ability to download arbitrary files)
- Integrity: High (Potential for privilege escalation to administrator)
- Availability: High (Implied high impact due to file access/privilege escalation)
## Remediation
### Patches
- Update the CPCI85 firmware to **V05.11 or a later version**.
### Workarounds
1. **Restrict Network Access:** Limit network access to the integrated web server using appropriate mechanisms (e.g., firewalls, network segmentation, VPNs).
2. **User Management:** Review the list of users permitted to log into the integrated web server and enforce the usage of strong passwords.
3. **General Security:** Implement multi-level protection schemes as recommended for critical power systems, and configure the environment following Siemens operational guidelines.
## Detection
- **Indicators of Compromise:** Look for unusual file access patterns originating from the web server process, particularly attempts to access sensitive operating system files or configuration directories, and for session manipulation attempts or unexpected privilege changes in system logs.
- **Detection Methods and Tools:** Use network monitoring tools that can inspect authenticated web requests to the `/sicweb-ajax/tmproot/` endpoint for path traversal sequences (e.g., `../`).
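As an added illustration of the detection method above (example code, not code from Siemens or from the advisory), the following Python scans web-server access-log lines for requests to the `/sicweb-ajax/tmproot/` endpoint whose percent-decoded path contains a dot-dot segment; it goes beyond the plain `../` mentioned above by also catching URL-encoded, double-encoded and backslash variants. The log line layout and the sample entries are constructed assumptions.

```python
"""Scan web-server access-log lines for path-traversal attempts against the
CPCI85 web server's /sicweb-ajax/tmproot/ endpoint. Added example; not code
from Siemens or the advisory. Log format and sample lines are constructed."""
import re
from urllib.parse import unquote

ENDPOINT = "/sicweb-ajax/tmproot/"
# Assumed log layout: "<client> <METHOD> <request-path> <status>".
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def decode_fully(path, rounds=3):
    """Percent-decode until stable so double-encoded dots (%252e) are exposed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(raw_path):
    """True if the request targets the tmproot endpoint and, once decoded,
    any path segment is '..' (covers ../, ..%2f, %252e%252e and backslash forms)."""
    path = decode_fully(raw_path.split("?", 1)[0]).replace("\\", "/")
    if not path.startswith(ENDPOINT):
        return False
    return ".." in path[len(ENDPOINT):].split("/")

def scan_log(lines):
    """Return (client, raw_path) for each line flagged as a traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_traversal(m.group("path")):
            hits.append((m.group("client"), m.group("path")))
    return hits

# Constructed sample entries: two benign requests, then four traversal forms.
SAMPLE_LOG = """\
10.0.0.5 GET /sicweb-ajax/tmproot/report.txt 200
10.0.0.5 GET /sicweb-ajax/tmproot/log%20file.txt 200
10.0.0.9 GET /sicweb-ajax/tmproot/../../conf/system.cfg 200
10.0.0.9 GET /sicweb-ajax/tmproot/..%2f..%2fconf%2fsystem.cfg 200
10.0.0.9 GET /sicweb-ajax/tmproot/%252e%252e/%252e%252e/conf/system.cfg 404
10.0.0.9 GET /sicweb-ajax/tmproot/..%5c..%5cconf%5csystem.cfg?x=1 200
""".splitlines()

if __name__ == "__main__":
    for client, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

Requests that reach the endpoint only after normalisation (a `..` segment before `tmproot/`) are deliberately not flagged here, since they do not address the vulnerable endpoint as written.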
## References
- Vendor Advisories: SSA-770890
- Siemens Support Link for Update Information: hxxps://support.industry.siemens.com/cs/ww/en/view/109804985/