Full Report
SIMATIC CN 4100 is vulnerable to an authorization bypass through a user-controlled key, use of default credentials and an unauthenticated IP address change; together these could allow an attacker to remotely log in as root or cause a denial-of-service condition on the device. Siemens has released a new version of SIMATIC CN 4100 and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SIMATIC CN 4100
## CVE Details
- **CVE ID:** CVE-2023-49621, CVE-2023-49251, CVE-2023-49252
- **CVSS Score:** 9.8 (Critical; the highest base score among the three CVEs)
- **CWE:**
  - CWE-1392: Use of Default Credentials
  - CWE-639: Authorization Bypass Through User-Controlled Key
  - CWE-20: Improper Input Validation
## Affected Systems
- **Products:** SIMATIC CN 4100 (Communication Node for process control technology)
- **Versions:** All versions prior to V2.7
- **Configurations:** Systems in the "intermediate installation" state are particularly susceptible to credential injection and default credential exploitation.
## Vulnerability Description
Three distinct security flaws exist within the SIMATIC CN 4100 communication node:
1. **Administrative Default Credentials (CVE-2023-49621):** During the "intermediate installation" phase, the device uses hardcoded default credentials with administrative privileges, allowing full device takeover.
2. **Authorization Bypass (CVE-2023-49251):** An attacker can inject their own login credentials into the device during the installation state. These credentials persist even after the device is fully set up, granting permanent root-level remote access.
3. **Unauthenticated Configuration Change (CVE-2023-49252):** The application allows network IP address changes without requiring authentication, which can be used to disconnect the device from the network.
## Exploitation
- **Status:** PoC available (the CVSS temporal vector reports exploit maturity as Proof-of-Concept, E:P)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to device data and root-level system files)
- **Integrity:** High (Ability to modify device configuration and inject unauthorized credentials)
- **Availability:** High (Potential for permanent Denial of Service (DoS) via IP address modification or system takeover)
## Remediation
### Patches
Siemens recommends updating affected devices to the following version:
- **SIMATIC CN 4100:** Update to **V2.7** or later.
- **Download link:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109814144/
### Workarounds
- **Network Isolation:** Protect network access to devices using firewalls and VLAN segmentation.
- **Operational Guidelines:** Adhere to Siemens' Industrial Security operational guidelines to ensure the device is operated within a protected IT/OT environment.
## Detection
- **Indicators of Compromise:**
  - Presence of unauthorized user accounts or SSH keys with root privileges.
  - Unexpected changes to management IP addresses.
  - Log entries indicating successful logins using default manufacturer credentials.
- **Detection methods and tools:** Monitoring of network traffic for unauthorized configuration requests to the device and routine auditing of user account lists.
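The following script is an added example written for this report; it is not tooling from Siemens or from the advisory. It ties together the two practical checks the report calls for: the Affected Systems section (every version prior to V2.7 is affected) becomes an inventory triage function, and the Detection section becomes a scan over log lines for the three indicators listed above (root or unexpected-account logins, unauthenticated IP changes, new privileged accounts) plus an account-list audit against an approved baseline. The inventory, the baseline account set, the log line format and the sample log lines are all constructed for the example; the real CN 4100 log format is not given in the advisory, so the regular expressions must be adapted to whatever the device actually exports.

```python
import re

# From the advisory (SSA-777015): all versions prior to V2.7 are affected.
FIXED_VERSION = (2, 7)

# Constructed asset inventory (hostname -> reported firmware version); not from the advisory.
INVENTORY = {
    "cn4100-plant-a": "V2.6",
    "cn4100-plant-b": "V2.7",
    "cn4100-lab": "V2.5.1",
    "cn4100-plant-c": "V2.7.1",
}

# Constructed baseline of accounts that are approved on the device (assumption).
BASELINE_ACCOUNTS = {"admin", "operator"}

# Constructed sample log lines in a generic syslog-like layout (assumption; the
# device's real export format is not given in the advisory).
SAMPLE_LOGS = """\
2024-01-10T08:01:12Z cn4100-plant-a sshd: Accepted password for admin from 10.0.5.20
2024-01-10T08:02:40Z cn4100-plant-a cfg: ip_change requested by unauthenticated src=10.0.5.77 new_ip=192.168.99.5
2024-01-10T08:03:01Z cn4100-plant-a useradd: new user 'svc_backup' uid=0 added
2024-01-10T08:05:30Z cn4100-plant-b sshd: Accepted password for operator from 10.0.5.21
2024-01-10T08:06:00Z cn4100-plant-a sshd: Accepted password for root from 10.0.5.77
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
IPCHANGE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) cfg: ip_change requested by unauthenticated "
    r"src=(?P<src>\S+) new_ip=(?P<new>\S+)")
USERADD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) useradd: new user '(?P<user>[^']+)' uid=(?P<uid>\d+)")


def parse_version(version):
    """'V2.6.1' -> (2, 6, 1). Tolerates a missing 'V' prefix and trailing text."""
    m = re.match(r"^[vV]?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True when the reported version is below the fixed release V2.7."""
    return parse_version(version) < FIXED_VERSION


def affected_hosts(inventory):
    """Hostnames from the inventory that still run an affected version."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


def scan_logs(text, baseline=BASELINE_ACCOUNTS):
    """Return (host, indicator, subject, detail) tuples for the report's IoCs."""
    findings = []
    for line in text.splitlines():
        if m := LOGIN_RE.match(line):
            # Root logins and logins by accounts outside the baseline are the
            # observable trace of injected credentials; a login with the vendor
            # default password cannot be told apart from the log line alone,
            # so the baseline should list only accounts whose defaults were changed.
            if m["user"] == "root" or m["user"] not in baseline:
                findings.append((m["host"], "login-unexpected-account", m["user"], m["src"]))
        elif m := IPCHANGE_RE.match(line):
            findings.append((m["host"], "unauthenticated-ip-change", m["new"], m["src"]))
        elif m := USERADD_RE.match(line):
            if m["user"] not in baseline or m["uid"] == "0":
                findings.append((m["host"], "unauthorized-account-added", m["user"], "uid=" + m["uid"]))
    return findings


def audit_accounts(current, baseline=BASELINE_ACCOUNTS):
    """Accounts present on the device that are not in the approved baseline."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    print("affected hosts:", affected_hosts(INVENTORY))
    for finding in scan_logs(SAMPLE_LOGS):
        print("finding:", finding)
    # Constructed account list as it might be exported from one device.
    print("unexpected accounts:", audit_accounts({"admin", "operator", "svc_backup"}))
```

Running the script against the constructed data flags the two hosts below V2.7, the unauthenticated IP change, the new uid-0 account and the root login from the same source address, and the account audit surfaces the injected `svc_backup` account; the logins by `admin` and `operator` from their usual sources produce no finding. In production the inventory and baseline would come from the asset register, and the regexes from the device's actual syslog output.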
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-777015[.]pdf
- **Siemens Industrial Security Home:** hxxps://www.siemens[.]com/industrialsecurity
- **Operational Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security