Full Report
Multiple SICAM products are affected by vulnerabilities that could lead to privilege escalation, remote code execution or information loss, namely:

* SICAM A8000 device firmwares CPC80 for CP-8000/CP-8021/CP-8022, CPCI85 and OPUPI0 for CP-8031/CP-8050
* SICAM EGS firmware CPCI85 and OPUPI0
* SICAM 8 Software Solution SICORE

Siemens has released new versions for the affected firmwares and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Siemens SICAM Products Leading to RCE and Privilege Escalation
## CVE Details
This advisory covers three vulnerabilities:
| CVE ID | CVSS v3.1 Score (Severity) | CVSS v4.0 Score | CWE | Primary Impact |
| :--- | :--- | :--- | :--- | :--- |
| CVE-2024-31484 | N/A (High, implied by context of RCE/Priv Esc) | N/A | CWE-170 (Improper Null Termination) | Remote Code Execution (RCE) |
| CVE-2024-31485 | 7.2 (High) | 8.6 (Critical) | CWE-77 (Command Injection) | Arbitrary Code Execution with Root Privileges |
| CVE-2024-31486 | 5.3 (Medium) | 6.0 (Medium) | CWE-312 (Cleartext Storage) | Confidentiality Loss (Credential Exposure) |
*Note: The CVSS v3.1 vector for CVE-2024-31484 was truncated but the stated impacts (privilege escalation, RCE) suggest a high severity.*
## Affected Systems
| Product Group | Specific Affected Firmware/Software | Affected Versions | Configurations |
| :--- | :--- | :--- | :--- |
| **SICAM A8000 (CP-8000/CP-8021/CP-8022)** | CPC80 | All versions < V16.41 | Associated with CP-8000/CP-8021/CP-8022 |
| **SICAM A8000 (CP-8031/CP-8050)** | CPCI85 | All versions < V5.30 | Associated with CP-8031/CP-8050 |
| **SICAM A8000 (CP-8031/CP-8050)** | OPUPI0 | All versions < V5.30 | Associated with CP-8031/CP-8050 |
| **SICAM EGS** | CPCI85 and OPUPI0 | Specific versions depend on the underlying component versions listed above. | N/A |
| **SICAM 8 Software Solution** | SICORE Base System | All versions < V1.3.0 | N/A |
## Vulnerability Description
The advisory addresses several flaws across SICAM products:
1. **CVE-2024-31484 (Improper Null Termination):** Affects devices parsing a specific HTTP header due to an improper null termination vulnerability. This flaw could potentially lead to **Remote Code Execution**.
2. **CVE-2024-31485 (Command Injection):** The web interface of affected devices is vulnerable to command injection because of missing server-side input sanitation. This allows an **authenticated privileged remote attacker** to execute arbitrary commands with **root privileges**.
3. **CVE-2024-31486 (Cleartext Credential Storage):** Affected devices store MQTT client passwords without sufficient protection. An attacker with remote shell or physical access can retrieve these credentials, leading to **confidentiality loss**.
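The second flaw, command injection through missing server-side input sanitation, is the one most directly fixable in application code. The following is an added illustration of that CWE-77 pattern and its hardened form; it is generic example code written for this summary, not SICAM firmware or web-interface code, and the handler, the `host` parameter and the diagnostic `ping` command are assumptions.

```python
"""CWE-77 illustration: a web handler that runs a host command built from a
user-supplied parameter.  Generic example code, not SICAM code; the form
parameter, command and hostname policy are assumptions."""
import re
import shlex
import subprocess
from typing import List

# Assumed policy: the diagnostic form accepts a plain hostname or IPv4 literal.
# Everything else (spaces, quotes, shell metacharacters) is rejected outright.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell string with no
    validation, so anything the shell interprets (';', '|', '$(...)') is run
    with the web server's privileges.  Returned only for comparison; never
    executed here."""
    return f"ping -c 1 {host}"


def build_command_quoted(host: str) -> str:
    """Second line of defence when a shell string cannot be avoided:
    shlex.quote() wraps unsafe input in single quotes so it is passed to the
    command as one literal argument instead of being interpreted."""
    return f"ping -c 1 {shlex.quote(host)}"


def build_command_safe(host: str) -> List[str]:
    """Hardened pattern: allowlist validation first, then an argv list that is
    executed without a shell, so no metacharacter is ever interpreted."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host parameter: not a plain hostname")
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv with shell=False and a timeout.  Not called
    by the checks below because it needs network access."""
    return subprocess.run(build_command_safe(host), shell=False,
                          capture_output=True, text=True, timeout=5)
```

The allowlist check is the real fix: quoting alone still lets the untrusted value reach the command, and a permissive regex would re-open the hole. Validation and `shell=False` together also address the "missing server-side input sanitation" root cause named in the advisory, independent of any client-side checks in the web UI.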
## Exploitation
| CVE | Status | Complexity | Attack Vector |
| :--- | :--- | :--- | :--- |
| **CVE-2024-31484** | Not stated; the advisory describes RCE potential but gives no exploitation status. | N/A | N/A |
| **CVE-2024-31485** | Requires **Authenticated** and **Privileged** access. | Low (Implied by AV:N/AC:L) | Network |
| **CVE-2024-31486** | Requires **Remote Shell Access** or **Physical Access**. | Low (Implied by AV:N/AC:H in 3.1, but high access potential indicates active risk) | Network/Physical |
## Impact
| Confidentiality | Integrity | Availability |
| :--- | :--- | :--- |
| High (CVE-2024-31486) / High (CVE-2024-31485) | High (CVE-2024-31485/31484 lead to code execution) | High (Code execution can lead to outages) |
## Remediation
### Patches
Siemens strongly recommends updating to the latest versions provided in the corresponding packages:
* **CPC80:** Update to **V16.41 or later**. (Available in CP-8000/CP-8021/CP-8022 Package V16.41)
* **CPCI85 (for CP-8031/CP-8050):** Update to **V5.30 or later**. (Available in CP-8031/CP-8050 Package V5.30)
* **OPUPI0 (for CP-8031/CP-8050):** Update to **V5.30 or later**. (Available in CP-8031/CP-8050 Package V5.30)
* **SICORE Base system:** Update to **V1.3.0 or later**. (Available in SICAM 8 Software Solution Package V5.30)
### Workarounds
The advisory directs users to check product-specific sections for details, but generally recommends:
1. Adhering to **General Security Recommendations**.
2. For operators of critical power systems, ensuring **multi-level redundant secondary protection schemes** are in place, minimizing grid risk by design.
3. Implementing strong network protection mechanisms such as **firewalls, segmentation, and VPNs**.
4. Configuring the environment according to operational guidelines to run devices in a **protected IT environment**.
## Detection
Specific Indicators of Compromise (IOCs) were not detailed in the summary provided. Detection strategies focus on preventative measures:
* **Network Monitoring:** Watch for unusual communication patterns, in particular unusual or malformed HTTP headers sent to the device (CVE-2024-31484) and unexpected command execution via the web interface (CVE-2024-31485).
* **Access Control Audit:** Verify that only authorized, privileged users have authenticated access to the web interface, as CVE-2024-31485 requires authentication.
* **File/Configuration Auditing:** Where access to the device configuration is available, periodically check it for unauthorized modifications and for MQTT passwords stored in an insecure (cleartext) format (CVE-2024-31486).
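Since the advisory provides no IOCs, the three bullets above are best turned into heuristic checks over data a defender already has. The script below is an added example written for this summary, not Siemens tooling: it runs a shell-metacharacter check on web-interface request parameters (CVE-2024-31485), an oversized/non-printable header check (a coarse heuristic for CVE-2024-31484, whose exact header the advisory does not name), and a cleartext-password audit of an MQTT configuration section (CVE-2024-31486). The request record fields, the header size limit, the INI layout and the `{enc}`/`${...}` protected-value markers are all assumptions, and the sample requests and configuration are constructed.

```python
"""Added detection heuristics for the three issue classes in this summary.
Generic example code, not SICAM or Siemens tooling; record fields, limits,
config layout and sample data are assumptions/constructed."""
import re
from typing import Dict, List, Tuple

Request = Dict[str, object]

SHELL_META = re.compile(r"[;&|`$<>\\\n]")          # characters a shell interprets
CONTROL_OR_NONASCII = re.compile(r"[^\x20-\x7e]")   # anything outside printable ASCII
MAX_HEADER_LEN = 4096                               # assumed sane per-header limit

# Constructed sample requests, as a reverse proxy or IDS in front of the
# web interface might record them (field names are assumptions).
SAMPLE_REQUESTS: List[Request] = [
    {"client": "10.1.1.20", "path": "/cgi/diag", "params": {"host": "plc-01"},
     "headers": {"Host": "rtu-01", "User-Agent": "Mozilla/5.0"}},
    {"client": "10.1.1.20", "path": "/cgi/diag", "params": {"host": "10.0.0.5; id"},
     "headers": {"Host": "rtu-01", "User-Agent": "Mozilla/5.0"}},
    {"client": "10.1.1.77", "path": "/index.html", "params": {},
     "headers": {"Host": "rtu-01", "X-Custom": "A" * 6000}},
    {"client": "10.1.1.78", "path": "/index.html", "params": {},
     "headers": {"Host": "rtu-01\x00\x01", "User-Agent": "curl/8.0"}},
]


def find_shell_metachars(req: Request) -> List[str]:
    """Names of request parameters whose values contain shell metacharacters,
    the shape of a CVE-2024-31485-style command injection attempt."""
    return [k for k, v in req["params"].items() if SHELL_META.search(str(v))]


def find_suspicious_headers(req: Request) -> List[str]:
    """Names of headers that are oversized or carry control/non-ASCII bytes:
    a coarse indicator of malformed-header input aimed at a parsing flaw."""
    return [name for name, value in req["headers"].items()
            if len(value) > MAX_HEADER_LEN or CONTROL_OR_NONASCII.search(value)]


def scan_requests(requests: List[Request]) -> List[Tuple[str, str, str, str]]:
    """Run both request checks and return (client, path, check, detail) alerts."""
    alerts = []
    for r in requests:
        for p in find_shell_metachars(r):
            alerts.append((r["client"], r["path"], "shell-metachar-param", p))
        for h in find_suspicious_headers(r):
            alerts.append((r["client"], r["path"], "suspicious-header", h))
    return alerts


# Constructed INI-style configuration fragment (layout is an assumption).
SAMPLE_CONFIG = """\
[mqtt]
broker = broker.internal:8883
username = rtu-01
password = Sup3rSecret!
tls = on

[syslog]
server = 10.1.2.3
"""

PASSWORD_KEYS = {"password", "passwd", "pwd"}
PROTECTED_PREFIXES = ("{enc}", "${")   # assumed markers for an encrypted/referenced value


def find_cleartext_mqtt_passwords(config_text: str) -> List[Tuple[int, str]]:
    """(line_no, key) for password-like keys in the [mqtt] section whose value
    is a literal rather than an encrypted or secret-store reference."""
    hits, section = [], None
    for no, line in enumerate(config_text.splitlines(), 1):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
            continue
        if section != "mqtt" or "=" not in s:
            continue
        key, value = (part.strip() for part in s.split("=", 1))
        if key.lower() in PASSWORD_KEYS and value and not value.startswith(PROTECTED_PREFIXES):
            hits.append((no, key))
    return hits


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print("ALERT", *alert)
    for line_no, key in find_cleartext_mqtt_passwords(SAMPLE_CONFIG):
        print(f"CLEARTEXT mqtt {key} at line {line_no}")
```

The request checks are deliberately coarse: they are meant to surface candidates for review from proxy or IDS logs in front of an unpatched device, not to replace the firmware update. The configuration audit flags the stored value only; the remediation is to move the MQTT credential into the protected storage the updated firmware provides and then rotate it, since a cleartext copy may already have been read.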
## References
* Siemens Security Advisory SSA-871704 (Publication Date: 2024-05-14, Last Update: 2024-06-11)
* General Security Guidelines provided by Siemens: hXXps://www.siemens.com/gridsecurity