Severity
High
Analysis Summary
Siemens recently patched several vulnerabilities in its Sicam products, which are widely used in the energy sector. In May, Siemens informed its customers about updates for the Sicam A8000 remote terminal unit, Sicam EGS grid sensors, and Sicam 8 power automation software that address two high-severity flaws and one medium-severity flaw.
The first vulnerability, CVE-2024-31484, is a buffer overread issue. This flaw allows attackers to read sensitive data from memory, potentially leading to arbitrary code execution within the current process or causing a denial-of-service (DoS) condition. The second vulnerability, CVE-2024-31485, is a command injection issue in the web interface of the products. It enables attackers to intercept the username and password of users with elevated privileges, allowing them to execute arbitrary code as root. The third issue, CVE-2024-31486, involves improperly protected MQTT client passwords, which can be exploited by attackers with physical or remote shell access to obtain the credentials.
In June, Siemens published an advisory noting that CVE-2024-31484 also affects and has been patched in SICAM AK3/TM/BC devices. These impacted products are designed for substation automation.
The researcher credited with discovering these vulnerabilities detailed each flaw in an advisory published on Wednesday. The advisory reveals that CVE-2024-31484 was initially reported to Siemens over a year ago.
The researcher also explained how these vulnerabilities could be exploited in practice. An attacker needs network-level access to port 443 or 80 in order to interact with the target. By exploiting CVE-2024-31484, the attacker can leak information from the global memory segment, which aids further attacks. If the attacker gains access to a low-privileged account on SICAM-WEB, they can use CVE-2024-31485 to obtain the administrator's password. After switching to the admin account, the attacker can reconfigure the PLC, potentially destabilizing the substation. Once this vulnerability has been patched, all passwords must be changed, as their confidentiality can no longer be guaranteed.
The same researchers had previously identified critical vulnerabilities in Siemens Sicam products that could allow malicious actors to destabilize a power grid.
Impact
- Denial of Service
- Unauthorized Access
- Remote Code Execution
- Information Theft
Indicators of Compromise
CVE
- CVE-2024-31484
- CVE-2024-31485
- CVE-2024-31486
Affected Vendors
- Siemens
Affected Products
- Siemens CPCI85 Central Processing/Communication 5.20
- Siemens SICORE Base system 1.2.0
- Siemens OPUPI0 AMQP/MQTT 5.20
- Siemens CPC80 Central Processing/Communication 16.40
Remediation
- Refer to Siemens Security Advisory for patch, upgrade, or suggested workaround information.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
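The exploitation path above starts with network access to the SICAM web interface on port 80 or 443, so the monitoring and segmentation measures above can be checked mechanically. The following is an added example (not from the advisory or from Siemens) that scans constructed firewall flow records and flags any TCP connection to a SICAM web interface from outside an assumed engineering subnet; the addresses, subnet and log format are all assumptions.

```python
import ipaddress
import re

# Constructed example addresses (assumptions, not from the advisory):
# the SICAM web interfaces and the engineering subnet allowed to reach them.
SICAM_WEB_HOSTS = {"10.20.1.10", "10.20.1.11"}
SICAM_WEB_PORTS = {80, 443}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed firewall log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)

def parse_flow(line):
    """Parse one flow record into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow

def is_allowed_source(ip):
    """True if the source address lies inside an allowlisted engineering subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_unexpected_access(lines):
    """Return (ts, src, dst, dport, action) for every TCP flow to a SICAM web port
    from a non-allowlisted source. Denied attempts are reported too: a DENY from an
    unexpected host is still evidence that someone is probing the RTU."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "TCP":
            continue
        if (flow["dst"] in SICAM_WEB_HOSTS and flow["dport"] in SICAM_WEB_PORTS
                and not is_allowed_source(flow["src"])):
            alerts.append((flow["ts"], flow["src"], flow["dst"], flow["dport"], flow["action"]))
    return alerts

# Constructed sample records: two legitimate engineering sessions, one allowed
# connection from an office network, one denied probe, and one unrelated flow.
SAMPLE_LOG = [
    "2024-06-27T08:01:12Z TCP 10.20.5.3:51022 -> 10.20.1.10:443 ALLOW",
    "2024-06-27T08:03:40Z TCP 10.20.5.7:51100 -> 10.20.1.11:80 ALLOW",
    "2024-06-27T08:15:05Z TCP 192.168.40.7:49312 -> 10.20.1.10:443 ALLOW",
    "2024-06-27T08:16:30Z TCP 10.99.0.5:40001 -> 10.20.1.11:80 DENY",
    "2024-06-27T08:20:00Z TCP 192.168.40.7:49400 -> 10.20.9.1:443 ALLOW",
]

if __name__ == "__main__":
    for alert in find_unexpected_access(SAMPLE_LOG):
        print("unexpected SICAM web access:", alert)
```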