Siemens Patches Authentication Bypass Bug in Telecontrol Product

Siemens has released a firmware update for SICAM MIC devices in order to patch a serious vulnerability reported to the company by an external researcher.

Siemens SICAM MIC, which is part of the SICAM RTU product family, is a modular telecontrol device designed for energy automation. The product is deployed worldwide in the energy and other sectors.

Siemens SICAM MIC

According to advisories published by Siemens and ICS-CERT, SICAM MIC devices are plagued by an authentication bypass vulnerability (CVE-2015-5386) that can be exploited remotely by an attacker with medium skill.

“Attackers with network access to the device’s web interface (port 80/tcp) could possibly circumvent authentication and perform administrative operations,” reads Siemens’ description of the vulnerability.

The bug was identified and reported to Siemens by Philippe Oechslin, founder of Swiss IT security consulting company Objectif Sécurité.

The flaw is considered a high severity issue (CVSS v2 base score of 8.3), but Siemens has pointed out that for the attack to work the attacker needs network access to the device’s web interface, and a legitimate user must be logged in to the interface.

The security hole affects Siemens SICAM MIC devices running firmware versions prior to V2404. With the release of version V2404, Siemens has patched the authentication bypass issue and has introduced further security improvements. The company advises customers to install the latest firmware update.

“As a general security measure Siemens strongly recommends to keep the firmware up-to-date and to protect network access to the SICAM MIC with appropriate mechanisms. It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment,” Siemens said in its advisory.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.