Siemens this week published an out-of-band security advisory to announce the availability of patches for a couple of potentially serious vulnerabilities affecting some of its Sicam power grid products.
The industrial giant informed customers that its Sicam A8000 product, which is a remote terminal unit (RTU) designed for telecontrol and automation in the energy supply sector, as well as the Sicam Enhanced Grid Sensor (EGS), and the Sicam 8 software are impacted.
One of the vulnerabilities, tracked as CVE-2024-37998 and classified as ‘critical severity’, allows an attacker to reset the password of admin accounts without knowing the current password, if the auto-login feature is enabled.
“This could allow an unauthorized attacker to obtain administrative access of the affected applications,” Siemens said in its advisory.
CVE-2024-37998 was discovered internally.
The second vulnerability, identified as CVE-2024-39601 and assigned a ‘medium severity’ rating, allows a remote, authenticated attacker — or an unauthenticated attacker who has physical access — to downgrade the device’s firmware to a version that is known to have vulnerabilities.
Eviden-owned cybersecurity consultancy SEC Consult, whose researchers have been credited for reporting CVE-2024-39601, told SecurityWeek that the vulnerability can be exploited to downgrade the firmware and execute arbitrary code, which can enable an attacker to install a backdoor account.
It’s unclear if the two vulnerabilities can be chained to conduct a remote, unauthenticated attack.
SEC Consult said it will delay its own advisory, which will contain some technical details, until September to give Siemens customers time to patch.
Siemens has released firmware updates to address the vulnerabilities, and some workarounds and mitigations are also available.
SEC Consult has found several Siemens product vulnerabilities in recent years, including other potentially serious issues that could facilitate attacks on the energy sector, and even ones that could allow hackers to destabilize a power grid.
Learn More at SecurityWeek’s ICS Cybersecurity Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
October 21-24, 2024 | Atlanta
www.icscybersecurityconference.com
Related: FrostyGoop ICS Malware Left Ukrainian City’s Residents Without Heating
Related: Vulnerabilities Patched in Kiuwan Code Security Products After Long Disclosure Process
Related: ICS Patch Tuesday: Siemens, Schneider Electric, CISA Issue Advisories
