ICS/OT

Siemens Sicam Vulnerabilities Could Facilitate Attacks on Energy Sector

Several vulnerabilities patched recently in Siemens Sicam products could be exploited in attacks aimed at the energy sector.


Several vulnerabilities patched recently by Siemens in some of its Sicam products could be exploited in attacks aimed at the energy sector.

Siemens informed customers in May that updates released for its Sicam A8000 remote terminal unit, Sicam EGS grid sensors, and Sicam 8 power automation software address two high-severity and one medium-severity flaws.

One of the security holes, CVE-2024-31484, is a buffer overread issue that can be exploited to read sensitive data from memory, which can lead to arbitrary code execution in the context of the current process or to a denial-of-service (DoS) condition.

The second vulnerability, CVE-2024-31485, is a command injection issue in the products’ web interface. It allows an attacker to intercept the username and password of users with elevated privileges, enabling them to execute arbitrary code as root.

The third issue, CVE-2024-31486, is related to MQTT client passwords being improperly protected, allowing an attacker who has physical or remote shell access to obtain the credentials.

In an advisory published in June, the industrial giant informed customers that CVE-2024-31484 also impacts — and has been patched in — SICAM AK3/TM/BC devices.


The impacted products are power grid solutions designed for substation automation.

Eviden-owned cybersecurity consultancy SEC Consult, whose researchers have been credited with finding these vulnerabilities, on Wednesday published an advisory detailing each of them.

SEC Consult’s advisory reveals that CVE-2024-31484 was actually first reported to Siemens more than one year ago.

SEC Consult researcher Steffen Robertz has explained how an attacker could exploit these vulnerabilities in a real-world attack.

“An attacker needs to first gain network level access on port 443/80 in order to interact with the target,” Robertz told SecurityWeek. “By abusing CVE-2024-31484, the attacker can leak information from the global memory segment which can aid further attacks.”

The researcher added, “Further, if the attacker managed to obtain a low-privileged account for SICAM-WEB, it is possible to use CVE-2024-31485 to leak the password of an administrator. By switching to the admin account the attacker is able to reconfigure the PLC and thus destabilize the substation. All passwords will have to be changed after patching this vulnerability as their confidentiality cannot be guaranteed anymore.”

SEC Consult researchers previously discovered critical Siemens Sicam product vulnerabilities that could allow malicious hackers to destabilize a power grid.




Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
