OTPulse

Siemens SICAM TOOLBOX II

Act Now | CVSS 9.9 | ICS-CERT ICSA-22-223-06 | Aug 11, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SICAM TOOLBOX II contains a hardcoded credentials vulnerability in the Oracle database listener (CWE-798). The database port 1522 is exposed by default, allowing an attacker with valid engineering credentials to connect directly to the underlying Oracle database and access all database contents, bypassing application-level access controls. This affects all versions of SICAM TOOLBOX II and impacts operators of critical power protection systems and secondary protection schemes.

What this means
What could happen
An attacker with engineering credentials could access the SICAM TOOLBOX II database directly through port 1522, allowing them to view, modify, or delete critical power system protection settings and configuration data.
Who's at risk
Operators of critical power systems (TSOs, DSOs, utilities) who use Siemens SICAM TOOLBOX II for managing secondary protection schemes and relay coordination settings. This includes transmission operators, distribution operators, and any organization operating critical infrastructure power protection systems.
How it could be exploited
An attacker with valid engineering workstation credentials connects to port 1522/tcp on the SICAM TOOLBOX II server. The database port is exposed to the network without authentication/IP restriction. The attacker gains direct access to the underlying Oracle database, bypassing application-level access controls.
Prerequisites
  • Valid engineering workstation credentials for SICAM TOOLBOX II
  • Network access to port 1522/tcp on the SICAM TOOLBOX II server
  • Database port exposed on network or accessible from attacker's network segment
Remotely exploitable via network port | Affects power system protection configuration | Requires valid credentials but no additional authentication once port is reached | Hardcoded/default credential exposure (CWE-798) | Low complexity exploitation | Data access to critical infrastructure settings
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
SICAM TOOLBOX II | All versions | V7.01 HF01 or later
Remediation & Mitigation
Do now
WORKAROUND: If the hotfix cannot be deployed immediately, restrict port 1522/tcp access to localhost only or to specific trusted IP addresses using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Install SICAM TOOLBOX II hotfix V7.01 HF01, which disables port 1522 in the Oracle LISTENER.ORA configuration by default
Long-term hardening
HARDENING: Isolate the SICAM TOOLBOX II network segment behind a firewall and restrict access from general business networks
HARDENING: Ensure SICAM TOOLBOX II is not directly accessible from the Internet; require a VPN or bastion host for remote engineering access
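
One way to check a listener.ora for the exposure that the workaround and hotfix items above address, as an added example that is not OTPulse or Siemens code. It assumes standard Oracle Net listener.ora syntax; the sample file content and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, not taken from a SICAM TOOLBOX II installation.
SAMPLE_LISTENER_ORA = """\
# listener.ora (constructed example)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1522))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1522))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1522))
      # (ADDRESS = (PROTOCOL = TCP)(HOST = eng-srv)(PORT = 1522))
    )
  )
"""

LEAF = re.compile(r"\(\s*(\w+)\s*=\s*([^()\s]+)\s*\)")


def is_loopback(host):
    """True for localhost or a loopback IP literal; other names count as exposed."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_endpoints(text, port=1522):
    """Return (host, port) for TCP listener addresses on `port` not bound to loopback."""
    # Drop '#' comments so disabled entries are not reported.
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    findings = []
    # Each ADDRESS group holds only leaf (KEY = value) pairs.
    for m in re.finditer(r"\(\s*ADDRESS\s*=\s*((?:\([^()]*\)\s*)+)\)", text, re.I):
        kv = {k.upper(): v for k, v in LEAF.findall(m.group(1))}
        if kv.get("PROTOCOL", "").upper() not in ("TCP", "TCPS"):
            continue
        if kv.get("PORT") == str(port) and not is_loopback(kv.get("HOST", "")):
            findings.append((kv.get("HOST", ""), port))
    return findings


if __name__ == "__main__":
    for host, port in exposed_endpoints(SAMPLE_LISTENER_ORA):
        print(f"exposed: {host}:{port}/tcp")
```

The file only shows what the listener is configured to bind; confirm from another host on the segment that 1522/tcp is unreachable once the firewall rule or hotfix is in place.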