OTPulse

Siemens SICAM P850 and P855 Devices

Act Now | CVSS 9.9 | ICS-CERT ICSA-22-286-09 | Oct 11, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Session fixation and multiple incorrect parameter parsing vulnerabilities in the web server of SICAM P850 and SICAM P855 devices could potentially lead to remote code execution. Affected versions: SICAM P850 and P855 before version 3.10.

What this means
What could happen
An attacker with access to the SICAM device web interface could exploit session fixation to hijack an operator's session and execute commands on the device, potentially altering grid control settings or disrupting power distribution operations.
Who's at risk
Siemens SICAM P850 and P855 are power system monitoring and control devices used in electric utilities and grid operators. These devices manage critical grid settings, protection coordination, and power flow monitoring. Organizations operating these devices in versions before 3.10 should prioritize patching.
How it could be exploited
An attacker would send a malicious link to a logged-in operator of a SICAM P850 or P855 device. By exploiting session fixation, the attacker could take over the operator's authenticated session and use parameter parsing vulnerabilities in the web server to execute arbitrary code on the device with the privileges of that operator.
Prerequisites
  • Network access to the SICAM device web server (typically port 80 or 443)
  • Victim must be logged in to the SICAM web interface
  • Victim must click a malicious link or be redirected to it while authenticated
remotely exploitable · authenticated access required · session hijacking possible · potential for remote code execution · affects critical infrastructure (power grid) · CVSS 9.9 (critical)
Exploitability
Moderate exploit probability (EPSS 1.8%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SICAM P850 | <V3.10 | 3.10
SICAM P855 | <V3.10 | 3.10
Remediation & Mitigation
Do now
WORKAROUND: Instruct operators to avoid clicking links from untrusted sources while logged into SICAM devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SICAM P850
HOTFIX: Update SICAM P850 devices to firmware version 3.10 or later
SICAM P855
HOTFIX: Update SICAM P855 devices to firmware version 3.10 or later
Long-term hardening
HARDENING: Implement network segmentation to restrict web access to SICAM devices to authorized engineering workstations only
HARDENING: Deploy firewall rules to limit inbound access to SICAM device web ports from trusted networks
HARDENING: Consider using VPN or other authenticated access controls for remote connections to SICAM devices