Siemens SICAM TOOLBOX II
Plan Patch | 7.8 | ICS-CERT ICSA-23-222-10 | Aug 8, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SICAM TOOLBOX II versions prior to 07.10 contain two local privilege escalation vulnerabilities (CWE-732 improper file permissions, CWE-250 insufficient privilege management). An attacker with a local user account on the system could escalate to elevated privileges and execute arbitrary code. This impacts the engineering workstation used to configure protection relays and SCADA automation for power systems. The vulnerabilities are not remotely exploitable.
What this means
What could happen
A local attacker with a user account on the SICAM TOOLBOX II system could execute arbitrary code with elevated privileges, potentially compromising the integrity of power system protection settings and control logic that are configured and managed through this tool.
Who's at risk
Power system operators (transmission and distribution) who use SICAM TOOLBOX II to configure and manage protection relays, SCADA logic, and automation schemes. This affects anyone responsible for secondary protection systems in electric grids who rely on this engineering workstation software.
How it could be exploited
An attacker with local access to the SICAM TOOLBOX II workstation and a valid user account can escalate privileges through improper file permission handling (CWE-732) to run code with elevated privileges, allowing them to modify protection schemes or automation logic before those changes are deployed to field devices.
Prerequisites
- Local access to the SICAM TOOLBOX II workstation
- Valid user account on the system (non-root/non-admin)
- System running SICAM TOOLBOX II version prior to 07.10
- Requires local access (reduces risk but workstation is often on-site)
- Low attack complexity once local access is gained
- No authentication required after initial logon
- Affects power system protection and control logic
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
SICAM TOOLBOX II | <V07.10 | 07.10
Remediation & Mitigation
Do now
WORKAROUND: Restrict local account creation to trusted personnel only and limit the number of user accounts on the system
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SICAM TOOLBOX II to version 07.10 or later
Long-term hardening
HARDENING: Implement local access controls to the SICAM TOOLBOX II workstation through physical security, locked rooms, or administrative restrictions
HARDENING: Network-segment the SICAM TOOLBOX II workstation from general business networks and internet access
CVEs (2)