Siemens CPCI85 Firmware of SICAM A8000 Devices
Act Now | 9.8 | ICS-CERT ICSA-23-285-09 | Oct 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The CPCI85 firmware of Siemens SICAM A8000 CP-8031 and CP-8050 communication processor modules contains a hard-coded SSH credential in the authorized_keys configuration file. An attacker with knowledge of this credential and network access to the SSH port can remotely log in to the device and execute arbitrary commands. Only devices with debug support explicitly activated are vulnerable. The vulnerability affects network communication and routing functions in substations and SCADA systems.
What this means
What could happen
An attacker with knowledge of the hard-coded SSH credential could gain remote command execution on SICAM A8000 communication processors, allowing them to modify network traffic routing, intercept SCADA communications, or interrupt control system operations.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Siemens SICAM A8000 platforms for substation communication and SCADA gateway functions. The affected components are the CP-8031 and CP-8050 communication processor modules. Only systems with debug support enabled are vulnerable; debug support is typically not enabled in production but may be present in test or legacy deployments.
How it could be exploited
An attacker with network access to the SSH port (default 22) on an affected CP-8031 or CP-8050 device can SSH directly to the device using the hard-coded credential embedded in the authorized_keys file. Once authenticated, they can execute arbitrary commands with the privileges of the SSH user, potentially including system configuration changes.
Prerequisites
- Network access to SSH port on affected device (default port 22)
- Device must have debug support activated (non-standard configuration)
- Knowledge of the hard-coded SSH credential
- Remotely exploitable
- No authentication required (if attacker knows hard-coded credential)
- Low complexity
- Affects communications infrastructure
- Hard-coded credentials
- Debug mode must be explicitly activated (reduces attack surface)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| CP-8050 MASTER MODULE (6MF2805-0AA00) | < CPCI85 V05.11 only with activated debug support | CPCI85 V05.11 or later |
| CP-8031 MASTER MODULE (6MF2803-1AA00) | < CPCI85 V05.11 only with activated debug support | CPCI85 V05.11 or later |
Remediation & Mitigation
Do now
- WORKAROUND: Implement network firewall rules to restrict SSH access (port 22) to affected CP-8031 and CP-8050 devices, allowing only authorized engineering workstations or management networks
- WORKAROUND: Disable debug support on any affected device if it is not required for current operations
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
CP-8031 MASTER MODULE (6MF2803-1AA00)
- HOTFIX: Update CP-8031 MASTER MODULE (6MF2803-1AA00) to CPCI85 firmware version V05.11 or later
CP-8050 MASTER MODULE (6MF2805-0AA00)
- HOTFIX: Update CP-8050 MASTER MODULE (6MF2805-0AA00) to CPCI85 firmware version V05.11 or later
Long-term hardening
- HARDENING: Segment SICAM A8000 communication processors from the corporate network; place them behind a firewall and restrict access to authorized personnel only
- HARDENING: For remote access requirements, deploy a VPN with authentication controls to provide secure, monitored access to communication processors
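An inventory triage for the steps above, added here as an example and not part of the advisory or any Siemens tooling: it checks asset records against the advisory's two conditions (firmware below CPCI85 V05.11 and debug support activated) and returns the first action to take. The record field names, status labels and sample inventory are assumptions constructed for illustration.

```python
import re

# Order numbers and fixed version come from the advisory's affected-products table.
AFFECTED_MLFB = {"6MF2805-0AA00": "CP-8050", "6MF2803-1AA00": "CP-8031"}
FIXED = (5, 11)  # CPCI85 V05.11 or later

def parse_cpci85(version):
    """Turn 'CPCI85 V05.11' into a comparable tuple (5, 11); None if unreadable."""
    m = re.search(r"V(\d+(?:\.\d+)+)", version or "", re.IGNORECASE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(asset):
    """Classify one record. Keys and status labels are assumed, not Siemens-defined."""
    if asset.get("mlfb") not in AFFECTED_MLFB:
        return "not-in-scope"
    ver = parse_cpci85(asset.get("firmware"))
    if ver is None:
        return "verify-firmware"      # version unreadable: confirm on the device
    if ver >= FIXED:
        return "fixed"
    debug = asset.get("debug_support")
    if debug is None:
        return "verify-debug"         # below V05.11, debug state never recorded
    if not debug:
        return "schedule-update"      # advisory condition not met, still unpatched
    # Below V05.11 with debug support active: both advisory conditions hold.
    # Unknown SSH reachability is treated as reachable.
    return "restrict-ssh-now" if asset.get("ssh_reachable", True) else "disable-debug-and-update"

# Constructed sample inventory (hypothetical names, versions and field layout).
INVENTORY = [
    {"name": "sub-a-gw1", "mlfb": "6MF2805-0AA00", "firmware": "CPCI85 V05.10", "debug_support": True, "ssh_reachable": True},
    {"name": "sub-a-gw2", "mlfb": "6MF2803-1AA00", "firmware": "CPCI85 V05.11", "debug_support": True},
    {"name": "lab-gw1", "mlfb": "6MF2803-1AA00", "firmware": "V04.92", "debug_support": None},
    {"name": "sub-b-gw1", "mlfb": "6MF2805-0AA00", "firmware": "CPCI85 V05.02", "debug_support": False},
    {"name": "sub-b-gw2", "mlfb": "6MF2805-0AA00", "firmware": "unknown", "debug_support": True},
    {"name": "hmi-01", "mlfb": "OTHER-DEVICE", "firmware": "n/a"},
]

def report(inventory):
    """Map each asset name to its triage status."""
    return {a["name"]: triage(a) for a in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:10} {status}")
```

Records that come back as verify-firmware or verify-debug need a check on the device itself before they can be ruled out.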
CVEs (1)