OTPulse

Siemens SICAM A8000

Monitor · 6.6 · ICS-CERT ICSA-24-011-08 · Jan 9, 2024
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary

The CPCI85 firmware in Siemens SICAM A8000 CP-8031 (6MF2803-1AA00) and CP-8050 (6MF2805-0AA00) master modules contains a command injection vulnerability. An authenticated remote attacker could inject commands during the device startup process that execute with root privileges. The vulnerability requires high attack complexity and valid credentials with network configuration modification rights. Siemens has released CPCI85 V05.20 to correct this issue.

What this means
What could happen
An authenticated attacker could inject commands into the device startup process that execute with root privileges, allowing them to take control of the CP-8031 or CP-8050 master module and potentially disrupt communication or monitoring functions in the SICAM A8000 system.
Who's at risk
Water utilities and municipal electric utilities operating Siemens SICAM A8000 substation automation systems should care about this issue. Specifically, this affects organizations using CP-8031 or CP-8050 master modules for communication and control coordination in substations.
How it could be exploited
An attacker with valid credentials for network configuration changes could craft a malicious command injection payload. This payload would be executed during device startup with root-level privileges, potentially allowing the attacker to modify system settings, disable monitoring, or disrupt the master module's ability to manage the substation automation system.
Prerequisites
  • Valid credentials for network configuration modification on the device
  • Network access to the CP-8031 or CP-8050 master module
  • Ability to trigger or wait for device startup/reboot
  • Firmware version below CPCI85 V05.20
  • Requires valid credentials for exploitation
  • High attack complexity
  • Requires device restart to execute injected commands
  • Affects critical substation automation master modules
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 with fix
Product                               | Affected Versions | Fix Status
CP-8031 MASTER MODULE (6MF2803-1AA00) | <CPCI85 V05.20    | CPCI85 V05.20 or later
CP-8050 MASTER MODULE (6MF2805-0AA00) | <CPCI85 V05.20    | CPCI85 V05.20 or later
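
The table above can be applied to an asset inventory to find modules that still need the update. The following is an added example, not part of the advisory or of any Siemens tooling: the inventory record layout, the asset names and the sample firmware strings are constructed assumptions, while the order numbers and the V05.20 threshold come from the table. Entries whose firmware string cannot be parsed are reported as unknown rather than treated as fixed.

```python
import re

# Order numbers (MLFB) and fixed version are taken from the advisory table.
AFFECTED_MLFB = {"6MF2803-1AA00": "CP-8031", "6MF2805-0AA00": "CP-8050"}
FIXED = (5, 20)  # CPCI85 V05.20

_VERSION_RE = re.compile(r"CPCI85\s+V(\d+)\.(\d+)", re.IGNORECASE)


def parse_cpci85(text):
    """Return (major, minor) from a string like 'CPCI85 V05.20', else None."""
    match = _VERSION_RE.search(text or "")
    return (int(match.group(1)), int(match.group(2))) if match else None


def triage(inventory):
    """Map asset name -> 'vulnerable', 'fixed', 'unknown' or 'not-affected'."""
    results = {}
    for asset in inventory:
        if asset["mlfb"].strip().upper() not in AFFECTED_MLFB:
            status = "not-affected"
        else:
            version = parse_cpci85(asset.get("firmware"))
            if version is None:
                status = "unknown"      # needs manual check, never assume fixed
            elif version < FIXED:
                status = "vulnerable"   # below CPCI85 V05.20
            else:
                status = "fixed"
        results[asset["name"]] = status
    return results


# Constructed sample inventory (hypothetical names and firmware strings).
SAMPLE_INVENTORY = [
    {"name": "sub-a-rtu1", "mlfb": "6MF2803-1AA00", "firmware": "CPCI85 V05.11"},
    {"name": "sub-b-rtu1", "mlfb": "6MF2805-0AA00", "firmware": "CPCI85 V05.20"},
    {"name": "sub-c-rtu1", "mlfb": "6mf2805-0aa00", "firmware": ""},
    {"name": "sub-d-hmi1", "mlfb": "PLACEHOLDER-OTHER", "firmware": "n/a"},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```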
Remediation & Mitigation
Do now
HARDENING: Review and restrict the list of users allowed to modify network configuration on the device
HARDENING: Enforce strong password requirements for accounts that can modify network configuration
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CP-8031 MASTER MODULE to CPCI85 V05.20 or later version
HOTFIX: Update CP-8050 MASTER MODULE to CPCI85 V05.20 or later version
Long-term hardening
HARDENING: Restrict network access to the CP-8031 and CP-8050 modules behind a firewall; do not expose to the internet
HARDENING: Isolate SICAM A8000 control system network from business networks using appropriate network segmentation
HARDENING: If remote access is required, use a Virtual Private Network (VPN) with current patches