Siemens SICAM AK3/BC/TM
Plan Patch | 7.8 | ICS-CERT ICSA-24-165-09 | Jun 11, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
SICAM AK3/BC/TM devices contain a buffer overflow vulnerability in firmware components (CPCX26, PCCX26, ETA4, ETA5) that could allow an attacker with local access to execute code in the process context or cause a denial of service condition. The vulnerability exists in CPCX26 for CP-2016 systems, PCCX26 for CP-2019 systems, and ETA4/ETA5 for SM-2558 systems. Siemens has released firmware updates addressing all affected products.
What this means
What could happen
An attacker with local access to a SICAM device could execute arbitrary code on the RTU or gateway, potentially allowing them to modify control logic, intercept commands to field devices, or force the device offline. This could disrupt communication between substations/field sites and the control center.
Who's at risk
The SICAM product line is used in substations and field sites for real-time automation and gateway communications. Operators of CP-2016 and CP-2019 central processing systems and SM-2558 station modules should prioritize assessment. Water authorities and utilities using SICAM for substation automation or remote terminal units need to evaluate their deployed versions and apply updates during scheduled maintenance windows.
How it could be exploited
An attacker with physical access or local network access to the device must trigger the buffer overflow through a crafted input or interaction with the firmware running on the affected communication/processing module. Successful exploitation results in code execution in the context of the running process.
Prerequisites
- Local network access to the SICAM device
- Ability to interact with the vulnerable firmware component (CPCX26, PCCX26, ETA4, or ETA5)
- Device running affected firmware version
buffer overflow vulnerability, local exploitation only, low exploit probability (0.1% EPSS), affects industrial gateway/RTU communications, no patch available for end-of-life versions
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
CPCX26 Central Processing/Communication | <V06.02 | 06.02
ETA4 Ethernet Interface IEC60870-5-104 | <V10.46 | 10.46
ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 | <V03.27 | 03.27
PCCX26 Ax 1703 PE, Contr, Communication Element | <V06.05 | 06.05
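One way to check an asset inventory against the fixed versions listed above, as an added example that is not part of the advisory or any Siemens tooling. The inventory format, the asset names and the `XYZ01` component are constructed, and versions are assumed to compare as major.minor integers.

```python
import csv
import io
import re

# First fixed firmware version per component, from the affected-products table.
FIXED = {"CPCX26": (6, 2), "PCCX26": (6, 5), "ETA4": (10, 46), "ETA5": (3, 27)}

# Constructed sample inventory (hypothetical asset names and export format).
SAMPLE_INVENTORY = """asset,component,firmware
rtu-north-01,CPCX26,V06.01
rtu-north-01,ETA4,V10.46
rtu-south-02,PCCX26,V06.05
rtu-south-02,ETA5,v03.26
gw-east-03,ETA4,V10.45
gw-east-03,ETA5,unknown
gw-east-03,XYZ01,V02.00
"""

def parse_version(text):
    """Parse 'V06.02' or '06.02' into (6, 2); return None if unrecognised.
    Assumption: versions are major.minor decimal numbers, as shown on this page."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(inventory_csv):
    """Return (asset, component, status) tuples for every inventory row."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        component = row["component"].strip().upper()
        fixed = FIXED.get(component)
        version = parse_version(row["firmware"])
        if fixed is None:
            status = "not-listed"   # component is not named in the advisory
        elif version is None:
            status = "unverified"   # needs a manual check; never assume fixed
        else:
            status = "affected" if version < fixed else "fixed"
        results.append((row["asset"], component, status))
    return results

if __name__ == "__main__":
    for asset, component, status in assess(SAMPLE_INVENTORY):
        print(f"{asset:14} {component:8} {status}")
```

Rows reported as `unverified` should be resolved by reading the firmware version from the device itself before the maintenance window is planned.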
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to SICAM devices using firewall rules; do not expose to internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update CPCX26 firmware to V06.02 or later (included in SICAM RTUs AK3 Package V06.02)
- HOTFIX: Update PCCX26 firmware to V06.05 or later (included in SICAM RTUs AK3 Package V06.02)
- HOTFIX: Update ETA4 Ethernet interface firmware to V10.46 or later (included in SICAM RTUs AK3 Package V06.02)
- HOTFIX: Update ETA5 Ethernet interface firmware to V03.27 or later (included in SICAM RTUs AK3 Package V06.02)
Long-term hardening
- HARDENING: Locate SICAM devices behind firewalls and isolate from business networks
- HARDENING: Implement VPN for any required remote access to SICAM devices
CVEs (1)
API:
/api/v1/advisories/e4b9c4b8-3ec3-474f-a12d-a10dceec8fb9