Hard Coded SSH ID in CPCI85 Firmware of SICAM A8000 Devices
Act Now · 9.8 · SSA-134651 · Oct 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 master modules contains a hard-coded SSH key in the authorized_keys configuration file. An attacker with knowledge of this credential could gain SSH access to the device. Only devices with activated debug support are affected.
What this means
What could happen
An attacker with the hard-coded SSH credential could remotely log in to affected master modules and execute arbitrary commands, potentially disrupting SICAM A8000 communication and control operations across connected substations.
Who's at risk
Electric utilities and water authorities using Siemens SICAM A8000 systems with CP-8031 or CP-8050 master modules should be concerned. These modules manage communication and coordination across substations and pumping stations. Impact is limited to devices with debug support enabled.
How it could be exploited
An attacker sends an SSH connection request to the device using the hard-coded credential found in the firmware. If SSH is exposed to the network (whether directly or through a chain of compromised systems) and debug support is enabled, the attacker gains shell access to the master module.
Prerequisites
- Network access to SSH port 22 on the master module
- Debug support must be activated on the device
- Knowledge of the hard-coded SSH credential (embedded in firmware)
remotely exploitable · no authentication required (hard-coded credential) · low complexity · affects critical infrastructure communication
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| CP-8050 MASTER MODULE (6MF2805-0AA00) | All versions < CPCI85 V05.11 (only with activated debug support) | CPCI85 V05.11 |
| CP-8031 MASTER MODULE (6MF2803-1AA00) | All versions < CPCI85 V05.11 (only with activated debug support) | CPCI85 V05.11 |
Remediation & Mitigation
Do now
- WORKAROUND: Disable debug support on all SICAM A8000 master modules if not required for operations
- HARDENING: Restrict SSH access to master modules using firewall rules; only permit connections from engineering workstations and authorized management networks
- HARDENING: Verify which devices have debug support enabled and prioritize patching those systems first
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update CPCI85 firmware to version V05.11 or later on all CP-8031 and CP-8050 master modules
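
The "verify which devices have debug support enabled and prioritize patching" step above, as an added example (not Siemens code and not part of the advisory): it applies the advisory's conditions (CP-8031/CP-8050 order numbers, CPCI85 below V05.11, debug support activated) to an asset inventory. The CSV columns, host names, sample rows, and the `latent` / `verify-manually` labels are assumptions constructed for illustration.

```python
import csv, io, re

FIXED = (5, 11)  # CPCI85 V05.11, the fixed version named in the advisory
MODELS = {"6MF2805-0AA00", "6MF2803-1AA00"}  # CP-8050 and CP-8031 order numbers

# Constructed inventory; column names, hosts and the last order number are made up.
SAMPLE = """host,order_no,firmware,debug_support,ssh_sources
ss-north-01,6MF2805-0AA00,CPCI85 V05.10,on,any
ss-north-02,6MF2805-0AA00,V05.11,on,10.20.0.0/24
pump-07,6MF2803-1AA00,V04.93,off,any
pump-08,6MF2803-1AA00,unknown,on,10.20.0.0/24
rtu-legacy,6MF0000-0XX00,V03.00,on,any
"""

def parse_version(text):
    """Return (major, minor) from strings like 'CPCI85 V05.11', else None.
    Assumes both fields are plain decimal numbers."""
    m = re.search(r"V(\d+)\.(\d+)", text, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(row):
    """Apply the advisory's conditions to one inventory row."""
    if row["order_no"] not in MODELS:
        return "not-in-scope"
    ver = parse_version(row["firmware"])
    if ver is None:
        return "verify-manually"  # never assume an unreadable version is fixed
    if ver >= FIXED:
        return "fixed"
    # Below V05.11: affected only while debug support is activated.
    return "affected" if row["debug_support"].strip().lower() == "on" else "latent"

def triage(csv_text):
    """Return (host, status, ssh_unrestricted) tuples, affected devices first."""
    order = ["affected", "verify-manually", "latent", "fixed", "not-in-scope"]
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        unrestricted = row["ssh_sources"].strip().lower() == "any"
        out.append((row["host"], classify(row), unrestricted))
    # Within a status, devices with unrestricted SSH sources sort first.
    return sorted(out, key=lambda r: (order.index(r[1]), not r[2]))

if __name__ == "__main__":
    for host, status, unrestricted in triage(SAMPLE):
        note = "SSH open to any source" if unrestricted else "SSH restricted"
        print(f"{host:12} {status:16} {note}")
```

Devices reported as `latent` run firmware below V05.11 with debug support off; they become affected if debug support is later activated, so they still belong in the maintenance-window patch plan.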
CVEs (1)