Siemens recently addressed numerous vulnerabilities affecting its automation device A8000. The vulnerabilities even included a critical severity code execution flaw that could allow remote attacks from an unauthenticated adversary.
Siemens Automation Device Vulnerabilities
Researchers from SEC Consult have published a detailed advisory describing several vulnerabilities they found in the Siemens A8000 automation device.
Siemens A8000 is a modular telecontrol and automation device for energy supply areas, supporting a wide range of applications. The device facilitates grid optimization alongside catering to cybersecurity, communication, and engineering needs.
The wide deployment of this device shows how a single security vulnerability, if exploited, could threaten the power supply with a cascading effect.
SEC Consult researchers found four different vulnerabilities affecting Siemens A8000 CP-8050 and CP-8031 PLCs (Programmable Logic Controllers).
The first of these is a critical severity remote code execution flaw CVE-2023-28489 (CVSS 9.8). An unauthenticated attacker may exploit the flaw by sending maliciously crafted HTTP requests to port 80/443 of the PLC.
The second important vulnerability is a high-severity command injection flaw (CVE-2023-33919; CVSS 7.2) caused by insufficient server-side input sanitization. An authenticated adversary could execute arbitrary commands on the target PLC with root privileges.
The other two vulnerabilities are medium-severity issues, each with a CVSS score of 6.8. These are CVE-2023-33920, a hard-coded root password, and CVE-2023-33921, which exposes the UART interface to an attacker with physical access to the PCB. An adversary may chain CVE-2023-33920 and CVE-2023-33921 to gain root access through the UART interface.
Siemens Released Patches With Firmware Updates
The researchers found these vulnerabilities in Siemens A8000 CP-8050 04.92 and Siemens A8000 CP-8031 04.92. After discovering the flaws in March 2023, the researchers responsibly disclosed them to Siemens, which then started working on a fix.
Given the critical nature of CVE-2023-28489, the researchers and the vendor agreed to disclose and fix that issue first, and it was addressed by April 2023. Siemens then released patches for the other three vulnerabilities in June. Finally, SEC Consult publicly shared the details and PoCs for all four flaws in its advisory.
To receive the patches, users must update their devices to CPCI85 V05 or later.