July 24, 2024 at 10:42AM
Siemens issued an out-of-band security advisory announcing patches for critical vulnerabilities in Sicam A8000, Enhanced Grid Sensor, and Sicam 8 software, impacting energy supply sector. One vulnerability allows unauthorized admin access, the other can enable firmware downgrading and code execution. Siemens has released firmware updates and mitigation measures, while SEC Consult will delay detailed advisory until September.
Based on the meeting notes provided, the following key takeaways can be highlighted:
Siemens has published an out-of-band security advisory announcing the availability of patches for potentially serious vulnerabilities affecting its Sicam power grid products, including Sicam A8000, Sicam Enhanced Grid Sensor (EGS), and Sicam 8 software.
Two vulnerabilities have been identified:
1. CVE-2024-37998 – Classified as critical severity, it allows an attacker to reset admin account passwords without knowing the current password if the auto-login feature is enabled, potentially leading to unauthorized administrative access.
2. CVE-2024-39601 – Assigned a medium severity rating, it allows a remote, authenticated attacker or an unauthenticated attacker with physical access to downgrade the device’s firmware to a vulnerable version, potentially enabling the installation of a backdoor account.
Cybersecurity consultancy SEC Consult, credited for reporting CVE-2024-39601, has decided to delay its own advisory until September to provide Siemens customers with time to patch the vulnerabilities.
Siemens has released firmware updates to address the vulnerabilities, and some workarounds and mitigations are also available.
It is unclear if the two vulnerabilities can be chained to conduct a remote, unauthenticated attack. This highlights potential risk and the need for immediate patching.
Additionally, SEC Consult has identified multiple Siemens product vulnerabilities in recent years and will issue an advisory with technical details in September.
This summary provides an overview of the key security vulnerabilities, the actions taken by Siemens, and important information regarding the timeline for addressing the issues.