Full Report
Serious vulnerabilities allowing attackers to execute code remotely and bypass authentication have been identified in Siemens SICAM RTU modules. Disabling the integrated web server is recommended to reduce risk.
Analysis Summary
# Vulnerability: Multiple Security Flaws in Siemens SICAM RTU Modules
## CVE Details
- **CVE ID:** CVE-2017-12737
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication)
*Note: SSA-892715 covers more than one flaw in the same integrated web server. CVE-2017-12737 is the authentication bypass and is the focus of this page; the remote code execution issue mentioned in the summary is tracked under a separate CVE in the same advisory. Take the complete list of CVE IDs and scores from the advisory itself.*
## Affected Systems
- **Products:** Siemens SICAM RTUs (Remote Terminal Units)
- **Versions:**
- SICAM MIC (all versions)
- SICAM RTU (all versions)
- SICAM EMIC (all versions)
- Confirm the exact module and firmware variant against the affected-products table in SSA-892715 before concluding that a given device is in scope.
- **Configurations:** Only devices with the integrated web server (web-based management) enabled are exposed. The server listens on 80/tcp and 443/tcp.
## Vulnerability Description
The vulnerability is an improper authentication check in the integrated web server. An attacker who can reach 80/tcp or 443/tcp on the device sends specially crafted HTTP requests that are accepted without valid credentials, which yields access to the web-based management interface and its administrative functions, including configuration changes. The same web server also carries the separate remote code execution flaw covered by SSA-892715, so an exposed web server should be treated as a path to full device compromise, not only to configuration tampering.
## Exploitation
- **Status:** The bypass needs only HTTP(S) reachability to the web server; no credentials, privileges or user interaction are required (the 9.8 score corresponds to the CVSS v3 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). For risk purposes, treat an exposed web server as exploitable.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to system configurations and sensitive data)
- **Integrity:** High (Ability to modify device configuration and parameters through the management interface)
- **Availability:** High (Ability to crash the module or disrupt SCADA communications)
## Remediation
### Patches
- Fix availability is module- and firmware-variant-specific. Check SSA-892715 and the Siemens Industry Online Support (SIOS) entry for the exact module in use, and obtain firmware only from SIOS.
- Siemens' primary recommendation in the advisory is to disable the integrated web server, so do not assume a firmware fix exists for a given module without confirming it in the advisory. Where no fix is listed, apply the workarounds below as the permanent control.
### Workarounds
- **Disable the Web Server:** If web-based management is not required for daily operations, disable it through the engineering/configuration tool, then verify from the network that 80/tcp and 443/tcp on the device no longer accept connections.
- **Restrict Access:** If the web server must remain active, use firewall rules or ACLs so that 80/tcp and 443/tcp on the RTUs are reachable only from a short allowlist of engineering workstations; log and drop everything else.
- **Network Segmentation:** Ensure RTUs are not exposed directly to the internet and are isolated within a secure ICS/SCADA DMZ.
## Detection
- **Indicators of Compromise:** An RTU's own web server offers little logging, so monitor at the network level: any TCP session to 80/tcp or 443/tcp on an RTU from a host outside the management allowlist is suspicious, as are administrative configuration changes that do not line up with a maintenance window or change ticket. Retain firewall deny logs for the RTU web ports.
- **Detection methods and tools:** Deploy ICS-aware IDS/IPS or a Zeek sensor on a span of the RTU segment and alert on HTTP/HTTPS to the RTU web ports from non-allowlisted sources; compare running configurations against a known-good baseline after any unexplained access.
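The "Restrict Access" workaround and the network-level detection above are two views of one allowlist policy: which workstations may reach 80/tcp and 443/tcp on the RTUs. The following added example (not code from Siemens or from either advisory) keeps that policy in one object, renders it as an nftables ruleset for the firewall in front of the RTU segment, and applies the same policy to connection-log records to flag web-server access from anywhere else. The subnet, host addresses and log lines are constructed for illustration; the Zeek-like record layout is an assumption about your sensor.

```python
"""Allowlist policy for reaching the SICAM RTU integrated web server.

Added example (not from the Siemens advisory): the same policy object is
rendered as an nftables ruleset for the perimeter firewall and is applied to
connection-log records to flag web-server access from non-allowlisted hosts.
All addresses and log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# TCP ports of the integrated web server named in the advisory (80/tcp, 443/tcp).
RTU_WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Policy:
    rtu_subnet: str      # assumed RTU network (e.g. the process-control VLAN)
    mgmt_hosts: tuple    # engineering workstations allowed to use web-based management

    def is_rtu(self, addr: str) -> bool:
        return ip_address(addr) in ip_network(self.rtu_subnet)

    def is_allowed_source(self, addr: str) -> bool:
        return any(ip_address(addr) == ip_address(h) for h in self.mgmt_hosts)


def render_nftables(policy: Policy) -> str:
    """Render the policy as an nftables forward chain: accept web-server traffic
    from the management hosts, log and drop every other connection to those ports."""
    lines = [
        "table inet rtu_web {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for host in policy.mgmt_hosts:
        lines.append(
            f"    ip saddr {host} ip daddr {policy.rtu_subnet} "
            f"tcp dport {{ 80, 443 }} accept"
        )
    lines.append(
        f"    ip daddr {policy.rtu_subnet} tcp dport {{ 80, 443 }} "
        f'log prefix "rtu-web-denied " drop'
    )
    lines += ["  }", "}"]
    return "\n".join(lines)


def find_violations(policy: Policy, records: Iterable[str]) -> List[Dict[str, str]]:
    """Scan whitespace-separated connection records
    (ts src_ip src_port dst_ip dst_port proto, a Zeek conn.log-like subset)
    and return every TCP connection to an RTU web port that did not come
    from an allowlisted management host."""
    hits = []
    for line in records:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split()[:6]
        if proto != "tcp" or int(dport) not in RTU_WEB_PORTS:
            continue          # not web-server traffic (e.g. Modbus/TCP on 502)
        if not policy.is_rtu(dst):
            continue          # destination is not one of our RTUs
        if policy.is_allowed_source(src):
            continue          # sanctioned engineering workstation
        hits.append({"ts": ts, "src": src, "dst": dst, "dport": dport})
    return hits


# Constructed policy and log sample: 10.1.1.20 is the only sanctioned workstation.
POLICY = Policy(rtu_subnet="10.1.5.0/24", mgmt_hosts=("10.1.1.20",))
SAMPLE_LOG = """\
# ts            src           sport  dst        dport proto
1510000000.1    10.1.1.20     51022  10.1.5.10  80    tcp
1510000001.3    10.1.1.99     40211  10.1.5.10  443   tcp
1510000002.0    10.1.1.99     40212  10.1.5.11  502   tcp
1510000003.7    198.51.100.7  33000  10.1.5.12  80    tcp
""".splitlines()

if __name__ == "__main__":
    print(render_nftables(POLICY))
    for hit in find_violations(POLICY, SAMPLE_LOG):
        print(f"ALERT {hit['ts']}: {hit['src']} -> {hit['dst']}:{hit['dport']} "
              "reached the RTU web server from outside the allowlist")
```

Running the script prints the nftables ruleset and two alerts: the unsanctioned internal host on 443/tcp and the external address on 80/tcp, while the Modbus/TCP connection on 502 is left alone because it is out of scope for this control. Keeping the firewall rule and the detection rule derived from the same `Policy` avoids the common drift where the sensor allowlist and the firewall allowlist disagree.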
## References
- **Siemens Security Advisory:** hXXps://cert-portal.siemens[.]com/productcert/pdf/ssa-892715.pdf
- **ICS-CERT Advisory:** hXXps://www.cisa[.]gov/news-events/ics-advisories/icsa-17-318-01
- **Siemens SIOS:** hXXps://support.industry.siemens[.]com/cs/ww/en/view/109745163