Full Report
The web server of SICAM P850 and SICAM P855 devices, versions before V3.11, contains a Cross Site Request Forgery (CSRF) vulnerability and is missing cookie protection flags. This could allow an attacker to perform arbitrary actions on the device on behalf of a legitimate user, or impersonate that user. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SICAM P850 and P855 Web Server
## CVE Details
- **CVE ID:** CVE-2023-30901, CVE-2023-31238
- **CVSS Score:** 5.5 (Medium) - *Highest aggregate score*
- **CWE:**
  - CWE-352: Cross-Site Request Forgery (CSRF)
  - CWE-732: Incorrect Permission Assignment for Critical Resource (Missing Cookie Flags)
## Affected Systems
- **Products:**
  - SICAM P850 family (Multiple model variants including 7KG8500 and 7KG8501)
  - SICAM P855 family
- **Versions:** All versions prior to V3.11
- **Configurations:** Devices running the integrated web server under default settings.
## Vulnerability Description
The web server of the affected power monitoring devices contains two primary security flaws:
1. **CSRF (CVE-2023-30901):** The web interface fails to properly validate requests. An attacker can trick an authenticated user into clicking a malicious link, leading to the execution of unauthorized actions with the victim's privileges.
2. **Insecure Cookie Handling (CVE-2023-31238):** The application does not implement necessary security flags for session cookies. This lack of protection increases the risk of session hijacking, allowing an attacker to capture session tokens and impersonate legitimate users.
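The second finding is about attributes on the session cookie rather than the token itself, so the practical check is to look at what the device's web server actually sends in `Set-Cookie`. The script below is an added example, not Siemens code and not derived from the device firmware: it parses a raw HTTP response, reports which of the `Secure`, `HttpOnly` and `SameSite` attributes each cookie lacks, and treats `SameSite=None` as missing for CSRF purposes because it switches the cross-site restriction off. The two sample responses, the cookie name `SESSIONID` and the `embedded-httpd` server string are constructed for illustration and are not values from the advisory.

```python
from typing import Dict, List, Tuple

# Attributes a session cookie should carry. SameSite is the one most directly
# relevant to the CSRF finding; Secure and HttpOnly limit token capture.
REQUIRED_FLAGS = ("Secure", "HttpOnly", "SameSite")

# Constructed sample: a response as an unpatched web server might send it
# (cookie name and server banner are assumptions, not from the advisory).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: embedded-httpd\r\n"
    "Set-Cookie: SESSIONID=3f9a1c7e; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample of the same response with the protection flags present.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: embedded-httpd\r\n"
    "Set-Cookie: SESSIONID=3f9a1c7e; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header value into (cookie_name, attributes).
    Attribute names are lower-cased; valueless attributes such as Secure and
    HttpOnly map to an empty string."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def missing_flags(value: str) -> List[str]:
    """Return the required flags absent from one Set-Cookie header value.
    SameSite=None counts as missing because it disables the cross-site
    restriction the flag exists to provide."""
    _, attrs = parse_set_cookie(value)
    missing = []
    for flag in REQUIRED_FLAGS:
        key = flag.lower()
        if key not in attrs:
            missing.append(flag)
        elif key == "samesite" and attrs[key].lower() == "none":
            missing.append(flag)
    return missing


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a raw HTTP response.
    Returns {cookie_name: [missing flags]}; an empty list means the cookie
    carries all required flags."""
    head = raw.split("\r\n\r\n", 1)[0]
    report: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        header, _, value = line.partition(":")
        if header.strip().lower() == "set-cookie":
            name, _ = parse_set_cookie(value)
            report[name] = missing_flags(value)
    return report


if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for cookie, missing in audit_response(resp).items():
            status = "OK" if not missing else "missing " + ", ".join(missing)
            print(f"{label}: cookie {cookie}: {status}")
```

Run against captured response headers from your own devices before and after the V3.11 update to confirm the session cookie picks up the flags; a cookie that still reports `SameSite` missing is worth a second look even if `Secure` and `HttpOnly` are now present.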
## Exploitation
- **Status:** Not reported as exploited in the wild; no public PoC provided in the advisory.
- **Complexity:** Low (CVE-2023-30901) to High (CVE-2023-31238).
- **Attack Vector:** Network (Remote). Both vulnerabilities require user interaction (UI:R).
## Impact
- **Confidentiality:** Low (Potential session token theft).
- **Integrity:** Low (Unauthorized actions on behalf of a user).
- **Availability:** Low (Potential for unauthorized configuration changes).
## Remediation
### Patches
Siemens recommends updating affected devices to the following versions:
- **SICAM P850/P855:** Update to **V3.11** or later.
- Firmware download link: hxxps[:]//support[.]industry[.]siemens[.]com/cs/ww/en/view/109743594/
### Workarounds
In lieu of immediate patching, Siemens suggests:
- Adhere to the Siemens Grid Security guidelines: hxxps[:]//www[.]siemens[.]com/gridsecurity
- Ensure devices are operated within protected IT/OT environments.
- Restrict access to the web interface to authorized administrative networks only.
## Detection
- **Indicators of Compromise:** Unusual configuration changes or administrative actions originating from unexpected source IP addresses (indicative of CSRF).
- **Detection methods:** Audit web server access logs for requests originating from external referrers or unexpected cross-site navigation patterns.
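Both detection points above (external referrers on state-changing requests, and administrative actions from unexpected source addresses) can be checked mechanically over the web server's access log. The script below is an added example, not part of the advisory and not Siemens tooling: it parses Combined Log Format lines and flags `POST`/`PUT`/`DELETE` requests whose `Referer` host is not the device itself, or whose source address lies outside the administrative networks. The device hostnames, the `10.20.30.0/24` admin network, the `/config/...` paths and the four sample log lines are all constructed assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Combined Log Format:
# host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumptions for this example (none of these come from the advisory):
# the names the device is reached under, the networks administrators are
# expected to come from, and the methods treated as state-changing.
DEVICE_HOSTS = {"sicam-p850.plant.example", "10.20.30.40"}
ADMIN_NETWORKS = [ip_network("10.20.30.0/24")]
STATE_CHANGING = {"POST", "PUT", "DELETE"}

# Constructed sample log lines (not real device logs). Line 3 shows a
# state change with a cross-site referer; line 4 shows one from outside
# the admin network.
SAMPLE_LOG = """\
10.20.30.15 - - [12/May/2023:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.20.30.15 - - [12/May/2023:09:14:07 +0000] "POST /config/network HTTP/1.1" 200 212 "http://sicam-p850.plant.example/config/network" "Mozilla/5.0"
10.20.30.15 - - [12/May/2023:09:20:41 +0000] "POST /config/network HTTP/1.1" 200 212 "http://intranet-wiki.plant.example/page" "Mozilla/5.0"
192.168.77.9 - - [12/May/2023:09:31:18 +0000] "POST /config/users HTTP/1.1" 200 198 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str) -> Optional[str]:
    """Hostname from a Referer value, or None when the header was absent."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons a log entry matches the advisory's detection hints.
    Only state-changing requests are considered; a missing Referer is not
    flagged on its own because many clients legitimately strip it."""
    reasons: List[str] = []
    if entry["method"] not in STATE_CHANGING:
        return reasons
    host = referer_host(entry["referer"])
    if host is not None and host not in DEVICE_HOSTS:
        reasons.append(f"cross-site referer {host}")
    src = ip_address(entry["src"])
    if not any(src in net for net in ADMIN_NETWORKS):
        reasons.append(f"source {src} outside admin networks")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan a block of log text and collect the entries worth reviewing."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"src": entry["src"], "path": entry["path"],
                             "time": entry["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['path']}: " + "; ".join(f["reasons"]))
```

A cross-site referer on a configuration change is the stronger signal of the two; the source-network check mainly catches the case where the web interface is still reachable from networks the workarounds section says it should not be.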
## References
- **Siemens Security Advisory (SSA-201498):** hxxps[:]//cert-portal[.]siemens[.]com/productcert/pdf/ssa-201498[.]pdf
- **Siemens ProductCERT:** hxxps[:]//www[.]siemens[.]com/cert/advisories