Full Report
Spectrum Power 7 before V24Q3 contains several root-owned SUID binaries that could allow an authenticated local attacker to escalate privileges. Siemens has released a new version for Spectrum Power 7 and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Local Privilege Escalation in Siemens Spectrum Power 7
## CVE Details
- **CVE ID:** CVE-2024-29119
- **CVSS Score:**
- **CVSS v4.0:** 8.5 (High)
- **CVSS v3.1:** 7.8 (High)
- **CWE:** CWE-266: Incorrect Privilege Assignment
## Affected Systems
- **Products:** Spectrum Power 7 (SCADA and Energy Management platform)
- **Versions:** All versions prior to V24Q3
- **Configurations:** Systems where root-owned SUID (Set User ID) binaries are present in the installation directory.
## Vulnerability Description
The Spectrum Power 7 installation ships several binaries that are owned by root and carry the setuid bit, so the kernel runs them with root's effective UID no matter which user invokes them. The advisory states that these binaries can be abused by a local user who already has an account on the host to gain root privileges; it does not name the individual binaries or describe the specific weakness in each one. This is classified as CWE-266 (Incorrect Privilege Assignment). Because the binaries execute as root, successful abuse gives the attacker full control of the host operating system, not just of the Spectrum Power application.
## Exploitation
- **Status:** No reports of exploitation in the wild at this time; no public PoC currently listed in the advisory.
- **Complexity:** Low (Standard exploitation of SUID misconfigurations).
- **Attack Vector:** Local (Requires prior authenticated access to the system).
## Impact
- **Confidentiality:** High (Attacker can read any file on the system).
- **Integrity:** High (Attacker can modify any file or system configuration).
- **Availability:** High (Attacker can shut down services or delete critical system data).
## Remediation
### Patches
Siemens recommends updating to the following version:
- **Spectrum Power 7 V24Q3** or later versions.
### Workarounds
No specific software workarounds are provided in the advisory besides upgrading. Siemens recommends general security best practices:
- Protect network access with firewalls, segmentation, and VPNs.
- Ensure only authorized personnel have local access to the system hosting Spectrum Power 7.
- Implement multi-level redundant secondary protection schemes in grid designs to maintain resilience in case of a cyber incident.
## Detection
- **Indicators of Compromise:** Unusual activity from low-privileged service accounts; presence of unexpected shells or processes running with root privileges spawned from Spectrum Power 7 directories.
- **Detection Methods:**
- Audit SUID binaries on the system: `find / -xdev -perm -4000 -user root -type f 2>/dev/null` lists root-owned SUID files (without `-user root` the command lists SUID files of every owner). Record the output after patching to V24Q3 as a baseline and diff against it periodically; anything new under the Spectrum Power 7 installation root needs explaining.
- Log process execution rather than relying on `secure` or `auth.log`, which record logins, `sudo` and `su` but not the invocation of SUID binaries. With auditd, a rule such as `-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k privesc` records every exec that runs with root's effective UID from a non-root login session; review the hits whose executable path lies under the Spectrum Power 7 installation directory.
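The baseline-and-diff audit described above, written out as an added example that is not part of the Siemens advisory or the product: a POSIX shell script that enumerates SUID files owned by a given account under one or more directories, compares them against a recorded baseline, and returns non-zero when new ones appear. The installation path `/opt/spectrum` and the sample file names are placeholders; the advisory does not name the affected binaries or where they live. The demo tree uses the current user as owner because a non-root user cannot create root-owned files.

```shell
#!/bin/sh
# Added example for auditing root-owned SUID binaries. Not from the Siemens
# advisory; /opt/spectrum is a placeholder install root and the advisory does
# not name the affected binaries. Requires GNU find (-printf).

# list_suid OWNER DIR...
# Print "mode owner path" for every regular file under DIR... that carries the
# setuid bit and is owned by OWNER, sorted so the output is stable for diffing.
list_suid() {
    owner="$1"; shift
    find "$@" -xdev -type f -user "$owner" -perm -4000 \
        -printf '%m %u %p\n' 2>/dev/null | sort
}

# audit_suid BASELINE OWNER DIR...
# Print every listing entry that is not in BASELINE (a file of "mode owner path"
# lines, /dev/null for "nothing is expected") and return 1 if there were any;
# return 0 when the listing matches the baseline exactly.
audit_suid() {
    baseline="$1"; owner="$2"; shift 2
    # grep -v exits 1 when nothing is unexpected; "|| true" keeps that from
    # tripping "set -e" in callers.
    unexpected=$(list_suid "$owner" "$@" | grep -vxF -f "$baseline" || true)
    if [ -n "$unexpected" ]; then
        printf 'unexpected SUID binaries:\n' >&2
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# make_sample_tree
# Build a constructed sample installation in a temporary directory: one
# setuid helper (should be flagged) and one ordinary binary (should be ignored).
# Files are owned by the invoking user, since only root can create root-owned ones.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '#!/bin/sh\necho helper\n' > "$d/bin/sp_helper"
    printf '#!/bin/sh\necho tool\n' > "$d/bin/sp_tool"
    chmod 4755 "$d/bin/sp_helper"   # setuid bit set: must appear in the listing
    chmod 0755 "$d/bin/sp_tool"     # no setuid bit: must not appear
    printf '%s\n' "$d"
}

# Typical use on a real host, as root so every file is readable:
#   list_suid root /opt/spectrum > /var/lib/suid-baseline.txt   # once, after patching to V24Q3
#   audit_suid /var/lib/suid-baseline.txt root /opt/spectrum    # later, e.g. from cron
if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    audit_suid /dev/null "$(id -un)" "$tree" || echo "demo: helper flagged as expected"
fi
```

Run it with `sh audit_suid.sh demo` to see the constructed helper flagged; on a production host, generate the baseline only after the V24Q3 update so that the vulnerable binaries are not enshrined as expected. Stripping the setuid bit from vendor binaries as an interim measure is not something the advisory endorses and may break the product, so treat any unexpected entry as something to raise with Siemens rather than something to chmod away.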
## References
- **Siemens Security Advisory (SSA-616032):** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-616032[.]pdf
- **Siemens ProductCERT:** hxxps[://]www[.]siemens[.]com/cert/advisories