Full Report
SICAM AK3/TM/BC devices are affected by a buffer overflow vulnerability that could allow an attacker to execute code in the context of the current process or lead to a denial of service condition. Affected firmware:
- SICAM AK3: CPCX26 (for CP-2016) and PCCX26 (for CP-2019)
- SICAM AK3, SICAM BC and SICAM TM: ETA4 and ETA5 (for SM-2558)
Siemens has released new firmware versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Buffer Overflow in SICAM AK3/BC/TM Due to Improper Null Termination
## CVE Details
- CVE ID: CVE-2024-31484
- CVSS Score: 7.8 (CVSS v3.1) / 7.3 (CVSS v4.0) (High)
- CWE: CWE-170: Improper Null Termination
## Affected Systems
- Products: SICAM AK3, SICAM BC, SICAM TM devices.
- Versions:
- SICAM AK3/CP-2016 (Firmware CPCX26): All versions < V06.02
- SICAM AK3/CP-2019 (Firmware PCCX26): All versions < V06.05
- SICAM AK3/BC/TM, SM-2558 (Firmware ETA4): All versions < V10.46
- SICAM AK3/BC/TM, SM-2558 (Firmware ETA5): All versions < V03.27
- Configurations: Any device running one of the listed firmware versions on the named CPU or module is affected; the report names no configuration setting that enables or disables the vulnerable HTTP header handling.
## Vulnerability Description
The flaw is in the devices' parsing of a specific HTTP header, which the report does not name. A header value that is not properly null-terminated during parsing is a CWE-170 defect: the parser later treats the unterminated buffer as a C string, so string operations read beyond the buffer and any copy sized by that length writes beyond its destination, which is the reported buffer overflow. The vendor scores the attack vector as local (AV:L) with user interaction required; the report does not describe how the crafted header reaches the parser. Successful exploitation can lead to arbitrary code execution in the context of the current process, or to a denial of service (DoS) condition.
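As an added illustration, not code from the advisory or from the SICAM firmware: a constructed C header parser with the CWE-170 defect, next to a hardened version that rejects values that do not fit with their terminator. The header name `X-Session`, the 16-byte buffer and the sample request lines are assumptions chosen to make the fault observable; the real header is not named in the report.

```c
/*
 * Added example (not SICAM firmware, not Siemens code): a constructed HTTP
 * header parser showing CWE-170 (Improper Null Termination) and a hardened
 * version. Header name, buffer size and sample requests are assumptions
 * chosen to make the fault observable.
 */
#include <stdio.h>
#include <string.h>

#define HDR_VALUE_MAX 16   /* small on purpose so one request fills the buffer */

/* Two adjacent fixed buffers: if value[] is left unterminated, a later
 * strlen() walks straight into next[] (a stand-in for whatever follows). */
struct hdr_slot {
    char value[HDR_VALUE_MAX];
    char next[HDR_VALUE_MAX];
};

struct parse_result {
    int terminated;      /* 1 if a NUL landed inside value[] */
    size_t observed_len; /* what strlen(value) reports afterwards */
};

/* Skip "Name:" and following spaces; NULL if the line is not that header. */
static const char *header_value(const char *line, const char *name)
{
    size_t nlen = strlen(name);
    if (strncmp(line, name, nlen) != 0 || line[nlen] != ':')
        return NULL;
    const char *p = line + nlen + 1;
    while (*p == ' ')
        p++;
    return p;
}

/* VULNERABLE: strncpy() writes no NUL when the source is >= HDR_VALUE_MAX
 * bytes. strlen()/strcpy()/printf("%s") on value[] then read past the buffer,
 * and any copy sized by that length writes past its destination. */
struct parse_result parse_header_vulnerable(const char *line, const char *name)
{
    struct hdr_slot slot;
    struct parse_result r = {0, 0};
    const char *p = header_value(line, name);

    memset(slot.next, 'X', sizeof slot.next);   /* non-zero neighbour, like real stack data */
    slot.next[sizeof slot.next - 1] = '\0';     /* bounds the demo's over-read */
    if (p == NULL)
        return r;

    strncpy(slot.value, p, HDR_VALUE_MAX);      /* BUG: no terminator when strlen(p) >= 16 */
    r.terminated = memchr(slot.value, '\0', HDR_VALUE_MAX) != NULL;
    r.observed_len = strlen(slot.value);        /* over-reads into slot.next when !terminated */
    return r;
}

/* HARDENED: measure first, reject a value that does not fit with its NUL,
 * reject stray CR/LF inside the value, then copy with an explicit terminator.
 * Returns the value length, or -1 if the header is absent or malformed. */
int parse_header_hardened(const char *line, const char *name,
                          char *out, size_t out_sz)
{
    const char *p = header_value(line, name);
    if (p == NULL || out_sz == 0)
        return -1;

    size_t vlen = strcspn(p, "\r\n");           /* value ends at end of line */
    const char *end = p + vlen;
    int clean_end = end[0] == '\0'
                 || (end[0] == '\r' && end[1] == '\n' && end[2] == '\0')
                 || (end[0] == '\n' && end[1] == '\0');
    if (!clean_end)
        return -1;                              /* CR/LF mid-value: header injection */
    if (vlen >= out_sz)
        return -1;                              /* no room for the NUL: reject, never truncate */
    memcpy(out, p, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

int main(void)
{
    /* Constructed request lines: a benign value and one of exactly 16 bytes. */
    const char *ok_line  = "X-Session: abc123\r\n";
    const char *bad_line = "X-Session: 0123456789ABCDEF\r\n";
    char buf[HDR_VALUE_MAX];

    struct parse_result v = parse_header_vulnerable(bad_line, "X-Session");
    printf("vulnerable: terminated=%d strlen=%zu (buffer is %d)\n",
           v.terminated, v.observed_len, HDR_VALUE_MAX);
    printf("hardened ok : %d\n", parse_header_hardened(ok_line, "X-Session", buf, sizeof buf));
    printf("hardened bad: %d\n", parse_header_hardened(bad_line, "X-Session", buf, sizeof buf));
    return 0;
}
```

The hardened variant refuses rather than truncates: silently cutting a header value to fit is what turns a length bug into an authentication or routing bug further down the stack, and it also refuses header values with embedded CR/LF, which is the other classic failure of hand-written HTTP header parsers.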
## Exploitation
- Status: No exploitation in the wild is reported, and no public proof of concept is cited; the flaw is a classic unterminated-buffer bug, so a working trigger is plausible once the header is known. Both CVSS vectors require user interaction (v3.1 UI:R; v4.0 UI:P, passive), so the crafted header must reach the device through some action of a legitimate user rather than fully unattended.
- Complexity: Low per the CVSS v3.1 vector (AC:L). The lower CVSS v4.0 score of 7.3 does not by itself indicate higher attack complexity; v4.0 uses a different scale and is not directly comparable to v3.1.
- Attack Vector: Local (AV:L) in the v3.1 vector. Because the fault is in HTTP header parsing, treat any network-reachable HTTP service on these devices as exposed attack surface rather than relying on the AV:L rating to assume physical access is needed.
## Impact
- Confidentiality: High (Potential for RCE leading to information disclosure)
- Integrity: High (Potential for RCE leading to unauthorized modification)
- Availability: High (Potential for Denial of Service)
## Remediation
### Patches
The following firmware updates resolve CVE-2024-31484:
- CPCX26: Update to V06.02 or later (Found in SICAM RTUs AK3 Package V06.02).
- PCCX26: Update to V06.05 or later (Found in SICAM RTUs AK3 Package V06.02).
- ETA4: Update to V10.46 or later (Found in SICAM RTUs AK3 Package V06.02).
- ETA5: Update to V03.27 or later (Found in SICAM RTUs AK3 Package V06.02).
### Workarounds
Siemens publishes no vulnerability-specific workaround. It refers to its General Security Recommendations: restrict network access to the devices with appropriate mechanisms (for this flaw, keep the devices' HTTP interface reachable only from trusted engineering and operations networks) and configure the environment according to Siemens' Operational Guidelines for Industrial Security.
## Detection
- Indicators of compromise: None are published. Investigate unexpected restarts or crashes of the process serving HTTP on affected devices, and any unexpected code or configuration change on them.
- Detection methods and tools: Where the HTTP interface is network-reachable, inspect traffic to the devices for malformed requests, in particular header lines with unusually long values or values containing stray CR/LF bytes, using an IDS/IPS or protocol-aware monitor that decodes HTTP headers. Because the vulnerable header is not named, alert on header-length anomalies rather than on a specific header name.
## References
- Vendor advisories: SSA-620338
- Relevant links - defanged:
- Siemens Security Advisory Portal: cert-portal.siemens.com/productcert/html/ssa-620338.html
- Firmware Download Link (Included in patch notes): support.industry.siemens.com/cs/ww/en/view/109813252/
- General Security Guidelines: siemens.com/cert/operational-guidelines-industrial-security
- Siemens Industrial Security Home: siemens.com/industrialsecurity