Full Report
Spectrum Power 7 is affected by a vulnerability that could allow an authenticated local attacker to inject arbitrary code and gain root access. Siemens has released an update for Spectrum Power 7 and recommends to update to the latest version.
Analysis Summary
# Vulnerability: Local Privilege Escalation in Siemens Spectrum Power 7
## CVE Details
- **CVE ID:** CVE-2023-44120
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-732: Incorrect Permission Assignment for Critical Resource
## Affected Systems
- **Products:** Spectrum Power 7 (SCADA and Energy Management platform)
- **Versions:** All versions prior to V23Q4
- **Configurations:** Systems where the local administrative account is configured with specific sudo permissions.
## Vulnerability Description
The vulnerability exists within the `sudo` configuration of the affected product. The configuration permits a local administrative account to execute specific entries with root-level privileges. Due to incorrect permission assignments or inadequate restrictions on these entries, an authenticated local attacker can leverage this access to inject arbitrary code. This results in an escalation of privileges from a standard administrative user to the `root` user.
## Exploitation
- **Status:** PoC available (indicated by CVSS exploitability subscore `E:P`)
- **Complexity:** Low
- **Attack Vector:** Local (Attacker must have local shell access to the host)
## Impact
- **Confidentiality:** High (Full access to system files and data)
- **Integrity:** High (Ability to modify system binaries and configurations)
- **Availability:** High (Potential for complete system takeover or shutdown)
## Remediation
### Patches
Siemens recommends updating affected installations to the latest available version:
- **Spectrum Power 7:** Update to version **V23Q4** or later.
### Workarounds
No specific hardware/software workarounds were provided in the advisory. Siemens emphasizes following general security recommendations:
- Ensure multi-level redundant secondary protection schemes are in place.
- Validate all security updates in a test environment before production deployment.
## Detection
- **Indicators of Compromise:** Unusual `sudo` execution logs by administrative accounts; presence of unauthorized scripts or binaries in system directories; modifications to the `/etc/sudoers` file or `/etc/sudoers.d/` directory.
- **Detection methods and tools:** Audit system logs (e.g., `auth.log` or `journalctl`) for unexpected root-level commands executed via sudo. Use File Integrity Monitoring (FIM) to track changes to critical system configurations.
## References
- **Vendor Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-786191[.]pdf
- **Siemens ProductCERT:** hxxps[://]www[.]siemens[.]com/cert/advisories
- **MITRE CVE:** hxxps[://]cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2023-44120