TENABLE_OT_SIEMENS_CVE-2018-4858.NASL (Nessus plugin)
Published: Feb 07, 2022
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

Siemens IEC 61850 System Configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC Improper Access Control (CVE-2018-4858)
Tags: siemens, iec 61850, digsi, sicam, improper access control, cve-2018-4858, vulnerability, network interfaces, exfiltration, code execution, windows user permissions, confidentiality, integrity, mitigations

CVSS2 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3 base score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 7.6 (Confidence: High)
EPSS: 0.002 (Percentile: 58.3%)

A vulnerability has been identified in IEC 61850 system configurator (All versions < V5.80), DIGSI 5 (affected as IEC 61850 system configurator is incorporated) (All versions < V7.80), DIGSI 4 (All versions < V4.93), SICAM PAS/PQS (All versions < V8.11), SICAM PQ Analyzer (All versions < V3.11), SICAM SCC (All versions < V9.02 HF3). A service of the affected products listening on all of the host’s network interfaces on either port 4884/TCP, 5885/TCP, or port 5886/TCP could allow an attacker to either exfiltrate limited data from the system or to execute code with Microsoft Windows user permissions. Successful exploitation requires an attacker to be able to send a specially crafted network request to the vulnerable service and a user interacting with the service’s client application on the host. In order to execute arbitrary code with Microsoft Windows user permissions, an attacker must be able to plant the code in advance on the host by other means. The vulnerability has limited impact to confidentiality and integrity of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known. Siemens confirms the security vulnerability and provides mitigations to resolve the security issue.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500286);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");

  script_cve_id("CVE-2018-4858");
  script_xref(name:"ICSA", value:"18-317-01");

  script_name(english:"Siemens IEC 61850 System Configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC Improper Access Control (CVE-2018-4858)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in IEC 61850 system configurator (All versions < V5.80), DIGSI 5 (affected as IEC
61850 system configurator is incorporated) (All versions < V7.80), DIGSI 4 (All versions < V4.93), SICAM PAS/PQS (All
versions < V8.11), SICAM PQ Analyzer (All versions < V3.11), SICAM SCC (All versions < V9.02 HF3). A service of the
affected products listening on all of the host's network interfaces on either port 4884/TCP, 5885/TCP, or port 5886/TCP
could allow an attacker to either exfiltrate limited data from the system or to execute code with Microsoft Windows user
permissions. Successful exploitation requires an attacker to be able to send a specially crafted network request to the
vulnerable service and a user interacting with the service's client application on the host. In order to execute
arbitrary code with Microsoft Windows user permissions, an attacker must be able to plant the code in advance on the
host by other means. The vulnerability has limited impact to confidentiality and integrity of the affected system. At
the time of advisory publication no public exploitation of this security vulnerability was known. Siemens confirms the
security vulnerability and provides mitigations to resolve the security issue.  

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-18-317-01");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/105933");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has released updates for the affected products and recommends users update to the newest version.

- IEC 61850 system configurator update to v5.80 available at:

https://support.industry.siemens.com/cs/ww/en/view/109740546

- DIGSI 5 (affected as IEC 61850 system configurator is incorporated) - Uninstall IEC 61850 system configurator or
update to v7.80 available at:

https://support.industry.siemens.com/cs/ww/en/view/109758531

- DIGSI 4 update to v4.93 available at:

https://support.industry.siemens.com/cs/ww/en/view/109740980

- SICAM PAS/PQS update to v8.11 available at:

https://support.industry.siemens.com/cs/us/en/view/109757831

- SICAM PQ Analyzer update to v3.11 available at:

https://support.industry.siemens.com/cs/us/en/view/109757833

- SICAM SCC update to v9.02 HF3 available at:

https://support.industry.siemens.com/cs/ww/en/view/109745469

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

- Change firewall configuration to restrict access to Ports 4884/TCP, 5885/TCP or 5886/TCP to localhost (depending on
the affected product in use).
- Follow secure substations security guidelines available at:

https://www.siemens.com/gridsecurity

For additional information see Siemens' security advisory SSA-159860 at the following location:

http://www.siemens.com/cert/en/cert-security-advisories.htm");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4858");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:sicam_pas%2fpqs_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:sicam_pq_analyzer_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:sicam_scc_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:digsi_4_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:digsi_5_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:sicam_pas%2fpqs_firmware" :
        {"versionEndExcluding" : "8.11", "family" : "Sicam"},
    "cpe:/o:siemens:sicam_pq_analyzer_firmware" :
        {"versionEndExcluding" : "3.11", "family" : "Sicam"},
    "cpe:/o:siemens:sicam_scc_firmware:-" :
        {"family" : "Sicam"},
    "cpe:/o:siemens:digsi_4_firmware:-" :
        {"versionEndExcluding" : "4.93", "family" : "Siprotec4"},
    "cpe:/o:siemens:digsi_5_firmware" :
        {"versionEndExcluding" : "7.80", "family" : "Siprotec5"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
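The plugin hands the actual version matching to tenable_ot::cve::compare_and_report, whose logic is not shown on the page. The Python below is added here as an illustration (it is not Tenable's code) of how the same vuln_cpes table is evaluated against a constructed inventory; it also surfaces a caveat worth knowing when triaging results: the SICAM SCC entry carries no versionEndExcluding bound, so every SICAM SCC version matches, including the fixed v9.02 HF3. The version parser assumes dotted numeric versions with an optional "HFn" hotfix suffix.

```python
import re

# Vulnerable ranges exactly as declared in the plugin's vuln_cpes table above.
# "versionEndExcluding" is the first fixed version; a missing bound means "any version".
VULN_CPES = {
    "cpe:/o:siemens:sicam_pas%2fpqs_firmware": {"versionEndExcluding": "8.11", "family": "Sicam"},
    "cpe:/o:siemens:sicam_pq_analyzer_firmware": {"versionEndExcluding": "3.11", "family": "Sicam"},
    "cpe:/o:siemens:sicam_scc_firmware:-": {"family": "Sicam"},
    "cpe:/o:siemens:digsi_4_firmware:-": {"versionEndExcluding": "4.93", "family": "Siprotec4"},
    "cpe:/o:siemens:digsi_5_firmware": {"versionEndExcluding": "7.80", "family": "Siprotec5"},
}

def parse_version(text):
    """Turn 'V8.11', '8.11' or '9.02 HF3' into a comparable tuple of ints.
    Assumption of this example: dotted numeric versions with an optional 'HFn'
    hotfix token, which becomes a trailing component so that 9.02 < 9.02 HF3."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)(?:\s*HF(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + ((int(m.group(2)),) if m.group(2) else (0,))

def is_vulnerable(cpe, version, table=VULN_CPES):
    """True when (cpe, version) lies inside the declared vulnerable range.
    An entry without versionEndExcluding matches every version (SICAM SCC here)."""
    entry = table.get(cpe)
    if entry is None:
        return False
    upper = entry.get("versionEndExcluding")
    if upper is None:
        return True
    return parse_version(version) < parse_version(upper)

def evaluate_assets(assets, table=VULN_CPES):
    """assets: (cpe, version) pairs. Returns (cpe, version, family) for each hit."""
    return [(cpe, ver, table[cpe]["family"])
            for cpe, ver in assets if is_vulnerable(cpe, ver, table)]

# Constructed sample inventory, not real scan data.
SAMPLE_ASSETS = [
    ("cpe:/o:siemens:sicam_pas%2fpqs_firmware", "V8.10"),  # 8.10 < 8.11 -> flagged
    ("cpe:/o:siemens:sicam_pas%2fpqs_firmware", "V8.11"),  # fixed version -> clean
    ("cpe:/o:siemens:digsi_4_firmware:-", "V4.9"),         # 4.9 < 4.93 -> flagged
    ("cpe:/o:siemens:digsi_5_firmware", "V7.80"),          # fixed version -> clean
    ("cpe:/o:siemens:sicam_scc_firmware:-", "V9.02 HF3"),  # no bound -> still flagged
]

if __name__ == "__main__":
    for finding in evaluate_assets(SAMPLE_ASSETS):
        print("VULNERABLE", *finding)
```

Because SICAM SCC is flagged regardless of version, a patched SICAM SCC host reported by this plugin should be verified manually against v9.02 HF3 before being treated as a true finding.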
