
Advisory

Publication Date 2016-06-30 / Last Update 2016-06-30 / Current Version V1.0 / CVSSv3 Base Score 2.5

Affected Products
  • SICAM PAS: All versions < 8.07 (Vulnerability 1),
  • SICAM PAS: All versions (Vulnerability 2)

SICAM PAS is an energy automation solution for operating an electrical substation with its devices.

Detailed information about the vulnerabilities is provided below.

The vulnerability classification has been performed by using the CVSS scoring system in version 3.0 (CVSSv3.0) (http://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

 

Vulnerability 1 (CVE-2016-5848)

An authenticated local attacker with certain privileges to the SICAM PAS database could possibly reconstruct passwords for SICAM PAS users.

  • CVSS Base Score 2.3
  • CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Vulnerability 2 (CVE-2016-5849)

An authenticated local attacker could possibly access sensitive configuration information from the SICAM PAS database file if the database is in a stopped state.

  • CVSS Base Score 2.5
  • CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Mitigating Factors

The attacker must have local access to the SICAM PAS system and certain database privileges, or the database must be in a stopped state.

Siemens provides SICAM PAS 8.07 which fixes vulnerability 1 and recommends customers to update to this version [1].

Regarding vulnerability 2, Siemens is working to include an automated fix with a new SICAM PAS version and will update the advisory accordingly. In the meantime, Siemens provides detailed instructions on how to manually fix the vulnerability on existing installations of SICAM PAS via the Siemens Energy Customer Support Center [1].

Siemens thanks the following for their support and efforts:

  • Ilya Karpov from Positive Technologies for coordinated disclosure of vulnerability 1.
  • Ilya Karpov and Dmitry Sklyarov from Positive Technologies for coordinated disclosure of vulnerability 2.

[1] In order to receive the SICAM PAS V8.07 update and to receive detailed instructions on how to mitigate vulnerability 2, please contact the Siemens Energy Customer Support Center at:

support.energy@siemens.com

Alternatively, you can contact your regional Siemens representative.

 

[2] Recommended security guidelines to Secure Substation:

http://www.siemens.com/gridsecurity

(Select “Cyber Security General Downloads” tab -> “Manuals”)

 

[3] For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2016-06-30): Publication Date

DISCLAIMER

See: https://www.siemens.com/terms_of_use

https://www.industry.siemens.com/topics/global/en/industrial-security/Documents/operational_guidelines_industrial_security_en.pdf
