CVE-2022-29878

Vulnerability

SICAM T devices in all versions prior to V3.0 (e.g., 7KG8500 variants) rely on a challenge-response authentication mechanism during unencrypted communication. The challenge space is limited, meaning the same challenge value can reappear after a relatively small number of requests [1][2]. This flaw allows an attacker to capture a valid challenge-response pair and use it later for replay.

Exploitation

An unauthenticated attacker with network access to the device can passively eavesdrop on the unencrypted challenge-response exchange between a legitimate user and the device. By capturing a valid pair and then repeatedly requesting the web interface (e.g., sending many login page requests), the attacker waits until the same challenge value reappears. When it does, the attacker replays the captured response to authenticate successfully [1]. No prior authentication or user interaction beyond the initial capture is required, and the attack can be automated.

Impact

Upon successful replay, the attacker gains unauthorized access to the management interface of the SICAM T device. Depending on the privileges of the original user whose credentials were captured, the attacker may be able to read sensitive configuration data, modify device settings, or disrupt operations. This can lead to full compromise of the device's configuration and control functions [2].

Mitigation

Siemens has released firmware version V3.00 for SICAM T (and SICAM P850/P855) which resolves this issue. Customers should update to V3.00 or later, available via Siemens support portal [1]. As a workaround, restrict network access to the device's web interface (port 443/tcp) to only trusted IP addresses and avoid accessing untrusted links while logged in [2].