CVE-2022-29883

Vulnerability

A vulnerability exists in the web interface of SICAM T devices (all versions prior to V3.0) [2]. The affected devices do not restrict unauthenticated access to certain pages of the web interface, allowing an attacker to reach functionality that should require authentication [2]. This has been identified with a CVSS v3.1 base score of 9.9 [2].

Exploitation

An attacker with network access to the device can exploit this vulnerability without any authentication, user interaction, or special privileges [2]. By directly accessing unprotected pages of the web interface, the attacker can perform actions that should be restricted to authenticated users. The attack complexity is low [2].

Impact

Successful exploitation allows an attacker to delete log files on the device without authentication [2]. This could hinder forensic analysis after an attack. More broadly, this unauthenticated access to web interface functionality may lead to further impacts, including remote code execution, denial of service, and session hijacking (the full scope of vulnerabilities in this component) [2].

Mitigation

Siemens has released version V3.0 of SICAM T to address this vulnerability [2]. Users should update to V3.0 or later. As a workaround, restrict access to port 443/tcp (HTTPS) to trusted IP addresses only [2]. Additionally, do not access links from untrusted sources while logged into SICAM T [2].