CVE-2023-42796
📋 TL;DR
This vulnerability allows authenticated remote attackers to perform directory traversal attacks on Siemens CP-8031 and CP-8050 MASTER MODULE devices via the /sicweb-ajax/tmproot/ endpoint. Attackers can download arbitrary files and potentially escalate privileges to administrator by exploring session IDs. Only devices running versions before CPCI85 V05.11 are affected.
💻 Affected Systems
- Siemens CP-8031 MASTER MODULE
- Siemens CP-8050 MASTER MODULE
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrator privileges, allowing complete control over affected industrial control systems, data theft, and potential disruption of critical operations.
Likely Case
Unauthorized file access leading to credential theft, configuration exposure, and potential privilege escalation to administrator role.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring in place to detect traversal attempts.
🎯 Exploit Status
Directory traversal vulnerabilities are typically easy to exploit once authenticated. The privilege escalation aspect requires additional session ID exploration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CPCI85 V05.11
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-770890.pdf
Restart Required: Yes
Instructions:
1. Download CPCI85 V05.11 firmware from the Siemens support portal.
2. Back up the current configuration.
3. Apply the firmware update following Siemens documentation.
4. Restart the device.
5. Verify the version update.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from untrusted networks and restrict access to authorized IP addresses only.
Access Control
Implement strong authentication mechanisms and limit user privileges to the minimum required.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted sources only
- Monitor for unusual file access patterns and directory traversal attempts in web server logs
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface or CLI. If the version is below CPCI85 V05.11, the device is vulnerable.
Check Version:
Check via the web interface System Information page or device-specific CLI commands.
Verify Fix Applied:
Verify firmware version shows CPCI85 V05.11 or higher after update.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing directory traversal sequences (../) to /sicweb-ajax/tmproot/
- Multiple failed authentication attempts followed by successful login and file access
Network Indicators:
- Unusual file download patterns from industrial control system web interfaces
- Traffic to /sicweb-ajax/tmproot/ with path traversal payloads
SIEM Query:
source="web_server" AND (uri="/sicweb-ajax/tmproot/*" AND (uri="*../*" OR uri="*..\\*"))
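The log indicators and SIEM query above, as an added example (not code from the advisory or from Siemens): a small Python scanner that applies the same rule to constructed access-log lines and also catches percent-encoded (including double-encoded) and backslash traversal variants that a plain `*../*` match would miss. Log format, field names and sample entries are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real device output.
SAMPLE_LOG = """\
10.0.0.5 - operator [01/Nov/2023:10:00:01 +0000] "GET /sicweb-ajax/tmproot/report.csv HTTP/1.1" 200 512
10.0.0.9 - operator [01/Nov/2023:10:00:07 +0000] "GET /sicweb-ajax/tmproot/../../config.txt HTTP/1.1" 200 1840
10.0.0.9 - operator [01/Nov/2023:10:00:12 +0000] "GET /sicweb-ajax/tmproot/%2e%2e%2f%2e%2e%2fvar/log/app.log HTTP/1.1" 200 900
10.0.0.9 - operator [01/Nov/2023:10:00:15 +0000] "GET /sicweb-ajax/tmproot/..%5c..%5csettings.xml HTTP/1.1" 200 2048
10.0.0.7 - - [01/Nov/2023:10:00:20 +0000] "GET /sicweb/login?next=../x HTTP/1.1" 302 0
"""

# Assumed log layout: ip ident user [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
TARGET_PREFIX = "/sicweb-ajax/tmproot/"          # endpoint named in the advisory
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")      # a '..' path segment


def normalize_uri(uri: str) -> str:
    """Percent-decode until stable (defeats double encoding), fold '\\' to '/'."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri.replace("\\", "/")


def is_traversal_attempt(uri: str) -> bool:
    """True if the request targets the tmproot endpoint with a '..' segment."""
    path = normalize_uri(uri.split("?", 1)[0])   # ignore the query string
    return path.startswith(TARGET_PREFIX) and TRAVERSAL_RE.search(path) is not None


def scan_log(text: str) -> list[dict]:
    """Return one record per log line that matches the traversal indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["uri"]):
            hits.append({"ip": m["ip"], "user": m["user"],
                         "uri": m["uri"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A status of 200 on a flagged request is the stronger signal, since it indicates the traversal was served rather than rejected.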