Details of VAR-202204-0109

ID

VAR-202204-0109

CVE

CVE-2022-27480

TITLE

Siemens SICAM A8000 CP-8050 and CP-8031 Unauthorized Access Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2022-28502

DESCRIPTION

A vulnerability has been identified in SICAM A8000 CP-8031 (All versions < V4.80), SICAM A8000 CP-8050 (All versions < V4.80). Affected devices do not require an user to be authenticated to access certain files. This could allow unauthenticated attackers to download these files. The SICAM A8000 RTU (Remote Terminal Unit) series is used for automation applications in all areas of remote control and energy supply

Trust: 1.53

sources: NVD: CVE-2022-27480 // CNVD: CNVD-2022-28502 // VULMON: CVE-2022-27480

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-28502

AFFECTED PRODUCTS

vendor:	siemens	model:	sicam a8000 cp-8031	scope:	lt	version:	4.80	Trust: 1.6
vendor:	siemens	model:	sicam a8000 cp-8050	scope:	lt	version:	4.80	Trust: 1.6

sources: CNVD: CNVD-2022-28502 // NVD: CVE-2022-27480

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-27480
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2022-28502
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202204-3129
value:	HIGH
Trust: 0.6
VULMON:	CVE-2022-27480
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-27480
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2022-28502
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-27480
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2022-28502 // VULMON: CVE-2022-27480 // CNNVD: CNNVD-202204-3129 // NVD: CVE-2022-27480

PROBLEMTYPE DATA

problemtype:	CWE-425	Trust: 1.0
problemtype:	CWE-862	Trust: 1.0

sources: NVD: CVE-2022-27480

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3129

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202204-3129

PATCH

title:	Patch for Siemens SICAM A8000 CP-8050 and CP-8031 Unauthorized Access Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/329171	Trust: 0.6
title:	Siemens SICAM Fixes for access control error vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=190122	Trust: 0.6

sources: CNVD: CNVD-2022-28502 // CNNVD: CNNVD-202204-3129

EXTERNAL IDS

db:	SIEMENS	id:	SSA-316850	Trust: 2.3
db:	NVD	id:	CVE-2022-27480	Trust: 2.3
db:	PACKETSTORM	id:	166743	Trust: 1.7
db:	ICS CERT	id:	ICSA-22-104-10	Trust: 0.7
db:	CNVD	id:	CNVD-2022-28502	Trust: 0.6
db:	CXSECURITY	id:	WLB-2022040064	Trust: 0.6
db:	CNNVD	id:	CNNVD-202204-3129	Trust: 0.6
db:	VULMON	id:	CVE-2022-27480	Trust: 0.1

sources: CNVD: CNVD-2022-28502 // VULMON: CVE-2022-27480 // CNNVD: CNNVD-202204-3129 // NVD: CVE-2022-27480

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-316850.pdf	Trust: 2.3
url:	http://packetstormsecurity.com/files/166743/siemens-a8000-cp-8050-cp-8031-sicam-web-missing-file-download-missing-authentication.html	Trust: 2.3
url:	http://seclists.org/fulldisclosure/2022/apr/20	Trust: 1.7
url:	https://cxsecurity.com/issue/wlb-2022040064	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-104-10	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-27480/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/862.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-10	Trust: 0.1

sources: CNVD: CNVD-2022-28502 // VULMON: CVE-2022-27480 // CNNVD: CNNVD-202204-3129 // NVD: CVE-2022-27480

CREDITS

Gerhard Hechenberger,Steffen Robertz, and Thomas Weber of SEC Consult Vulnerability Lab reported this vulnerability to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202204-3129

SOURCES

db:	CNVD	id:	CNVD-2022-28502
db:	VULMON	id:	CVE-2022-27480
db:	CNNVD	id:	CNNVD-202204-3129
db:	NVD	id:	CVE-2022-27480

LAST UPDATE DATE

2024-11-23T21:29:50.552000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-28502	date:	2022-04-13T00:00:00
db:	VULMON	id:	CVE-2022-27480	date:	2022-04-19T00:00:00
db:	CNNVD	id:	CNNVD-202204-3129	date:	2023-07-19T00:00:00
db:	NVD	id:	CVE-2022-27480	date:	2024-11-21T06:55:48.473

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-28502	date:	2022-04-13T00:00:00
db:	VULMON	id:	CVE-2022-27480	date:	2022-04-12T00:00:00
db:	CNNVD	id:	CNNVD-202204-3129	date:	2022-04-12T00:00:00
db:	NVD	id:	CVE-2022-27480	date:	2022-04-12T09:15:15.103