ID

VAR-202310-0215


CVE

CVE-2023-38640


TITLE

Improper permission assignment for critical resources vulnerability in Siemens SICAM PAS/PQS

Trust: 0.8

sources: JVNDB: JVNDB-2023-014550

DESCRIPTION

A vulnerability has been identified in SICAM PAS/PQS (All versions >= V8.00 < V8.22). The affected application is installed with specific files and folders with insecure permissions. This could allow an authenticated local attacker to read and modify configuration data in the context of the application process. Siemens SICAM PAS/PQS contains an improper permission assignment for critical resources vulnerability. Information may be obtained and information may be tampered with. Siemens SICAM PAS/PQS is software from Germany's Siemens with operating systems for energy automation and power quality

Trust: 2.16

sources: NVD: CVE-2023-38640 // JVNDB: JVNDB-2023-014550 // CNVD: CNVD-2023-75594

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-75594

AFFECTED PRODUCTS

vendor: siemens, model: sicam pas/pqs, scope: lt, version: 8.22

Trust: 1.0

vendor: siemens, model: sicam pas/pqs, scope: gte, version: 8.00

Trust: 1.0

vendor: Siemens, model: sicam pas/pqs, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: sicam pas/pqs, scope: eq, version: 8.00 or later and earlier than 8.22

Trust: 0.8

vendor: Siemens, model: sicam pas/pqs, scope: eq, version: -

Trust: 0.8

vendor: siemens, model: sicam pas/pqs, scope: gte, version: v8.00,<v8.22

Trust: 0.6

sources: CNVD: CNVD-2023-75594 // JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-38640
value: MEDIUM

Trust: 1.0

productcert@siemens.com: CVE-2023-38640
value: MEDIUM

Trust: 1.0

NVD: CVE-2023-38640
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2023-75594
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2023-75594
severity: MEDIUM
baseScore: 6.1
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2023-38640
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 2.5
version: 3.1

Trust: 1.0

productcert@siemens.com: CVE-2023-38640
baseSeverity: MEDIUM
baseScore: 6.6
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 4.7
version: 3.1

Trust: 1.0

NVD: CVE-2023-38640
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-75594 // JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640 // NVD: CVE-2023-38640

PROBLEMTYPE DATA

problemtype: CWE-732

Trust: 1.0

problemtype: Improper permission assignment for critical resources (CWE-732) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640

PATCH

title: Patch for Siemens SICAM PAS/PQS incorrect permission assignment vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/466621

Trust: 0.6

sources: CNVD: CNVD-2023-75594

EXTERNAL IDS

db: NVD, id: CVE-2023-38640

Trust: 3.2

db: SIEMENS, id: SSA-035466

Trust: 2.4

db: ICS CERT, id: ICSA-23-285-06

Trust: 0.8

db: JVN, id: JVNVU98753493

Trust: 0.8

db: JVNDB, id: JVNDB-2023-014550

Trust: 0.8

db: CNVD, id: CNVD-2023-75594

Trust: 0.6

sources: CNVD: CNVD-2023-75594 // JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640

REFERENCES

url: https://cert-portal.siemens.com/productcert/pdf/ssa-035466.pdf

Trust: 1.8

url: https://cert-portal.siemens.com/productcert/html/ssa-035466.html

Trust: 1.6

url: https://jvn.jp/vu/jvnvu98753493/

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2023-38640

Trust: 0.8

url: https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-06

Trust: 0.8

sources: CNVD: CNVD-2023-75594 // JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640

SOURCES

db: CNVD, id: CNVD-2023-75594
db: JVNDB, id: JVNDB-2023-014550
db: NVD, id: CVE-2023-38640

LAST UPDATE DATE

2024-08-14T13:19:43.590000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2023-75594, date: 2023-10-11T00:00:00
db: JVNDB, id: JVNDB-2023-014550, date: 2023-12-25T02:38:00
db: NVD, id: CVE-2023-38640, date: 2024-06-11T09:15:13.423

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2023-75594, date: 2023-10-12T00:00:00
db: JVNDB, id: JVNDB-2023-014550, date: 2023-12-25T00:00:00
db: NVD, id: CVE-2023-38640, date: 2023-10-10T11:15:12.063