Details of VAR-202310-0215

ID

VAR-202310-0215

CVE

CVE-2023-38640

TITLE

Siemens' sicam pas/pqs Vulnerability in improper permission assignment for critical resources in

Trust: 0.8

sources: JVNDB: JVNDB-2023-014550

DESCRIPTION

A vulnerability has been identified in SICAM PAS/PQS (All versions >= V8.00 < V8.22). The affected application is installed with specific files and folders with insecure permissions. This could allow an authenticated local attacker to read and modify configuration data in the context of the application process. Siemens' sicam pas/pqs Contains a vulnerability in improper permission assignment for critical resources.Information may be obtained and information may be tampered with. Siemens SICAM PAS/PQS is a software from Germany's Siemens with operating systems for energy automation and power quality

Trust: 2.16

sources: NVD: CVE-2023-38640 // JVNDB: JVNDB-2023-014550 // CNVD: CNVD-2023-75594

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-75594

AFFECTED PRODUCTS

vendor:	siemens	model:	sicam pas\/pqs	scope:	lt	version:	8.22	Trust: 1.0
vendor:	siemens	model:	sicam pas\/pqs	scope:	gte	version:	8.00	Trust: 1.0
vendor:	シーメンス	model:	sicam pas/pqs	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sicam pas/pqs	scope:	eq	version:	8.00 that's all 8.22	Trust: 0.8
vendor:	シーメンス	model:	sicam pas/pqs	scope:	eq	version:	-	Trust: 0.8
vendor:	siemens	model:	sicam pas/pqs	scope:	gte	version:	v8.00,<v8.22	Trust: 0.6

sources: CNVD: CNVD-2023-75594 // JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-38640
value:	MEDIUM
Trust: 1.0
productcert@siemens.com:	CVE-2023-38640
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-38640
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2023-75594
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2023-75594
severity:	MEDIUM
baseScore:	6.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-38640
baseSeverity:	MEDIUM
baseScore:	4.4
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	2.5
version:	3.1
Trust: 1.0
productcert@siemens.com:	CVE-2023-38640
baseSeverity:	MEDIUM
baseScore:	6.6
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	4.7
version:	3.1
Trust: 1.0
NVD:	CVE-2023-38640
baseSeverity:	MEDIUM
baseScore:	4.4
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-75594 // JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640 // NVD: CVE-2023-38640

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.0
problemtype:	Improper permission assignment for critical resources (CWE-732) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640

PATCH

title:

Patch for Siemens SICAM PAS/PQS incorrect permission assignment vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/466621

Trust: 0.6

sources: CNVD: CNVD-2023-75594

EXTERNAL IDS

db:	NVD	id:	CVE-2023-38640	Trust: 3.2
db:	SIEMENS	id:	SSA-035466	Trust: 2.4
db:	ICS CERT	id:	ICSA-23-285-06	Trust: 0.8
db:	JVN	id:	JVNVU98753493	Trust: 0.8
db:	JVNDB	id:	JVNDB-2023-014550	Trust: 0.8
db:	CNVD	id:	CNVD-2023-75594	Trust: 0.6

sources: CNVD: CNVD-2023-75594 // JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-035466.pdf	Trust: 1.8
url:	https://cert-portal.siemens.com/productcert/html/ssa-035466.html	Trust: 1.6
url:	https://jvn.jp/vu/jvnvu98753493/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-38640	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-06	Trust: 0.8

sources: CNVD: CNVD-2023-75594 // JVNDB: JVNDB-2023-014550 // NVD: CVE-2023-38640

SOURCES

db:	CNVD	id:	CNVD-2023-75594
db:	JVNDB	id:	JVNDB-2023-014550
db:	NVD	id:	CVE-2023-38640

LAST UPDATE DATE

2024-08-14T13:19:43.590000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-75594	date:	2023-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2023-014550	date:	2023-12-25T02:38:00
db:	NVD	id:	CVE-2023-38640	date:	2024-06-11T09:15:13.423

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-75594	date:	2023-10-12T00:00:00
db:	JVNDB	id:	JVNDB-2023-014550	date:	2023-12-25T00:00:00
db:	NVD	id:	CVE-2023-38640	date:	2023-10-10T11:15:12.063