Details of VAR-202310-0216

ID

VAR-202310-0216

CVE

CVE-2023-45205

TITLE

Siemens' sicam pas/pqs Vulnerability in improper permission assignment for critical resources in

Trust: 0.8

sources: JVNDB: JVNDB-2023-014548

DESCRIPTION

A vulnerability has been identified in SICAM PAS/PQS (All versions >= V8.00 < V8.20). The affected application is installed with specific files and folders with insecure permissions. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges to `NT AUTHORITY/SYSTEM`. Siemens' sicam pas/pqs Contains a vulnerability in improper permission assignment for critical resources.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Siemens SICAM PAS/PQS is a software from Germany's Siemens with operating systems for energy automation and power quality

Trust: 2.16

sources: NVD: CVE-2023-45205 // JVNDB: JVNDB-2023-014548 // CNVD: CNVD-2023-75593

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-75593

AFFECTED PRODUCTS

vendor:	siemens	model:	sicam pas\/pqs	scope:	gte	version:	8.00	Trust: 1.0
vendor:	siemens	model:	sicam pas\/pqs	scope:	lt	version:	8.20	Trust: 1.0
vendor:	シーメンス	model:	sicam pas/pqs	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sicam pas/pqs	scope:	eq	version:	8.00 that's all 8.20	Trust: 0.8
vendor:	シーメンス	model:	sicam pas/pqs	scope:	eq	version:	-	Trust: 0.8
vendor:	siemens	model:	sicam pas/pqs	scope:	gte	version:	v8.00,<v8.20	Trust: 0.6

sources: CNVD: CNVD-2023-75593 // JVNDB: JVNDB-2023-014548 // NVD: CVE-2023-45205

CVSS

SEVERITY

CVSSV2

CVSSV3

productcert@siemens.com:	CVE-2023-45205
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2023-014548
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2023-75593
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2023-75593
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

productcert@siemens.com:	CVE-2023-45205
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2023-014548
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-75593 // JVNDB: JVNDB-2023-014548 // NVD: CVE-2023-45205

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.0
problemtype:	Improper permission assignment for critical resources (CWE-732) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-014548 // NVD: CVE-2023-45205

PATCH

title:

Patch for Siemens SICAM PAS/PQS incorrect permission allocation vulnerability (CNVD-2023-75593)

url:

https://www.cnvd.org.cn/patchInfo/show/466616

Trust: 0.6

sources: CNVD: CNVD-2023-75593

EXTERNAL IDS

db:	NVD	id:	CVE-2023-45205	Trust: 3.2
db:	SIEMENS	id:	SSA-035466	Trust: 2.4
db:	JVN	id:	JVNVU98753493	Trust: 0.8
db:	JVNDB	id:	JVNDB-2023-014548	Trust: 0.8
db:	CNVD	id:	CNVD-2023-75593	Trust: 0.6

sources: CNVD: CNVD-2023-75593 // JVNDB: JVNDB-2023-014548 // NVD: CVE-2023-45205

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-035466.pdf	Trust: 1.8
url:	https://cert-portal.siemens.com/productcert/html/ssa-035466.html	Trust: 1.6
url:	https://jvn.jp/vu/jvnvu98753493/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-45205	Trust: 0.8

sources: CNVD: CNVD-2023-75593 // JVNDB: JVNDB-2023-014548 // NVD: CVE-2023-45205

SOURCES

db:	CNVD	id:	CNVD-2023-75593
db:	JVNDB	id:	JVNDB-2023-014548
db:	NVD	id:	CVE-2023-45205

LAST UPDATE DATE

2024-08-14T13:19:47.671000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-75593	date:	2023-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2023-014548	date:	2023-12-25T02:38:00
db:	NVD	id:	CVE-2023-45205	date:	2024-06-11T09:15:16.577

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-75593	date:	2023-10-12T00:00:00
db:	JVNDB	id:	JVNDB-2023-014548	date:	2023-12-25T00:00:00
db:	NVD	id:	CVE-2023-45205	date:	2023-10-10T11:15:13.163