Sign-up

ID

VAR-202407-0705


CVE

CVE-2024-37998


TITLE

Unauthenticated password reset vulnerability in multiple SICAM products

Trust: 0.6

sources: CNVD: CNVD-2024-33449

DESCRIPTION

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). The password of administrative accounts of the affected applications can be reset without requiring the knowledge of the current password, given the auto login is enabled. This could allow an unauthorized attacker to obtain administrative access of the affected applications. SICAM 8 Power automation platform is a universal, all-in-one hardware and software-based solution for all applications in the power supply sector. SICAM A8000 RTUs are modular devices for remote control and automation applications in all energy supply sectors. SICAM EGS is a gateway for local substations in distribution networks

Trust: 1.44

sources: NVD: CVE-2024-37998 // CNVD: CNVD-2024-33449

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-33449

AFFECTED PRODUCTS

vendor:siemensmodel:cpci85 central processing/communicationscope:ltversion:5.40

Trust: 0.6

vendor:siemensmodel:sicore base systemscope:ltversion:1.4.0

Trust: 0.6

sources: CNVD: CNVD-2024-33449

CVSS

SEVERITY

CVSSV2

CVSSV3

productcert@siemens.com: CVE-2024-37998
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2024-33449
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-33449
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

productcert@siemens.com: CVE-2024-37998
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2024-33449 // NVD: CVE-2024-37998

PROBLEMTYPE DATA

problemtype:CWE-620

Trust: 1.0

sources: NVD: CVE-2024-37998

PATCH

title:Patch for Unauthenticated password reset vulnerability in multiple SICAM productsurl:https://www.cnvd.org.cn/patchInfo/show/573551

Trust: 0.6

sources: CNVD: CNVD-2024-33449

EXTERNAL IDS

db:SIEMENSid:SSA-071402

Trust: 1.6

db:NVDid:CVE-2024-37998

Trust: 1.6

db:CNVDid:CNVD-2024-33449

Trust: 0.6

sources: CNVD: CNVD-2024-33449 // NVD: CVE-2024-37998

REFERENCES

url:https://cert-portal.siemens.com/productcert/html/ssa-071402.html

Trust: 1.6

sources: CNVD: CNVD-2024-33449 // NVD: CVE-2024-37998

SOURCES

db:CNVDid:CNVD-2024-33449
db:NVDid:CVE-2024-37998

LAST UPDATE DATE

2024-08-14T14:42:34.139000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2024-33449date:2024-07-23T00:00:00
db:NVDid:CVE-2024-37998date:2024-07-24T12:55:13.223

SOURCES RELEASE DATE

db:CNVDid:CNVD-2024-33449date:2024-07-23T00:00:00
db:NVDid:CVE-2024-37998date:2024-07-22T14:15:05.453