Siemens energy automation bug could have allowed unauthorized control over device

A vulnerability in Siemens energy automation systems could have allowed an attacker to gain unauthorized control of an affected device. An update patching the flaw has been issued.

The Siemens SICAM MIC, a small telecontrol system that includes an integrated web server among several other features and functions, contains an authentication bypass vulnerability that could allow an attacker to perform administrative operations under the right circumstances.

"Attackers with network access to the device's web interface (port 80/tcp) could possibly circumvent authentication and perform administrative operations. A legitimate user must be logged into the web interface for the attack to be successful," according to the advisory.

All versions prior to the Siemens V2404 firmware update are at risk. The update contains other security patches as well.

Researcher Philippe Oechslin of Objectif Sécurité discovered the vulnerability and disclosed it to the company, and an update correcting the flaw was released this Tuesday.
