ID

VAR-202401-0199


CVE

CVE-2023-44120


TITLE

Siemens Spectrum Power 7 critical resource permission allocation error vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-01394

DESCRIPTION

A vulnerability has been identified in Spectrum Power 7 (All versions < V23Q4). The affected product's sudo configuration permits the local administrative account to execute several entries as root user. This could allow an authenticated local attacker to inject arbitrary code and gain root access. Spectrum Power 7 provides the basic components of SCADA, communication and data modeling for control and monitoring systems. Application suites can be added to optimize network and power generation management in all energy management areas.

Trust: 1.44

sources: NVD: CVE-2023-44120 // CNVD: CNVD-2024-01394

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-01394

AFFECTED PRODUCTS

vendor: siemens, model: spectrum power 7, scope: lt, version: 23q4

Trust: 1.0

vendor: siemens, model: spectrum power <23q4, scope: eq, version: 7

Trust: 0.6

sources: CNVD: CNVD-2024-01394 // NVD: CVE-2023-44120

CVSS

SEVERITY

productcert@siemens.com: CVE-2023-44120
value: HIGH

Trust: 1.0

CNVD: CNVD-2024-01394
value: MEDIUM

Trust: 0.6

CVSSV2

CNVD: CNVD-2024-01394
severity: MEDIUM
baseScore: 6.8
vectorString: AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

productcert@siemens.com: CVE-2023-44120
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2024-01394 // NVD: CVE-2023-44120

PROBLEMTYPE DATA

problemtype: CWE-732

Trust: 1.0

sources: NVD: CVE-2023-44120

PATCH

title: Patch for Siemens Spectrum Power 7 critical resource permission allocation error vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/514136

Trust: 0.6

sources: CNVD: CNVD-2024-01394

EXTERNAL IDS

db: SIEMENS, id: SSA-786191

Trust: 1.6

db: NVD, id: CVE-2023-44120

Trust: 1.6

db: CNVD, id: CNVD-2024-01394

Trust: 0.6

sources: CNVD: CNVD-2024-01394 // NVD: CVE-2023-44120

REFERENCES

url: https://cert-portal.siemens.com/productcert/pdf/ssa-786191.pdf

Trust: 1.0

url: https://cert-portal.siemens.com/productcert/html/ssa-786191.html

Trust: 0.6

sources: CNVD: CNVD-2024-01394 // NVD: CVE-2023-44120

SOURCES

db: CNVD, id: CNVD-2024-01394
db: NVD, id: CVE-2023-44120

LAST UPDATE DATE

2025-03-14T22:53:25.206000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-01394, date: 2024-01-10T00:00:00
db: NVD, id: CVE-2023-44120, date: 2024-01-16T15:36:11.773

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-01394, date: 2024-01-10T00:00:00
db: NVD, id: CVE-2023-44120, date: 2024-01-09T10:15:15.613