Details of VAR-202401-0853

ID

VAR-202401-0853

CVE

CVE-2023-42797

TITLE

Siemens CPCI85 Firmware of SICAM A8000 Devices Command Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-01410

DESCRIPTION

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05.20), CP-8050 MASTER MODULE (All versions < CPCI85 V05.20). The network configuration service of affected devices contains a flaw in the conversion of ipv4 addresses that could lead to an uninitialized variable being used in succeeding validation steps. By uploading specially crafted network configuration, an authenticated remote attacker could be able to inject commands that are executed on the device with root privileges during device startup. The SICAM A8000 rtu (remote terminal unit) series is a modular device family for telecontrol and automation applications in all energy supply sectors

Trust: 1.44

sources: NVD: CVE-2023-42797 // CNVD: CNVD-2024-01410

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-01410

AFFECTED PRODUCTS

vendor:	siemens	model:	sicam a8000 cp-8031	scope:	lt	version:	05.20	Trust: 1.0
vendor:	siemens	model:	sicam a8000 cp-8050	scope:	lt	version:	05.20	Trust: 1.0
vendor:	siemens	model:	cp-8031 master module <cpci85	scope:	eq	version:	v05.20	Trust: 0.6
vendor:	siemens	model:	cp-8050 master module <cpci85	scope:	eq	version:	v05.20	Trust: 0.6

sources: CNVD: CNVD-2024-01410 // NVD: CVE-2023-42797

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-42797
value:	HIGH
Trust: 1.0
productcert@siemens.com:	CVE-2023-42797
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2024-01410
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-01410
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:H/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-42797
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
productcert@siemens.com:	CVE-2023-42797
baseSeverity:	MEDIUM
baseScore:	6.6
vectorString:	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.7
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2024-01410 // NVD: CVE-2023-42797 // NVD: CVE-2023-42797

PROBLEMTYPE DATA

problemtype:

CWE-908

Trust: 1.0

sources: NVD: CVE-2023-42797

PATCH

title:

Patch for Siemens CPCI85 Firmware of SICAM A8000 Devices Command Injection Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/514056

Trust: 0.6

sources: CNVD: CNVD-2024-01410

EXTERNAL IDS

db:	NVD	id:	CVE-2023-42797	Trust: 1.6
db:	SIEMENS	id:	SSA-583634	Trust: 1.6
db:	CNVD	id:	CNVD-2024-01410	Trust: 0.6

sources: CNVD: CNVD-2024-01410 // NVD: CVE-2023-42797

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-583634.pdf	Trust: 1.0
url:	https://cert-portal.siemens.com/productcert/html/ssa-583634.html	Trust: 0.6

sources: CNVD: CNVD-2024-01410 // NVD: CVE-2023-42797

SOURCES

db:	CNVD	id:	CNVD-2024-01410
db:	NVD	id:	CVE-2023-42797

LAST UPDATE DATE

2025-03-15T23:13:18.262000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-01410	date:	2024-01-10T00:00:00
db:	NVD	id:	CVE-2023-42797	date:	2024-01-16T15:29:43.977

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-01410	date:	2024-01-10T00:00:00
db:	NVD	id:	CVE-2023-42797	date:	2024-01-09T10:15:15.320