Two flaws in Siemens SICAM PAS impact the energy industry

Researchers discovered two flaws in the Siemens SICAM PAS widely used in the energy industry. One of the vulnerabilities is still unpatched.

Security experts from Positive Technologies that have reviewed the Siemens SICAM PAS (Power Automation System) solution have discovered two information disclosure vulnerabilities (CVE-2016-5848 and CVE-2016-5849) that can be exploited by a local attacker.

The experts reported the issued to the company that promptly fixed one of them and is currently working on the other one.

What is the Siemens SICAM PAS?

Siemens SICAM PAS is a solution widely adopted in the energy industry to operate electrical substations. The Siemens SICAM PAS is an open system that features user interfaces for the integration of system-specific tasks and offers multiple automation options.

It runs on Windows systems and its points of strength are the flexibility, scalability and the simplicity for its adoption.

The ICS-CERT issued a security advisory on the security issues that plague the solution.

According to the ICS-CERT, the Siemens SICAM PAS versions older than Version 8.07 are affected by the issues.

“An authenticated local user utilizing these vulnerabilities could obtain sensitive information under certain conditions.” states the advisory. “Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”

The software running on the Siemens SICAM PAS doesn’t properly protect user passwords, an attacker can exploit the flaws to reconstruct the information (CVE-2016-5848).

“An authenticated local attacker with certain privileges to the SICAM PAS database could possibly reconstruct passwords.” states the advisory.

The second vulnerability can be exploited by attackers to access sensitive configuration data (CVE-2016-5849) for the database file used in the SICAM PAS.

“An authenticated local attacker could possibly access sensitive configuration information from the SICAM PAS database file if the database is in a stopped state.” .

Siemens is currently working on addressing CVE-2016-5849 and invites customers to contact the support center for instructions on how to mitigate the issue waiting for an official patch.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –Energy Industry, Siemens SICAM PAS)