Network Configuration Flaw in Siemens CP-8031 and CP-8050 Modules
CVE-2023-42797

7.2HIGH

Key Information:

Vendor: Siemens
Status: CP-8031 MASTER MODULE; CP-8050 MASTER MODULE
Vendor: CVE Published:; 9 January 2024

Summary

A vulnerability exists in the network configuration service of the Siemens CP-8031 MASTER MODULE and CP-8050 MASTER MODULE, particularly affecting all versions prior to CPCI85 V05.20. This flaw pertains to the improper handling of IPv4 address conversions, which can result in an uninitialized variable being used during validation checks. An attacker with authenticated access can exploit this vulnerability by uploading a specially crafted network configuration, facilitating the injection of commands to execute with root-level privileges when the device starts up. This presents significant security risks for affected devices within networked environments.

Affected Version(s)

CP-8031 MASTER MODULE All versions < CPCI85 V05.20

CP-8050 MASTER MODULE All versions < CPCI85 V05.20

References

https://cert-portal.siemens.com/productcert/pdf/ssa-58363...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 9, 2024
Vulnerability Reserved
Sep 14, 2023