Secure Element Vulnerability Exposes Password and Update Files to Physical Attack

CVE-2024-53832

4.6MEDIUM

Key Information

Vendor: Siemens
Status: Cpci85 Central Processing/communication
Vendor: CVE Published:; 10 December 2024

Summary

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V05.30). The affected devices contain a secure element which is connected via an unencrypted SPI bus. This could allow an attacker with physical access to the SPI bus to observe the password used for the secure element authentication, and then use the secure element as an oracle to decrypt all encrypted update files.

Affected Version(s)

CPCI85 Central Processing/Communication < 0

Refferences

https://cert-portal.siemens.com/productcert/html/ssa-1283...

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Physical

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 10, 2024
Vulnerability Reserved
Nov 22, 2024

Collectors

NVD DatabaseMitre Database