As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v4 5.1
- ATTENTION: Low attack complexity
- Vendor: Siemens
- Equipment: SENTRON 7KM PAC3120, SENTRON 7KM PAC3220
- Vulnerability: Improper Access Control
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attacker to read out the data from the internal flash of affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens SENTRON 7KM PAC3120 and PAC3220, power measuring devices, are affected:
- SENTRON 7KM PAC3120 AC/DC (7KM3120-0BA01-1DA0): Versions V3.2.3 and after but before V3.3.0 only when manufactured between LQN231003… and LQN231215… (with LQNYYMMDD…)
- SENTRON 7KM PAC3120 DC (7KM3120-1BA01-1EA0): Versions V3.2.3 and after but before V3.3.0 only when manufactured between LQN231003… and
LQN231215… (with LQNYYMMDD…) - SENTRON 7KM PAC3220 AC/DC (7KM3220-0BA01-1DA0): Versions V3.2.3 and after but before V3.3.0 only when manufactured between LQN231003… and LQN231215… (with LQNYYMMDD…)
- SENTRON 7KM PAC3220 DC (7KM3220-1BA01-1EA0): Versions V3.2.3 and after but before V3.3.0 only when manufactured between LQN231003… and
LQN231215… (with LQNYYMMDD…)
3.2 Vulnerability Overview
3.2.1 IMPROPER ACCESS CONTROL CWE-284
The read out protection of the internal flash of affected devices was not properly set at the end of the
manufacturing process. An attacker with physical access to the device could read out the data.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: