Vulnerabilities > CVE-2022-29878 - Authentication Bypass by Capture-replay vulnerability in Siemens products

CVSS 6.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

siemens

CWE-294

NVD

Published: 2022-05-20

Updated: 2022-06-02

Summary

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). Affected devices use a limited range for challenges that are sent during the unencrypted challenge-response communication. An unauthenticated attacker could capture a valid challenge-response pair generated by a legitimate user, and request the webpage repeatedly to wait for the same challenge to reappear for which the correct response is known. This could allow the attacker to access the management interface of the device.

Vulnerable Configurations

Part	Description	Count
OS	Siemens Siemens 7Kg8500 0Aa00 0Aa0 Firmware - Siemens 7Kg8500 0Aa00 2Aa0 Firmware - Siemens 7Kg8500 0Aa10 0Aa0 Firmware - Siemens 7Kg8500 0Aa10 2Aa0 Firmware - Siemens 7Kg8500 0Aa30 0Aa0 Firmware - Siemens 7Kg8500 0Aa30 2Aa0 Firmware - Siemens 7Kg8501 0Aa01 0Aa0 Firmware - Siemens 7Kg8501 0Aa01 2Aa0 Firmware - Siemens 7Kg8501 0Aa02 0Aa0 Firmware - Siemens 7Kg8501 0Aa02 2Aa0 Firmware - Siemens 7Kg8501 0Aa11 0Aa0 Firmware - Siemens 7Kg8501 0Aa11 2Aa0 Firmware - Siemens 7Kg8501 0Aa12 0Aa0 Firmware - Siemens 7Kg8501 0Aa12 2Aa0 Firmware - Siemens 7Kg8501 0Aa31 0Aa0 Firmware - Siemens 7Kg8501 0Aa31 2Aa0 Firmware - Siemens 7Kg8501 0Aa32 0Aa0 Firmware - Siemens 7Kg8501 0Aa32 2Aa0 Firmware - Siemens 7Kg8550 0Aa00 0Aa0 Firmware - Siemens 7Kg8550 0Aa00 2Aa0 Firmware - Siemens 7Kg8550 0Aa10 0Aa0 Firmware - Siemens 7Kg8550 0Aa10 2Aa0 Firmware - Siemens 7Kg8550 0Aa30 0Aa0 Firmware - Siemens 7Kg8550 0Aa30 2Aa0 Firmware - Siemens 7Kg8551 0Aa01 0Aa0 Firmware - Siemens 7Kg8551 0Aa01 2Aa0 Firmware - Siemens 7Kg8551 0Aa02 0Aa0 Firmware - Siemens 7Kg8551 0Aa02 2Aa0 Firmware - Siemens 7Kg8551 0Aa11 0Aa0 Firmware - Siemens 7Kg8551 0Aa11 2Aa0 Firmware - Siemens 7Kg8551 0Aa12 0Aa0 Firmware - Siemens 7Kg8551 0Aa12 2Aa0 Firmware - Siemens 7Kg8551 0Aa31 0Aa0 Firmware - Siemens 7Kg8551 0Aa31 2Aa0 Firmware - Siemens 7Kg8551 0Aa32 0Aa0 Firmware - Siemens 7Kg8551 0Aa32 2Aa0 Firmware -	36
Hardware	Siemens Siemens 7Kg8500 0Aa00 0Aa0 - Siemens 7Kg8500 0Aa00 2Aa0 - Siemens 7Kg8500 0Aa10 0Aa0 - Siemens 7Kg8500 0Aa10 2Aa0 - Siemens 7Kg8500 0Aa30 0Aa0 - Siemens 7Kg8500 0Aa30 2Aa0 - Siemens 7Kg8501 0Aa01 0Aa0 - Siemens 7Kg8501 0Aa01 2Aa0 - Siemens 7Kg8501 0Aa02 0Aa0 - Siemens 7Kg8501 0Aa02 2Aa0 - Siemens 7Kg8501 0Aa11 0Aa0 - Siemens 7Kg8501 0Aa11 2Aa0 - Siemens 7Kg8501 0Aa12 0Aa0 - Siemens 7Kg8501 0Aa12 2Aa0 - Siemens 7Kg8501 0Aa31 0Aa0 - Siemens 7Kg8501 0Aa31 2Aa0 - Siemens 7Kg8501 0Aa32 0Aa0 - Siemens 7Kg8501 0Aa32 2Aa0 - Siemens 7Kg8550 0Aa00 0Aa0 - Siemens 7Kg8550 0Aa00 2Aa0 - Siemens 7Kg8550 0Aa10 0Aa0 - Siemens 7Kg8550 0Aa10 2Aa0 - Siemens 7Kg8550 0Aa30 0Aa0 - Siemens 7Kg8550 0Aa30 2Aa0 - Siemens 7Kg8551 0Aa01 0Aa0 - Siemens 7Kg8551 0Aa01 2Aa0 - Siemens 7Kg8551 0Aa02 0Aa0 - Siemens 7Kg8551 0Aa02 2Aa0 - Siemens 7Kg8551 0Aa11 0Aa0 - Siemens 7Kg8551 0Aa11 2Aa0 - Siemens 7Kg8551 0Aa12 0Aa0 - Siemens 7Kg8551 0Aa12 2Aa0 - Siemens 7Kg8551 0Aa31 0Aa0 - Siemens 7Kg8551 0Aa31 2Aa0 - Siemens 7Kg8551 0Aa32 0Aa0 - Siemens 7Kg8551 0Aa32 2Aa0 -	36

Common Weakness Enumeration (CWE)

CWE-294 - Authentication Bypass by Capture-replay

Common Attack Pattern Enumeration and Classification (CAPEC)

Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
Man in the Middle Attack
This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-165073.pdf