German engineering company Siemens has addressed two information disclosure vulnerabilities that affect some of its automation software.
On Thursday, the company published a security advisory (PDF) about the two vulnerabilities:
“Two information disclosure vulnerabilities in SICAM PAS could allow authenticated local operating system users to obtain sensitive information under certain conditions.”
SICAM PAS is an energy automation solution that assists in the operation of an electrical substation.
The first vulnerability (CVE-2016-5848) could allow an authenticated attacker to reconstruct passwords for SICAM PAS users. The flaw has received a CVSS Base Score of 2.3 and affects all versions of SICAM PAS that predate version 8.07.
The second vulnerability (CVE-2016-5849) could allow an attacker to gain access to sensitive configuration information from the automation software if the SICAM PAS database is in a stopped state. That bug has received a CVSS Base Score of 2.5, and it affects all versions of SICAM PAS.
For an attacker to exploit either of those vulnerabilities, they must have local access and certain privileges to a SICAM PAS system, or the database must be in a stopped state.
Ilya Karpov from Positive Technologies discovered the first vulnerability. He also identified the second vulnerability with the help of Dmitry Sklyarov.
Siemens customers can protect themselves against the first vulnerability by upgrading to SICAM PAS version 8.07.
As of this writing, the German engineering company is still working on a fix to address the second information disclosure vulnerability. Customers are urged to contact the Siemens Energy Customer Support Center to learn how they can manually fix the flaw on existing installations of SICAM PAS in the meantime.
News of these vulnerabilities follows a few weeks after Siemens patched a denial-of-service (DoS) bug and a weakly protected credentials vulnerability affecting some of its SIMATIC controllers.