Siemens bug could have allowed unauthorised control over device

A recently patched vulnerability in Siemens energy automation systems could have allowed an attacker to gain unauthorised control of the device.

The Siemens SICAM MIC, a small telecontrol system that includes an integrated Web server among several other features and functions, contains an authentication bypass vulnerability that could allow an attacker to perform administrative operations under the right circumstances.

"Attackers with network access to the device's web interface (port 80/tcp) could possibly circumvent authentication and perform administrative operations. A legitimate user must be logged into the web interface for the attack to be successful," according to the advisory.

All versions prior to the Siemens V2404 firmware update are at risk. The update contains other security patches as well.

Researcher Philippe Oechslin of Objectif Sécurité discovered and disclosed the vulnerability to the company and an update correcting the flaw was released this Tuesday.