Siemens has disclosed an Incorrect Authorization vulnerability, tracked as CVE-2023-45793, in Siveillance Control. Affected are versions from V2.8 onward that predate the fixed release V3.1.1. The flaw carries a CVSS v4 base score of 6.8, which is medium rather than critical severity, but it is significant because a locally logged-on user could gain write privileges on objects for which they hold only read permission, escalating their privileges within the system. No remote vector is described: an attacker must already be able to log on to the host.
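The class of defect is an authorization check that confirms the caller has some access to an object but not the specific permission the requested operation needs, so a read-only principal is allowed to write. The following is an added, constructed illustration of that pattern and its fix; it is not Siveillance Control code, Siemens has not published the product's actual defect, and the object names, ACL model and function names are assumptions for the example.

```python
"""Constructed illustration of an incorrect-authorization (CWE-863) pattern:
the vulnerable writer accepts any principal that appears in the object's ACL,
the fixed writer requires the permission the operation actually needs.
This is not Siveillance Control code and does not describe its real defect."""
from dataclasses import dataclass, field
from enum import Flag, auto


class Perm(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()


@dataclass
class ManagedObject:
    name: str
    value: str
    acl: dict = field(default_factory=dict)  # user -> Perm (assumed model)


class AuthorizationError(PermissionError):
    pass


def write_object_vulnerable(user: str, obj: ManagedObject, new_value: str) -> None:
    """BUG: only checks that the user has *some* permission on the object."""
    if obj.acl.get(user, Perm.NONE) == Perm.NONE:
        raise AuthorizationError(f"{user} has no access to {obj.name}")
    obj.value = new_value


def write_object_fixed(user: str, obj: ManagedObject, new_value: str) -> None:
    """Check the operation-specific permission: READ alone must not allow a write."""
    if Perm.WRITE not in obj.acl.get(user, Perm.NONE):
        raise AuthorizationError(f"{user} lacks WRITE on {obj.name}")
    obj.value = new_value


def writable_without_write_perm(user: str, objects: list, writer) -> list:
    """Audit helper: names of objects the user can modify through `writer`
    even though the ACL grants them READ but not WRITE."""
    escalated = []
    for obj in objects:
        perms = obj.acl.get(user, Perm.NONE)
        if Perm.READ in perms and Perm.WRITE not in perms:
            try:
                writer(user, obj, obj.value)  # write back the same value
                escalated.append(obj.name)
            except AuthorizationError:
                pass
    return escalated


def sample_objects() -> list:
    """Constructed inventory: 'operator' is read-only on the controller,
    read/write on the log, and absent from the zone-config ACL."""
    return [
        ManagedObject("door-controller-1", "locked",
                      {"admin": Perm.READ | Perm.WRITE, "operator": Perm.READ}),
        ManagedObject("event-log", "[]",
                      {"admin": Perm.READ | Perm.WRITE,
                       "operator": Perm.READ | Perm.WRITE}),
        ManagedObject("zone-config", "default",
                      {"admin": Perm.READ | Perm.WRITE}),
    ]


if __name__ == "__main__":
    print("vulnerable:", writable_without_write_perm("operator", sample_objects(),
                                                     write_object_vulnerable))
    print("fixed:     ", writable_without_write_perm("operator", sample_objects(),
                                                     write_object_fixed))
```

The audit helper is the check a practitioner would want to run against their own authorization layer: enumerate principals that hold read but not write on each object, attempt a no-op write as that principal, and treat any success as a finding.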
Siemens recommends updating to Siveillance Control V3.1.1 or later. Until that is done, the workaround is to restrict who can log on to the device hosting the frontend, since the flaw is only reachable by a local user; reviewing local accounts and interactive-logon rights on that host is the practical check. Siemens also points to its general guidance: secure network access to the system, follow its operational guidelines for industrial security, and apply its recommended defense-in-depth measures. Operators should confirm the installed version, assess the impact for their deployment, and deploy the patch or the access restriction accordingly.
The advisory was coordinated between Siemens and CISA, which reflects the product's use in critical infrastructure sectors. The patch and the local-access restriction are the immediate actions; the remaining recommendations belong in the operator's ongoing industrial control system security program.