Siemens device PIN susceptible to remote brute-force in older model

Siemens disclosed a critical vulnerability in an old power measuring device that enables a remote attacker to gain administrator access by brute-forcing a four-digit PIN.

The flaw, tracked as CVE-2024-41798, affects the SENTRON 7KM PAC3200 model of energy monitoring devices and has a CVSS score of 9.3. Because the SENTRON 7KM PAC3200 has been a cancelled product since 2019, no fix is planned for the critical flaw.

Siemens SENTRON 7KM PAC3200 devices are protected only by a four-digit PIN with no defense against brute-force attacks, in which every possible PIN combination (10,000 combinations) is attempted until access is gained.

The vulnerable devices can be accessed remotely via a Modbus TCP interface, which communicates with the devices in cleartext (without encryption). An attacker with access to the Modbus TCP interface could therefore not only brute-force the PIN to gain access, but also potentially monitor, or “sniff,” communications to the SENTRON 7KM PAC3200 to capture the PIN and ultimately gain access.

According to an FAQ page on the PAC3200, a PIN is needed to change device settings, change or delete values or parameters, delete data and memory content, set and reset energy counts, and reset the device to factory settings. The FAQ also includes a note that the PIN is “not a security mechanism” and is solely designed to protect against unintentional operating errors.

With no patch available for CVE-2024-41798, users are urged to protect network access to the devices and follow Siemens’ guidelines for industrial security. To eliminate the flaw, users will need to replace the older model with the successor product, SENTRON 7KM PAC3220, which disables administrative write access from the remote interface and extends protection against brute-force attacks.
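One way to watch for this exposure while affected meters remain in service, as an added example that is not from Siemens or the original article: the script scans Modbus TCP log lines for clients outside an allowlist and for bursts of write requests to a meter. The log format, addresses, threshold and the assumption that repeated PIN attempts surface as write requests are illustrative; the article does not describe how the PIN is submitted.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MODBUS_PORT = 502
WRITE_FCS = {5, 6, 15, 16}      # standard Modbus write function codes
ALLOWED = {"10.0.5.10"}         # assumed authorized Modbus client (constructed)
WINDOW = timedelta(seconds=60)
MAX_WRITES = 20                 # assumed per-window threshold; tune per site

def parse(line):
    """Parse 'ts src=.. dst=.. dport=.. fc=..' (constructed log format)."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), f["src"], f["dst"], int(f["dport"]), int(f["fc"])

def detect(lines, meters):
    """Return ordered, de-duplicated (kind, src, dst) alerts for the meters."""
    alerts = {}                       # dict keeps insertion order, drops repeats
    recent = defaultdict(deque)       # (src, dst) -> timestamps of recent writes
    for line in lines:                # lines are assumed to be in time order
        ts, src, dst, dport, fc = parse(line)
        if dport != MODBUS_PORT or dst not in meters:
            continue
        if src not in ALLOWED:
            alerts.setdefault(("unauthorized_client", src, dst))
        if fc in WRITE_FCS:
            q = recent[(src, dst)]
            q.append(ts)
            while ts - q[0] > WINDOW:  # slide the window forward
                q.popleft()
            if len(q) > MAX_WRITES:
                alerts.setdefault(("write_burst", src, dst))
    return list(alerts)

# Constructed sample: the allowed client polls and writes once; an unknown
# host sends 30 single-register writes one second apart.
T0 = datetime(2024, 10, 10, 12, 0, 0)
def _line(i, src, fc, dport=502):
    ts = (T0 + timedelta(seconds=i)).isoformat()
    return f"{ts} src={src} dst=10.0.9.10 dport={dport} fc={fc}"

SAMPLE = ([_line(i, "10.0.5.10", 3) for i in range(5)]
          + [_line(5, "10.0.5.10", 16), _line(6, "10.0.7.99", 3, dport=443)]
          + [_line(10 + i, "10.0.7.99", 6) for i in range(30)])

if __name__ == "__main__":
    for alert in detect(SAMPLE, meters={"10.0.9.10"}):
        print(alert)
```

Because a four-digit PIN allows only 10,000 combinations, the write threshold should sit well below that count and close to the site's normal write rate.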
