Holes Found in Siemens WinCC

Tuesday, September 13, 2011 @ 04:09 PM gHale

A memory corruption vulnerability has been found in the WinCC Runtime Advanced Loader, a component of Siemens SIMATIC WinCC flexible and TIA Portal.

Independent security researchers Billy Rios and Terry McCorkle found the vulnerability and are coordinating the issue with ICS-CERT and Siemens.

Siemens has not issued a patch for this vulnerability, but the industrial automation giant has provided recommended mitigations to help asset owners protect their systems. ICS-CERT originally released an advisory on Sept. 1 but delayed public notice to give asset owners time to apply the recommended mitigations.

The following software packages are vulnerable: Siemens SIMATIC WinCC flexible Runtime, and Siemens SIMATIC WinCC (TIA Portal) Runtime Advanced.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the targeted human-machine interface (HMI) system.

Siemens SIMATIC WinCC flexible and WinCC (TIA Portal) Runtime Advanced are software packages used for visualization and operator control of machines in small systems. These products run on standard PCs or on Siemens panel PCs. The software is used in industries such as food and beverage, water and wastewater, oil and gas, and chemical.

The vulnerability itself: the runtime loader does not properly validate input received on 2308/TCP. A specially crafted packet can corrupt memory, causing a denial of service; remote code execution may also be possible.

The vulnerability is remotely exploitable only if the system has been configured with the WinCC flexible Runtime Loader or the WinCC (TIA Portal) Runtime Advanced Loader enabled.

Siemens will not patch this vulnerability. The WinCC flexible Runtime Loader and WinCC (TIA Portal) Runtime Advanced Loader are disabled by default and are used only when updating firmware. Siemens has updated the product documentation to advise users to keep the loader disabled except while a firmware update is in progress.

Siemens recommends that customers protect control systems according to the Control Systems Security Program (CSSP) recommended security practices and configure their environment according to the Siemens operational guidelines. Users should monitor network traffic to 2308/TCP and restrict which hosts can reach the WinCC system.
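One way to act on that monitoring advice is to watch firewall or flow logs for any TCP connection to 2308 on an HMI and raise an alert unless it comes from an approved engineering workstation during a declared maintenance window (the only time the loader should be enabled). The script below is an added example, not code from the article, Siemens or ICS-CERT; the log line format, host addresses and the engineering allowlist are assumptions, and the sample log lines are constructed.

```python
"""Flag connections to the WinCC Runtime Loader port (2308/TCP) that are not
expected: unknown sources, or approved sources outside a maintenance window.

Added example, not code from the original article or from Siemens/ICS-CERT.
The log format, host names and addresses are assumptions: the lines below are
constructed to resemble a generic firewall/flow export of the form
"<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>".
"""
import re
import socket
from datetime import datetime

LOADER_PORT = 2308  # WinCC flexible / TIA Portal Runtime Advanced Loader port

# Assumed: engineering workstations that legitimately push firmware updates.
APPROVED_SOURCES = {"10.10.1.50", "10.10.1.51"}

# Assumed: HMI panel PCs running WinCC Runtime Advanced.
HMI_HOSTS = {"10.10.2.10", "10.10.2.11"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP) (?P<action>ALLOW|DENY)$"
)


def parse_line(line):
    """Return the parsed fields, or None if the line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def loader_alerts(lines, approved=APPROVED_SOURCES, hmis=HMI_HOSTS, maintenance=False):
    """Return (timestamp, src, dst, reason) tuples for unexpected loader traffic.

    Policy (assumed, mirroring the advice to monitor 2308/TCP and control
    traffic to the WinCC host):
      - any source not in the engineering allowlist is an alert, even if the
        firewall denied the attempt, since a probe is worth knowing about;
      - an approved source outside a declared maintenance window is also an
        alert, because the loader should be disabled except during updates.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != LOADER_PORT:
            continue
        if rec["dst"] not in hmis:
            continue
        if rec["src"] not in approved:
            alerts.append((rec["ts"], rec["src"], rec["dst"], "unapproved source"))
        elif not maintenance:
            alerts.append((rec["ts"], rec["src"], rec["dst"],
                           "loader traffic outside maintenance window"))
    return alerts


def loader_port_open(host, port=LOADER_PORT, timeout=2.0):
    """Live check that the loader really is disabled on an HMI you own:
    True if a TCP connect to the port succeeds. Not run by the offline sample."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2011-09-13 10:00:01 10.10.1.50:51000 -> 10.10.2.10:2308 TCP ALLOW",  # engineering host
    "2011-09-13 10:00:05 10.10.3.7:40222 -> 10.10.2.10:2308 TCP ALLOW",   # unknown source
    "2011-09-13 10:00:09 10.10.3.7:40223 -> 10.10.2.11:2308 TCP DENY",    # denied probe
    "2011-09-13 10:00:12 10.10.1.50:51001 -> 10.10.2.10:80 TCP ALLOW",    # not the loader port
    "2011-09-13 10:00:15 10.10.1.51:51002 -> 10.10.5.1:2308 TCP ALLOW",   # 2308 but not an HMI
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, src, dst, why in loader_alerts(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {src} -> {dst}:{LOADER_PORT}  {why}")
```

Run against the sample with no maintenance window declared, the script reports three alerts: the engineering host's own connection (the loader should not have been reachable), and the two attempts from the unknown host, one of which the firewall denied. Passing `maintenance=True` suppresses the first and leaves the two unapproved-source alerts.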
