Mitigations for Siemens Industrial Plant Clocks

Tuesday, July 3, 2018 @ 03:07 PM gHale

Siemens has mitigations in place to clear up vulnerabilities in its SICLOCK TC100 and SICLOCK TC400, according to a report on its CERT portal.

The vulnerabilities, rated critical, affect all versions of both products.


Siemens SICLOCK devices synchronize time in industrial plants. The central plant clock ensures stability in case of a failure or loss of reception at the primary time source.

SICLOCK systems are affected by six vulnerabilities. The security holes have been assigned the CVE identifiers CVE-2018-4851 through CVE-2018-4856.

Since the SICLOCK TC100 and SICLOCK TC400 are in the process of being phased out, Siemens has not released any firmware updates, and instead advised customers to apply a series of workarounds and mitigations that should reduce the risk of attacks.

Mitigations include installing redundant time sources, implementing plausibility checks for critical controllers in the plant, and protecting network access to the affected devices.
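One way to implement the plausibility check Siemens recommends for critical controllers, as an added example that is not Siemens' code: readings from the plant clock and the redundant NTP/GPS sources are compared against a median consensus, and the primary clock is followed only while it agrees with that majority. The source names, offsets and tolerance below are constructed.

```python
"""Plausibility check for a plant-clock time source against redundant sources.

Constructed example (not Siemens' code): each reading is the offset of a time
source from the controller's local clock. The primary plant clock is trusted
only while it agrees with the majority of redundant sources within a tolerance.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class TimeReading:
    source: str       # constructed name, e.g. "siclock-primary", "ntp-backup-1"
    offset_s: float   # source time minus local controller time, in seconds
    stratum: int      # NTP-style stratum; 0 = unsynchronised / no GPS fix


@dataclass(frozen=True)
class PlausibilityResult:
    consensus_offset_s: float
    accepted: tuple          # sources within tolerance of the consensus
    rejected: tuple          # sources that disagree or are unsynchronised
    primary_trusted: bool    # may the controller follow the primary clock?


def check_plausibility(readings, primary, tolerance_s=0.5, min_sources=3):
    """Vote among redundant sources; a single jumping or rebooting clock
    cannot drag the median. With fewer than `min_sources` valid readings the
    controller should free-run on its last good time rather than trust anyone."""
    valid = [r for r in readings if r.stratum > 0]
    invalid = tuple(r.source for r in readings if r.stratum == 0)
    if len(valid) < min_sources:
        return PlausibilityResult(0.0, (), tuple(r.source for r in readings), False)
    consensus = median(r.offset_s for r in valid)
    accepted = tuple(r.source for r in valid if abs(r.offset_s - consensus) <= tolerance_s)
    rejected = tuple(r.source for r in valid if abs(r.offset_s - consensus) > tolerance_s)
    return PlausibilityResult(consensus, accepted, rejected + invalid, primary in accepted)


# Constructed sample: the primary clock has jumped 90 s while three backup NTP
# sources still agree with each other, and the GPS receiver has lost reception.
SAMPLE = [
    TimeReading("siclock-primary", 90.0, 1),
    TimeReading("ntp-backup-1", 0.02, 2),
    TimeReading("ntp-backup-2", -0.01, 2),
    TimeReading("gps-receiver", 0.0, 0),   # stratum 0: excluded from the vote
    TimeReading("ntp-backup-3", 0.03, 2),
]

if __name__ == "__main__":
    print(check_plausibility(SAMPLE, primary="siclock-primary"))
```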

Three of the flaws have been classified as critical.

One of them allows an attacker with access to the network to cause the targeted device to enter a denial-of-service (DoS) condition – and possibly reboot – by sending it specially crafted packets.

The core functionality of the device could be impacted by such an attack. The time-serving functionality recovers once time synchronization with GPS devices or other NTP servers is completed, Siemens said in its advisory.

Another critical vulnerability can be exploited by an attacker with access to UDP port 69 to modify the firmware on a targeted SICLOCK device. Access to the same port is also required for the exploitation of a different critical flaw that allows an attacker to modify the administrative client stored on the device and execute arbitrary code.

A high severity flaw disclosed by Siemens can allow a network attacker to bypass authentication, but exploitation requires the attacker to obtain specific information about the targeted device.

The remaining security holes are a medium severity issue that allows a man-in-the-middle (MitM) attacker to intercept unencrypted passwords stored in client configuration files, and a low severity bug that can be exploited by an attacker with admin access to the management interface to lock out legitimate users.

Four of the six vulnerabilities can be exploited without any user interaction.

Siemens said it is not aware of any cases in which these flaws have been exploited.

As a general security measure, Siemens recommends protecting network access to the devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security.
