Siemens Advisory on Mitigating PLC Holes

Wednesday, December 14, 2016 @ 10:12 AM gHale

Siemens released a security advisory on how to mitigate a password leak and denial-of-service (DoS) vulnerabilities in its S7-300 and S7-400 programmable logic controllers (PLCs), according to a report with ICS-CERT.

These vulnerabilities, discovered by Zhu WenZhe from Beijing Acorn Network Technology, are remotely exploitable.

RELATED STORIES
INTERSCHALT Clears Path Traversal
Adcon Mitigates Gateway Issues
Sauter Won’t Update NovaWeb Hole
Moxa Clears Session Hijack Holes

The vulnerabilities affect the following versions of SIMATIC PLC family:
• SIMATIC S7-300 CPU family: All versions
• SIMATIC S7-400 CPU family: All versions

Successful exploitation of these vulnerabilities could lead to a DoS condition or result in credential disclosure.

Siemens is a multinational company headquartered in Munich, Germany.

The affected products, SIMATIC S7-300 and S7-400 PLC family, work in process control in industrial environments. SIMATIC S7-300 and S7-400 PLCs see action across several sectors including chemical, energy, food and agriculture, and water and wastewater systems. Siemens said these products see use on a global basis.

An attacker with network access to Port 102/TCP (ISO-TSAP) could obtain credentials from the PLC if Protection-level 2 ends up configured on the affected devices. This vulnerability affects all listed affected products.

CVE-2016-9159 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, specially crafted packets sent to Port 80/TCP could cause the affected devices to go into defect mode. A cold restart would end up required to recover the system. This vulnerability affects all SIMATIC S7-300 PN CPUs, and all SIMATIC S7-400 PN V6 and V7 CPUs.

CVE-2016-9158 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill would be able to exploit these vulnerabilities.

Siemens recommends the following mitigations:
• Deactivate the web server
• Apply Protection-level 3 read/write protection
• Apply cell protection concept
• Apply defense-in-depth strategies
• Use VPN for protecting network communication between cells

Siemens recommends users protect network access with appropriate mechanisms like firewalls, segmentation and a VPN. Siemens also said users should configure the operational environment according to Siemens’ Operational Guidelines for Industrial Security.

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-731239.



Leave a Reply

You must be logged in to post a comment.