Siemens Fixes for SIMATIC Holes

Tuesday, January 31, 2012 @ 03:01 PM gHale


There are now mitigation strategies for the vulnerabilities in the Siemens SIMATIC WinCC Human-Machine Interface (HMI) application, according to a report from ICS-CERT.

ICS-CERT coordinated the vulnerabilities with security researchers Billy Rios, Terry McCorkle, Shawn Merdinger, and Luigi Auriemma, and with Siemens.


Siemens said the following software packages are vulnerable:
• WinCC flexible versions 2004, 2005, 2007, 2008
• WinCC V11 (TIA portal)
• Multiple SIMATIC HMI panels (TP, OP, MP, Comfort Panels, Mobile Panels)
• WinCC V11 Runtime Advanced
• WinCC flexible Runtime.

Conversely, Siemens said the following related products do not suffer from the vulnerabilities:
• WinCC V11 (TIA Portal) Basic
• WinCC V11 (TIA Portal) Runtime Professional
• WinCC V6.x and V7.x.

Successful exploitation of these vulnerabilities could allow an attacker to log on to a vulnerable system as a user or administrator with the ability to execute arbitrary code or obtain full access to files on the system.

Siemens SIMATIC HMI is a software package used as an interface between the operator and the programmable logic controllers (PLCs) controlling the process. SIMATIC HMI performs the following tasks: process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. The software is used in the food and beverage, water and wastewater, oil and gas, and chemical industries.

The following are descriptions of the vulnerabilities:
INSECURE AUTHENTICATION TOKEN GENERATION
When a user (or administrator) logs on, the application sets predictable authentication token/cookie values. Because the values can be predicted, an attacker can forge a valid token without knowing any credentials, bypass authentication checks, and escalate privileges.

CVE-2011-4508 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.
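Why predictable tokens are an authentication bypass, as an added Python example that is not part of the ICS-CERT advisory or of Siemens' code: the weak issuer below hands out a login counter rendered as hex (a constructed scheme for illustration, not a description of how the affected product generated its tokens), and predict_next shows how an attacker who has observed three of their own tokens derives the one that will be handed to the next user. The strong issuer draws 128 bits from the OS CSPRNG per token, and the same prediction fails.

```python
import secrets


class WeakTokenIssuer:
    """Constructed weak scheme: the token is a login counter rendered as hex.
    Illustration only; not the scheme used by the affected product."""

    def __init__(self, start=1000):
        self.counter = start

    def issue(self):
        self.counter += 1
        return f"{self.counter:08x}"


class StrongTokenIssuer:
    """128 bits from the OS CSPRNG per token (secrets.token_hex)."""

    def issue(self):
        return secrets.token_hex(16)


def predict_next(observed):
    """Attacker's view: given tokens observed in order, return the token that
    will be issued next if the sequence advances by a constant step, else None.
    Three samples are enough to confirm a fixed step."""
    if len(observed) < 3:
        return None
    try:
        values = [int(t, 16) for t in observed]
    except ValueError:
        return None
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) != 1:
        return None
    step = steps.pop()
    width = len(observed[-1])
    return f"{values[-1] + step:0{width}x}"


def attacker_wins(issuer, samples=3):
    """Observe `samples` tokens (the attacker's own logins), predict the next
    one, then compare with what the issuer actually hands the next user."""
    observed = [issuer.issue() for _ in range(samples)]
    guess = predict_next(observed)
    victim_token = issuer.issue()
    return guess is not None and guess == victim_token


if __name__ == "__main__":
    print("weak issuer predicted:", attacker_wins(WeakTokenIssuer()))      # True
    print("strong issuer predicted:", attacker_wins(StrongTokenIssuer()))  # False
```

The same test generalises to any token whose successive values are related by a cheap function (timestamps, PIDs, linear congruential generators): collect a handful of tokens from your own sessions and check whether the next one is computable. If it is, the token is not a credential.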

WEAK DEFAULT PASSWORDS
The default administrator password is weak and easily brute forced. Siemens changed the documentation to encourage users to change the password at first login.

CVE-2011-4509 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.

CROSS-SITE SCRIPTING VULNERABILITIES
The SIMATIC HMI Smart Options web server is vulnerable to two separate cross-site scripting attacks that may allow elevation of privileges, data theft, or service disruption.

CVE-2011-4510 and CVE-2011-4511 are the numbers assigned to these vulnerabilities. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 4.3.

HEADER INJECTION VULNERABILITY
The HMI web server is vulnerable to header injection that may allow elevation of privileges, data theft, or service disruption.

CVE-2011-4512 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 4.3.
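What a header injection against a web server looks like, as an added Python example that is not code from the page, from ICS-CERT or from Siemens: a redirect handler that splices a percent-decoded request parameter into the Location header lets an attacker-supplied %0d%0a terminate that header and append a cookie of their choosing plus a script body, which is how the "elevation of privileges, data theft, or service disruption" outcomes arise. The hardened builder refuses control characters and external targets before the value ever reaches a header. The attack value and the handler are constructed for this illustration.

```python
from urllib.parse import quote, unquote


class HeaderInjection(ValueError):
    """Raised when a value meant for one header could start another header line."""


def build_redirect_vulnerable(target):
    """Splices the (already percent-decoded) parameter straight into the
    response. A CR/LF inside `target` ends the Location header early."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def build_redirect_hardened(target):
    """Reject control characters and external targets, then percent-encode
    what remains so it cannot be misread as header structure."""
    if any(ch in target for ch in "\r\n\0"):
        raise HeaderInjection("control character in header value")
    if not target.startswith("/") or target.startswith("//"):
        raise HeaderInjection("redirect target must be a local path")
    return f"HTTP/1.1 302 Found\r\nLocation: {quote(target, safe='/?=&')}\r\n\r\n"


def parse_response(raw):
    """Minimal HTTP/1.x response parser: returns (headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers, body


# Constructed attack value as it would arrive in a query string. The server
# percent-decodes it before use, which turns %0d%0a into a real CRLF.
ATTACK_TARGET = unquote(
    "/start.html%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a<script>alert(1)</script>"
)


if __name__ == "__main__":
    headers, body = parse_response(build_redirect_vulnerable(ATTACK_TARGET))
    print("injected header:", headers.get("Set-Cookie"), "| injected body:", body)
    try:
        build_redirect_hardened(ATTACK_TARGET)
    except HeaderInjection as exc:
        print("hardened builder refused:", exc)
```

The check belongs at the point where a value is written into a header, not in an input filter somewhere upstream, because the value may be decoded (or decoded twice) between the two places.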

CLIENT-SIDE ATTACK VIA SPECIALLY CRAFTED FILES
This vulnerability can allow an attacker to execute arbitrary code via specially crafted project files. This may require social engineering to get the operator to download the files and execute them.

CVE-2011-4513 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.

LACK OF TELNET DAEMON AUTHENTICATION
SIMATIC panels include a telnet daemon by default; however, the daemon does not include any authentication functions.

CVE-2011-4514 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.

STRING STACK OVERFLOW
The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is active but does not properly validate the length of data segments and Unicode strings, which may cause a stack overflow. This vulnerability may lead to remote code execution.

CVE-2011-4875 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.

DIRECTORY TRAVERSAL
The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is active but does not properly validate incoming strings. This allows an attacker full access (read, write, and execute) to any file within the file system.

CVE-2011-4876 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.

DENIAL OF SERVICE
The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not sufficiently validate incoming data. Multiple vulnerabilities allow a denial-of-service (DoS) attack, which leads to a program crash.

CVE-2011-4877 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 7.1.

DIRECTORY TRAVERSAL
The HMI web server does not properly validate URLs within HTTP requests on Ports 80/TCP and 443/TCP. By manipulating URLs with encoded backslashes, directory traversal is possible. This allows an attacker read access to all files within the file system.

CVE-2011-4878 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 7.8.
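How an encoded backslash defeats a naive traversal filter, as an added Python example (not code from the page, from ICS-CERT or from Siemens): the vulnerable resolver looks for the literal "../" in the raw URL and then hands the percent-decoded path to a filesystem that, like Windows, treats "\" as a separator, so "%5c..%5c" climbs out of the document root unnoticed. The hardened resolver decodes until the string is stable (so "%255c" is caught too), canonicalises, and only then checks that the result lies under the root. The document root, the filesystem model and the target file name are assumptions made for the illustration.

```python
from urllib.parse import unquote

# Assumed document root on the device, modelled as the path "\www" with the
# filesystem treating both "/" and "\" as separators (Windows semantics).
WEB_ROOT = ["", "www"]

# Constructed attack URL: every backslash is percent-encoded, so a filter that
# only looks for the literal "../" sees nothing. The target file name is made up.
ATTACK_URL = "/%5c..%5c..%5csystem%5cpasswords.txt"


def decode_and_split(url_path):
    """Percent-decode until the string stops changing (catches %255c -> %5c -> \\),
    then split on both separators and drop empty and "." segments."""
    decoded, previous = url_path, None
    while decoded != previous:
        previous, decoded = decoded, unquote(decoded)
    return [s for s in decoded.replace("\\", "/").split("/") if s not in ("", ".")]


def fs_resolve(segments):
    """What the filesystem does with the segments: ".." climbs one level and
    stops at the root; anything else descends."""
    parts = list(WEB_ROOT)
    for seg in segments:
        if seg == "..":
            if len(parts) > 1:
                parts.pop()
        else:
            parts.append(seg)
    return parts


def resolve_vulnerable(url_path):
    """Blacklist check on the raw URL, then the decoded path goes to the filesystem."""
    if "../" in url_path:
        raise PermissionError("traversal blocked")
    return "\\".join(fs_resolve(decode_and_split(url_path)))


def resolve_hardened(url_path):
    """Canonicalise first, then require the result to lie strictly under the root."""
    parts = fs_resolve(decode_and_split(url_path))
    if parts[: len(WEB_ROOT)] != WEB_ROOT or len(parts) == len(WEB_ROOT):
        raise PermissionError("outside web root")
    return "\\".join(parts)


if __name__ == "__main__":
    print("vulnerable serves:", resolve_vulnerable(ATTACK_URL))
    try:
        resolve_hardened(ATTACK_URL)
    except PermissionError as exc:
        print("hardened refuses:", exc)
```

The model above only covers the separator and encoding tricks named on the page. A real Windows filesystem also ignores trailing dots and spaces and accepts 8.3 short names, so in production the containment check should be made against the path the operating system itself canonicalises, not against a reimplementation.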

ARBITRARY MEMORY READ ACCESS
The HMI web server does not properly validate HTTP requests. By manipulating the first byte within a URL, the server switches to a special interpretation of the URL. This allows an attacker to read the application process memory and perform a DoS attack by specifying invalid memory locations.

CVE-2011-4879 is the number assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 8.5.

Only the client-side attack via specially crafted files requires user interaction: an attacker must use social engineering to convince the operator to accept and load the malformed file. The remaining vulnerabilities are remotely exploitable.

Publicly available exploits target some of the vulnerabilities, and all of them would be simple for a skilled attacker to exploit.

MITIGATIONS
Each of the reported vulnerabilities has been addressed by Siemens, as follows:
• Insecure authentication token generation, cross-site scripting, header injection vulnerability, HMI web server directory traversal, and arbitrary memory read access vulnerabilities. Patches are in Siemens’ WinCC V11 (TIA Portal) SP2 Update 1 and WinCC flexible 2008 SP3.
• Weak default passwords: The product documentation shipped with WinCC V11 (TIA Portal) SP2 Update 1 and WinCC flexible 2008 SP3 was updated to tell the user how to set a proper password during initial setup.
• Client-side attack via specially crafted files, runtime loader string stack overflow, runtime loader directory traversal, runtime loader DoS: Siemens recommends users deactivate transfer mode after device configuration, because transfer mode provides full access to the device. Transfer mode was designed under the assumption that the software would run in a protected industrial environment. Siemens strongly recommends users protect systems according to recommended security practices and configure the environment according to the operational guidelines.
• Lack of telnet daemon authentication: As telnet is a clear-text protocol, customers should be aware of the corresponding risks. Users have the option of disabling the telnet function on SIMATIC panels when telnet is not in use. The telnet daemon is disabled by default in WinCC flexible 2008 SP3 and newer, as well as WinCC V11 (TIA Portal) SP2 and newer.
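Two of the mitigations above are configuration changes on the panel (deactivating transfer mode, disabling telnet), and the way to confirm they took effect is to probe the ports the advisory names from the network. The following is an added Python check, not a Siemens or ICS-CERT tool: it attempts a TCP connection to 2308, 50523 and 23 on each panel and reports any that still accept connections. Because it runs offline here, it includes a constructed loopback listener standing in for an exposed panel; the port numbers come from the page, everything else is assumed.

```python
import socket
import threading

# Ports named in the advisory: runtime loader (transfer mode) and telnet.
TRANSFER_PORTS = (2308, 50523)
TELNET_PORT = 23


def port_open(host, port, timeout=1.0):
    """TCP connect probe; True if something accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def describe(port):
    """Map an open port to the mitigation it contradicts."""
    if port in TRANSFER_PORTS:
        return "transfer mode still active (runtime loader listening)"
    if port == TELNET_PORT:
        return "telnet daemon reachable"
    return "unexpected listener"


def audit_panel(host, ports=TRANSFER_PORTS + (TELNET_PORT,), timeout=1.0):
    """Probe each port and return {port: finding} for the ones that are open."""
    return {p: describe(p) for p in ports if port_open(host, p, timeout)}


def start_stub_listener():
    """Constructed stand-in for an exposed panel so the check runs offline: a
    loopback listener on an ephemeral port that accepts and drops connections.
    Returns (server socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def closed_loopback_port():
    """Reserve and immediately release an ephemeral port, giving a port that is
    (with high probability) not listening, for the negative case."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    srv, port = start_stub_listener()
    print("stub panel:", audit_panel("127.0.0.1", ports=(port,)))
    srv.close()
    # Against real panels, run e.g. audit_panel("10.0.0.12") per HMI address.
```

A connect probe only shows that the service is reachable. For telnet the page's point is that the daemon has no authentication at all, so on a panel where port 23 answers, connecting with a telnet client and seeing a prompt without any login step confirms the finding; deactivating transfer mode and disabling telnet should make both probes fail.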

Neither ICS-CERT nor the researchers who discovered the vulnerabilities have validated that the Siemens mitigations successfully resolve the reported vulnerabilities.
