Siemens Fixes Mobile App Vulnerabilities

Tuesday, March 10, 2015 @ 05:03 PM gHale


Siemens created a new mobile application called SPC Connect that mitigates vulnerabilities in its SPCanywhere mobile application, according to a report on ICS-CERT.

Some of these vulnerabilities are remotely exploitable; others require local access. Karsten Sohr, Bernhard Berger, and Kai Hillmann from TZI-Bremen, Kim Schlyter, Seyton Bradford, and Richard Warren from FortConsult, and Stefan Schuhmann discovered the vulnerabilities.

The following SPCanywhere versions suffer from the issue:
• SPCanywhere Android Application: All versions, and
• SPCanywhere iOS Application: All versions.

An attacker exploiting these vulnerabilities may be able to capture or modify privileged information, inject code, or bypass access control.

Siemens is a multinational company headquartered in Munich, Germany.

The affected product, SPCanywhere, is a mobile application that allows users to access Siemens SPC intrusion alarm systems remotely via mobile phone. It allows users to view and control several sites, enable or disable SPC intrusion alarm systems, open doors, control outputs, and check the status of the installation. SPCanywhere is used primarily in building automation. Siemens estimates that these products are used worldwide.

The affected mobile application performs unencrypted system ID to IP address lookups. This could allow attackers to obtain the IP address of an intrusion alarm system and to redirect users if the attacker has a privileged network position. This vulnerability affects the Android and iOS versions of SPCanywhere.

CVE-2015-1595 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

Improper SSL certificate validation could allow an attacker to capture or modify data in sessions protected with SSL/TLS if the attacker has a privileged network position. This vulnerability affects the Android and iOS versions of SPCanywhere.

CVE-2015-1596 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

Unencrypted code loading could allow attackers to inject code and to perform actions on the mobile device based on the application's privileges. An attacker requires a privileged network position to exploit this vulnerability. This vulnerability affects the Android version of SPCanywhere.

CVE-2015-1597 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.8.

The existing storage mechanism for the application-specific password could allow attackers with physical access to the mobile device to extract the password. This vulnerability affects the Android version of SPCanywhere.

CVE-2015-1598 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.

The existing file system architecture could allow attackers to bypass the access control of SPCanywhere if an attacker has physical access. This vulnerability affects the iOS version of SPCanywhere.

CVE-2015-1599 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 2.1.

No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit some of these vulnerabilities; others require more skill.

Siemens released a new solution that includes a new portal, the new firmware update for controller devices, and a new mobile application, SPC Connect, for Android and iOS. The new solution fixes all of the vulnerabilities listed above. Siemens strongly recommends all users migrate to the new solution.

For a smooth transition, SPCanywhere will continue to be available in the mobile application stores for a few more months. It will then be removed from the Apple App Store and Google Play Store.

The new app SPC Connect for Android is available via Google’s Play Store.

The new app SPC Connect for iOS is available via Apple’s App Store.

Click here for further information on the new solution SPC Connect.

Registered users can click here to obtain the new controller firmware version.

For more information on these vulnerabilities and detailed instructions, please see Siemens Security Advisory SSA-185226.


