Siemens Fixes SIMATIC WinCC Holes

Wednesday, October 8, 2014 @ 02:10 PM gHale


Siemens created an update that mitigates vulnerabilities in its SIMATIC WinCC application, according to a report on ICS-CERT.

Researchers Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai of Positive Technologies identified four of the five vulnerabilities, and an anonymous researcher identified the remaining one. All but one of the reported vulnerabilities are remotely exploitable.


The following Siemens products suffer from the issue:
• SIMATIC WinCC: all versions prior to Version 7.3
• SIMATIC PCS7 (as WinCC is incorporated): all versions prior to Version 8.1

Successful exploitation of these vulnerabilities may allow an attacker to obtain unauthorized access to sensitive data and allow unauthorized privilege escalation.

Siemens is a multinational company headquartered in Munich, Germany. Siemens develops products mainly in the energy, healthcare and public health, and transportation systems sectors.

SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system used to monitor and control physical processes involved in industry and infrastructure. This software is used in many industries, including food and beverage, water and wastewater, oil and gas, and chemical.

The SIMATIC WinCC WebNavigator server at Port 80/TCP and Port 443/TCP could allow unauthenticated access to sensitive data with specially crafted HTTP requests.

CVE-2014-4682 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

Existing access control settings of the WinCC WebNavigator server at Port 80/TCP and Port 443/TCP could allow remote authenticated users to escalate their privileges in WinCC.

CVE-2014-4683 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.9.

The database server of SIMATIC WinCC could allow authenticated users to escalate their privileges in the database if a specially crafted command goes out to the database server at Port 1433/TCP.

CVE-2014-4684 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.0.

Access permissions on system objects could allow a local user to obtain limited escalated privileges within the operating system.

CVE-2014-4685 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.

A hard-coded cryptographic key could allow privilege escalation in the WinCC Project administration application if an attacker is able to capture a legitimate user's network communication on Port 1030/TCP.

CVE-2014-4686 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.8.

These vulnerabilities can be exploited remotely, except for CVE-2014-4685, which requires an attacker to have local access to the system.

No known public exploits specifically target these vulnerabilities. An attacker with moderate to low skill would be able to exploit them.

Siemens released SIMATIC WinCC V7.3, which fixes the five vulnerabilities, and recommends upgrading as soon as possible. The updated software can be ordered via the customer support web site.

Additional information about SIMATIC WinCC V7.3 is available at this location.

Siemens released SIMATIC PCS7 V8.1, which fixes the five vulnerabilities, and recommends upgrading as soon as possible. The updated software can be ordered via the customer support web site.

Additional information about the new SIMATIC PCS7 V8.1 is available here.

Until the updates can be deployed, Siemens advises asset owners to apply the following steps to mitigate the risk:
• Limit the WebNavigator server access to trusted networks and clients
• Ensure that the WebNavigator clients authenticate themselves against the WebNavigator server (e.g., use client certificates)
• Restrict access to the WinCC database server at Port 1433/TCP to trusted entities
• Deactivate all unnecessary OS users on WinCC server
• Run WinCC server and engineering stations within a trusted network
• Ensure that the WinCC server and the engineering stations communicate via encrypted channels only (e.g., establish a VPN tunnel)
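One way to put the network-access steps above into effect on the Windows host running WinCC, as an added example that is not from the advisory or from Siemens: Windows Firewall allow rules for the four ports named in the advisory, each limited to trusted peers, with unmatched inbound traffic dropped by the default policy. The addresses are constructed placeholders, and the cmdlets assume the NetSecurity module (Windows 8 / Server 2012 or later; older hosts would use netsh advfirewall instead).

```powershell
# Added example (not from the advisory or from Siemens): restrict the ports named in the
# advisory to trusted hosts with Windows Firewall. Addresses are constructed placeholders;
# replace them with the site's real WebNavigator clients and engineering stations.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later); run as Administrator.

$TrustedWebClients   = @('10.10.20.0/24')                  # HMI clients allowed to reach WebNavigator
$EngineeringStations = @('10.10.30.11', '10.10.30.12')     # stations allowed to reach DB and project admin
$TrustedDbPeers      = $EngineeringStations + @('10.10.10.5')  # e.g. a redundant WinCC server

# One allow rule per service, each limited to its trusted peers. There is no "everything else"
# rule: inbound traffic that matches no allow rule is dropped by the default inbound action,
# which is set to Block at the end.
$Rules = @(
    @{ Name = 'WinCC WebNavigator HTTP';  Port = 80;   Remote = $TrustedWebClients },
    @{ Name = 'WinCC WebNavigator HTTPS'; Port = 443;  Remote = $TrustedWebClients },
    @{ Name = 'WinCC database server';    Port = 1433; Remote = $TrustedDbPeers },
    @{ Name = 'WinCC project admin';      Port = 1030; Remote = $EngineeringStations }
)

foreach ($r in $Rules) {
    # Replace any previous rule of the same name so the script is safe to re-run.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $r.Port -RemoteAddress $r.Remote -Profile Any | Out-Null
}

# Drop inbound connections that no allow rule matches, on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Verify: show each rule with the port and remote addresses actually applied.
foreach ($r in $Rules) {
    $rule  = Get-NetFirewallRule -DisplayName $r.Name
    $port  = ($rule | Get-NetFirewallPortFilter).LocalPort
    $peers = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0,-28} TCP/{1,-5} from {2}' -f $r.Name, $port, $peers
}
```

Because Windows Firewall admits a connection if any allow rule matches, also audit existing allow rules for these ports (for example one created by the WinCC or web server installation), since a broader rule would still admit untrusted clients.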

SIMATIC WinCC V7.3 introduces the feature “Encrypted Communications.” The feature allows operators to add an extra layer of security to protect server communication. Siemens strongly recommends activating this feature.

For more information, see the Siemens Security Advisory SSA-214365.


