Siemens Fixes SiPass Integrated

Thursday, July 13, 2017 @ 03:07 PM gHale


Siemens released a new version of SiPass integrated to mitigate multiple vulnerabilities, according to a report with ICS-CERT.

The remotely exploitable vulnerabilities, which Siemens self-reported, include an improper authentication, improper privilege management, channel accessible by non-endpoint, and storing passwords in a recoverable format issues.

RELATED STORIES
Siemens Upgrades SIMATIC Logon Software
Fuji Mitigates Electric V-Server Issue
ABB Clears WiFi Logger Card Hole
Fix is in for PI Coresight

SiPass integrated: All versions prior to V2.70 suffer from the vulnerabilities.

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to the server to perform administrative operations.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerability.

In one vulnerability, an attacker with network access to the SiPass integrated server could bypass the authentication mechanism and perform administrative operations.

CVE-2017-9939 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, an attacker with access to a low-privileged user account can read or write files on the file system of the SiPass integrated server over the network.

CVE-2017-9940 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

Also, an attacker in a man-in-the-middle position between the SiPass integrated server and SiPass integrated clients could read or modify the network communication.

CVE-2017-9941 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.4.

In addition, an attacker with local access to the SiPass integrated server or SiPass integrated client could potentially obtain credentials from the systems.

CVE-2017-9942 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.2.

The product sees use in the energy, healthcare and public health, and transportation systems sectors. It also sees action on a global basis.

Munich, Germany-based Siemens provides SiPass integrated V2.70, which fixes the vulnerabilities, and recommends users update to the new version. The new version can be obtained from Siemens customer support or from authorized partners.

For more information on these vulnerabilities and more detailed mitigation instructions, click on Siemens Security Advisory SSA-339433.



Leave a Reply

You must be logged in to post a comment.