Siemens Fixes STEP 7 TIA Portal Holes

Friday, February 20, 2015 @ 05:02 PM gHale

Siemens created a patch to fix two vulnerabilities in its SIMATIC STEP 7 (TIA Portal), according to a report on ICS-CERT.

These vulnerabilities first came to Siemens from the Quarkslab team and Dmitry Sklyarov with PT-Security. One of the vulnerabilities is remotely exploitable.


The following SIMATIC STEP 7 (TIA Portal) versions suffer from the issue:
• V12
• V13: All versions prior to V13 SP1 Upd1
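The affected list above is the input an asset owner needs when checking engineering workstations. The following is an added example, not Siemens' code: it parses TIA Portal version strings in the advisory's own form ("V12", "V13 SP1", "V13 SP1 Upd1"; the string format and the hostnames are assumptions) and flags the hosts that still need V13 SP1 Update 1. Every V12 build is treated as affected, as the list states.

```python
import re
from typing import NamedTuple, Optional

# Fix level named in the advisory: SIMATIC STEP 7 (TIA Portal) V13 SP1 Update 1.
FIXED_V13 = (1, 1)   # (service pack, update)

class TiaVersion(NamedTuple):
    major: int
    sp: int
    upd: int

# Assumed string form: "V<major>", optionally " SP<n>", optionally " Upd<n>".
_VER_RE = re.compile(r"^V(\d+)(?:\s+SP(\d+))?(?:\s+Upd(\d+))?$", re.IGNORECASE)

def parse_version(text: str) -> Optional[TiaVersion]:
    """Parse 'V12', 'V13 SP1' or 'V13 SP1 Upd1' into (major, sp, upd).
    A missing service pack or update counts as 0. Returns None if unparsable."""
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, sp, upd = (int(g) if g else 0 for g in m.groups())
    return TiaVersion(major, sp, upd)

def is_affected(text: str) -> Optional[bool]:
    """Apply the advisory's affected list: every V12 build, and every V13 build
    before SP1 Update 1. Majors the advisory does not list return False.
    Returns None when the version string cannot be parsed."""
    v = parse_version(text)
    if v is None:
        return None
    if v.major == 12:
        return True
    if v.major == 13:
        return (v.sp, v.upd) < FIXED_V13
    return False

# Constructed inventory (hostname -> reported TIA Portal version); not real data.
INVENTORY = {
    "ews-01": "V13 SP1",
    "ews-02": "V13 SP1 Upd1",
    "ews-03": "V12",
    "ews-04": "V13 SP1 Upd2",
    "ews-05": "unknown",
}

def hosts_needing_update(inventory: dict) -> dict:
    """Return {host: version} for affected entries AND unparsable ones, so a bad
    inventory string is reviewed rather than silently treated as patched."""
    return {h: v for h, v in inventory.items() if is_affected(v) is not False}

if __name__ == "__main__":
    for host, ver in hosts_needing_update(INVENTORY).items():
        print(f"{host}: {ver} -> apply V13 SP1 Update 1, then rotate passwords")
```

Unparsable entries are deliberately kept in the result, since an inventory gap is not evidence that a host is patched.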

One vulnerability could allow a successful man-in-the-middle attack, letting the attacker view and modify data sent between the user and the system. The other allows a user with local access to reconstruct passwords.

Siemens is a multinational company headquartered in Munich, Germany.

The affected product, SIMATIC Step 7 (TIA Portal), is engineering software for SIMATIC products. This software works across several sectors including chemical, energy, food and agriculture, and water and wastewater systems. Siemens estimates these products see use primarily in the United States and Europe with a small percentage in Asia.

Attackers with access to the network path between the client and the server could possibly intercept or modify Siemens industrial communications at Port 102/TCP and conduct a man-in-the-middle attack.

CVE-2015-1601 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

Attackers with read access to TIA project files could possibly reconstruct protection-level passwords or web server passwords.

CVE-2015-1602 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 1.9.

The man-in-the-middle vulnerability could end up exploited remotely, while the password hash vulnerability requires local access.

No known public exploits specifically target these vulnerabilities. Crafting a working exploit for these vulnerabilities would be moderately difficult. Crafting a successful man-in-the-middle attack would require access to the network between the client and the server. Local access to the project files would be required, with additional work needed to reconstruct passwords. These factors decrease the likelihood of a successful exploit.

Siemens provides Update 1 for SIMATIC STEP 7 (TIA Portal) V13 SP1, which fixes the vulnerabilities.

After applying the update, Siemens recommends changing protection-level and web server passwords.

As a general security measure, Siemens also recommends protecting network access with appropriate mechanisms. Siemens advises users to configure the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment; Siemens publishes an overview of its operational guidelines for Industrial Security, including the cell protection concept.

For more information on these vulnerabilities and detailed instructions, see Siemens Security Advisory SSA-315836.
