Siemens has Fix for CA Vulnerability

Thursday, September 20, 2012 @ 06:09 PM gHale


There is a mitigation available for Siemens’ insecure HTTPS certificate storage vulnerability in the S7-1200 v2.x, according to a report on ICS-CERT.

The remotely exploitable vulnerability affects the SIMATIC S7-1200 V2.x.

RELATED STORIES
ORing SCADA Line Vulnerability
SCADA Directory Traversal Vulnerability
Partial Fix on OPC Server Holes
Siemens Patches WinCC Holes
Honeywell Fixes HMIWeb Browser Hole

An attacker may obtain a private key of the S7-1200 certificate authority for HTTPS and use it to create a forged certificate that can then act in a Man-in-the-Middle attack.

Products in the Siemens SIMATIC S7-1200 programmable logic controller (PLC) family see use for process control in industrial environments such as manufacturing, power generation and distribution, food and beverages, and chemical industries worldwide.

The certificate authority (CA) for HTTPS connections, installed on Siemens SIMATIC S7-1200 PLC, stores its private key insecurely. This key sees use for signing certificates. Once obtaining the key, an attacker may create a forged certificate. This can then complete a Man-in-the-Middle attack on a browser that already trusts this device’s CA.

The PLC also has a private key used to dynamically generate its own certificate. This key is different from the CA private key and is not vulnerable to this attack. CVE-2012-3037 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3

Siemens recommends the user uninstall the CA signing keys from the Web browser’s certificate store. The procedure for performing this task is specific to each browser. Once this happens, warning messages will occur when attempting to connect to an S7-1200 PLC. The user can manually confirm the identity of the PLC and accept its certificate via the browser. This has to happen once for each S7-1200 PLC on the network.



Leave a Reply

You must be logged in to post a comment.