Siemens Mitigates SIMATIC Holes

Wednesday, July 27, 2016 @ 09:07 AM gHale


Siemens has mitigated two vulnerabilities in its SIMATIC WinCC, SIMATIC PCS 7, and WinCC Runtime Professional products, according to an advisory from ICS-CERT.

An attacker exploiting these vulnerabilities could extract arbitrary files from an affected station or remotely execute arbitrary code on it.

The remotely exploitable vulnerabilities, which were reported directly to Siemens by Sergey Temnikov and Vladimir Dashchenko of Kaspersky Lab, affect the following products:
• SIMATIC WinCC:
V7.0 SP 2 and earlier versions
V7.0 SP 3: All versions
V7.2: All versions prior to 7.2 Update 13
V7.3: All versions prior to 7.3 Update 10
V7.4: All versions prior to 7.4 Update 1

• SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7):
V7.1 SP4 and earlier versions
V8.0: All versions
V8.1: All versions prior to 8.1 SP1 with WinCC V7.3 Update 10
V8.2: All versions prior to 8.2 with WinCC V7.4 Update 1

• SIMATIC WinCC Runtime Professional: All versions prior to V13 SP 1 Update 9

Siemens is a multinational company headquartered in Munich, Germany.

SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system, and SIMATIC PCS 7 is a distributed control system (DCS) built on WinCC. Both are deployed across several sectors, including chemical, energy, food and agriculture, and water and wastewater systems, and Siemens said they are in use worldwide.

Specially crafted packets sent to SIMATIC WinCC or WinCC Runtime Professional could allow an unauthenticated remote attacker to execute arbitrary code.

CVE-2016-5743 has been assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, specially crafted packets sent to SIMATIC WinCC could allow an unauthenticated remote attacker to extract arbitrary files from the WinCC station. This vulnerability only affects WinCC V7.0 and WinCC V7.2.

CVE-2016-5744 has been assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
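For triage across a fleet of operator stations, the affected-version list above and the per-release scope of the two CVEs can be encoded once and applied to whatever version string each station reports. The following Python script is an added example, not code from Siemens, ICS-CERT or the original article; it assumes the operator supplies the version text as shown in the product (for example "V7.3 Update 9" or "V7.3 Upd. 10") and does not read any installation itself. The sample inventory lines are constructed.

```python
"""Classify SIMATIC WinCC version strings against the ranges in SSA-378531.

Added example for triage. The operator supplies the version as the product
reports it (e.g. "V7.3 Update 9"); nothing here inspects an installation.
"""
import re

# For each WinCC release listed in the advisory, the first Update that
# contains the fix. V7.0 (SP2 and earlier, and SP3) is handled separately:
# every build is affected and there is no in-release fix.
WINCC_FIRST_FIXED_UPDATE = {
    (7, 2): 13,   # fixed in V7.2 Update 13
    (7, 3): 10,   # fixed in V7.3 Update 10
    (7, 4): 1,    # fixed in V7.4 Update 1
}

# CVE-2016-5743 (remote code execution) applies to every affected release;
# CVE-2016-5744 (arbitrary file extraction) only to WinCC V7.0 and V7.2.
CVE_RCE = "CVE-2016-5743"
CVE_FILE_READ = "CVE-2016-5744"
FILE_READ_RELEASES = {(7, 0), (7, 2)}

_VERSION_RE = re.compile(
    r"^\s*V?(\d+)\.(\d+)"                       # major.minor, optional leading V
    r"(?:\s*SP\s*(\d+))?"                       # optional service pack
    r"(?:\s*(?:Update|Upd\.?)\s*(\d+))?\s*$",   # optional update number
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, sp, update) from strings like 'V7.2 SP1 Update 12'.

    Missing service pack or update numbers are treated as 0.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WinCC version string: {text!r}")
    major, minor, sp, upd = m.groups()
    return int(major), int(minor), int(sp or 0), int(upd or 0)


def classify(text):
    """Return (status, cves): status is 'affected', 'fixed' or 'not listed'.

    cves is the tuple of CVE identifiers that apply; empty unless affected.
    """
    major, minor, _sp, upd = parse_version(text)
    release = (major, minor)

    # "V7.0 SP2 and earlier" plus "V7.0 SP3: All versions" covers everything
    # up to and including V7.0, regardless of service pack or update.
    if release <= (7, 0):
        return "affected", (CVE_RCE, CVE_FILE_READ)

    if release not in WINCC_FIRST_FIXED_UPDATE:
        # Neither V7.1 nor anything newer than V7.4 appears in the advisory,
        # so the script refuses to guess rather than report "fixed".
        return "not listed", ()

    if upd >= WINCC_FIRST_FIXED_UPDATE[release]:
        return "fixed", ()

    cves = (CVE_RCE, CVE_FILE_READ) if release in FILE_READ_RELEASES else (CVE_RCE,)
    return "affected", cves


if __name__ == "__main__":
    # Constructed sample inventory, one station per line: "<name>: <version>".
    sample_inventory = [
        "OS-01: V7.0 SP3",
        "OS-02: V7.2 Update 12",
        "OS-03: V7.3 Upd. 10",
        "OS-04: V7.4",
        "OS-05: 7.4 Update 1",
    ]
    for line in sample_inventory:
        station, version = line.split(":", 1)
        status, cves = classify(version)
        print(f"{station}: {version.strip():<16} {status:<10} {' '.join(cves)}")
```

A bare "V7.4" parses as Update 0 and is therefore reported as affected, which matches the advisory ("all versions prior to 7.4 Update 1"); releases the advisory does not mention are reported as "not listed" rather than silently passed.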

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level would be able to exploit them.

Siemens has produced updates for the following products and said users should upgrade to the new versions as soon as possible:

SIMATIC WinCC V7.2
• Update to WinCC V7.2 Update 13

SIMATIC WinCC V7.3
• Update to WinCC V7.3 Update 10

SIMATIC WinCC V7.4
• Update to WinCC V7.4 Update 1

SIMATIC PCS 7 V8.1 SP1:
• WinCC: Update to WinCC V7.3 Update 10
• SIMATIC BATCH: Update to SIMATIC BATCH V8.1 SP1 Upd. 9 (contact Siemens customer support)
• OpenPCS 7: Update to OpenPCS 7 V8.1 Upd. 3 (contact Siemens customer support)
• Route Control: Update to Route Control V8.1 Update 2

SIMATIC PCS 7 V8.2:
• WinCC: Update to WinCC V7.4 Update 1
• OpenPCS 7: Update to OpenPCS 7 V8.2 Update 1
• Route Control: Update to Route Control V8.2 Update 1
• BATCH: Update to BATCH V8.2 Update 1

https://support.industry.siemens.com/cs/ww/en/view/109738678

SIMATIC WinCC Runtime Professional V13
• Update to WinCC Runtime Professional V13 SP1 Update 9

Until users can apply the updates, Siemens recommends the following steps to mitigate the risk:
1. Always run WinCC, WinCC Runtime Professional, and PCS 7 stations within a trusted network.
2. Ensure WinCC, WinCC Runtime Professional, and PCS 7 stations communicate via encrypted channels only (e.g., activate feature “Encrypted Communications” in WinCC V7.3 and PCS 7 V8.1 SP1, or establish a VPN tunnel).
3. Restrict access to the WinCC, WinCC Runtime Professional and PCS 7 stations to trusted entities.
4. Apply up-to-date application whitelisting software and virus scanners.

For more information on these vulnerabilities and more detailed mitigation instructions, see Siemens Security Advisory SSA-378531.

As a general security measure, Siemens recommends protecting network access to the WinCC and PCS 7 stations with appropriate mechanisms, and configuring the environment according to its operational guidelines for industrial security so the stations run in a protected IT environment.