Siemens Mitigates Sm@rtClient Holes

Wednesday, January 14, 2015 @ 11:01 AM gHale


Siemens mitigated authentication vulnerabilities in its SIMATIC WinCC Sm@rtClient application, according to a report on ICS-CERT.

These vulnerabilities ended up reported directly to Siemens by Kim Schlyter, Seyton Bradford, and Richard Warren from FortConsult (NCC Group).

RELATED STORIES
Insecure ICS/SCADA Java Client Fixed
ICS Software Authentication Hole Found
Schneider Patches InTouch Buffer Overflow
HART DTM Vulnerability Fixed

The following SIMATIC WinCC Sm@rtClient versions suffer from the issue:
• SIMATIC WinCC Sm@rtClient: All versions prior to V1.0.2
• SIMATIC WinCC Sm@rtClient Lite for iOS: All versions prior to V1.0.2.

An attacker with local access could use these vulnerabilities to escalate privileges on the application or the servers with which the application is communicating.

Siemens is an international company headquartered in Munich, Germany. The SIMATIC WinCC Sm@rtClient application, in combination with the SIMATIC WinCC Sm@rtServer, allows remote mobile operation and observation of SIMATIC HMI systems.

This software deploys across several sectors including chemical, energy, food and agriculture, and water and wastewater systems. Siemens estimates these products see use primarily in the United States and Europe with a small percentage in Asia.

The existing storage mechanism for the application specific password could allow attackers to extract the password and gain access to the application if local access is available.

CVE-2014-5231 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.

In case an application specific password ends up set, the user would not get a prompt to enter the password if the application resumed from the background.

CVE-2014-5232 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.

The implemented mechanism to process Sm@rtServer credentials could allow attackers to extract the credentials if local access is available.

CVE-2014-5233 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.

An attacker must have local access to the mobile device to exploit these vulnerabilities. No known public exploits specifically target these vulnerabilities. An attacker with a low skill would be able to exploit these vulnerabilities.

Siemens has released SIMATIC WinCC Sm@rtClient V1.0.2 for iOS, which fixes these vulnerabilities and recommends upgrading as soon as possible. These updates are available on iTunes at:
SIMATIC WinCC Sm@rtClient Lite
SIMATIC WinCC Sm@rtClient

For more information on these vulnerabilities and detailed instructions, please see Siemens Security Advisory SSA-311299.



Leave a Reply

You must be logged in to post a comment.