Siemens Mitigates WinCC TIA Bugs

Thursday, March 21, 2013 @ 06:03 PM gHale


Siemens produced new software that mitigates a boatload of vulnerabilities in its WinCC TIA (Totally Integrated Automation) Portal (HMI), according to a report on ICS-CERT.

Researchers Billy Rios and Terry McCorkle of Cylance; Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov, and Ilya Karpov from Positive Technologies; and Shawn Merdinger identified the vulnerabilities.


These vulnerabilities are not exploitable remotely and cannot be exploited without user interaction. An attacker must either hold valid user credentials or use social engineering against a valid user.

No known public exploits target these vulnerabilities.

WinCC (TIA Portal) V11 (all versions) suffers from the issue.

The vulnerabilities affect the HMI’s Web server and the internal password store. Possible attacks require either physical access to the HMI or an authenticated user, so an attacker must either have valid user credentials or must use social engineering against a legitimate user. In addition, the Web-based vulnerabilities are only reachable when the system’s Web server is enabled.

Munich, Germany-based Siemens develops products mainly in the energy, transportation, and healthcare sectors.

Siemens WinCC TIA Portal is an HMI software package used as an interface between the operator and the programmable logic controllers (PLCs) controlling the process. It performs process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. This software sees use in quite a few industries, including food and beverage, water and wastewater, oil and gas, and chemical.

User credentials for the HMI’s Web application are stored within the HMI’s system. These data are obfuscated in a reversible way, and they are readable and writable by users with physical access or Sm@rt Server access to the system.

CVE-2011-4515 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.

By manipulating HTTP requests, an authenticated attacker may crash the HMI’s Web application. The Web application will become unavailable until the device restarts.

CVE-2013-0669 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.0.

The HMI’s Web application is susceptible to stored cross-site scripting attacks. An authenticated user may store data on the Web application that will execute malicious JavaScript when users access the affected page.

CVE-2013-0672 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.0.

By manipulating the URL, an authenticated attacker may gain access to the source code of the panel’s server-side Web application files, which may include user-defined scripts.

CVE-2013-0671 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.0.

If a user clicks on a malicious link that seems to lead to an HMI Web application, it is possible to display data to the user (HTTP response splitting). The attacker does not gain access to the file system.

CVE-2013-0670 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

If a user clicks on a malicious link that seems to lead to an HMI Web application, it is possible to display data to the user (server-side script injection). The attacker does not gain access to the file system.

CVE-2013-0667 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

The HMI’s Web application is susceptible to reflected cross-site scripting attacks. If a legitimate user clicks on a malicious link, JavaScript code may execute and session information may be stolen.

CVE-2013-0668 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

An attacker with a low to medium skill would be able to exploit these vulnerabilities.
