Siemens Patches SIMATIC S7-1500 Holes

Monday, March 17, 2014 @ 06:03 PM gHale


Siemens has released a firmware update that mitigates nine vulnerabilities in SIMATIC S7-1500 CPU firmware, according to a report on ICS-CERT.

Siemens and Positive Technologies researchers (Yury Goltsev, Ilya Karpov, Alexey Osipov, Dmitry Serebryannikov and Alex Timorin) discovered the remotely exploitable vulnerabilities. All versions of the SIMATIC S7-1500 CPU family older than V1.5 are affected.


The vulnerabilities in the SIMATIC S7-1500 CPU firmware may allow attackers to perform denial-of-service (DoS) attacks with specially crafted HTTP(S), ISO-TSAP or Profinet network packets. The integrated web server may also be vulnerable to cross-site request forgery (CSRF), cross-site scripting (XSS), header injection and open redirect attacks, as well as privilege escalation. All of them can be exploited over the network without prior authentication, although the web server attacks that go through a user's browser also require social engineering.

Siemens is a multinational company headquartered in Munich, Germany. Products in the Siemens SIMATIC S7-1500 CPU family are for process control in Critical Infrastructure Sectors such as chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems.

The web server of the affected PLCs (Port 80/TCP and Port 443/TCP) might allow CSRF attacks, compromising the integrity and availability of the device. The attacker would additionally need social engineering, since a user who is logged in to the PLC must be lured into sending the forged request.

CVE-2014-2249 has been assigned to this vulnerability, which has a CVSS v2 base score of 5.8.
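The following is an added illustration of the CSRF problem described above and the standard fix; it is not code from the page, from Siemens or from the S7-1500 firmware. The `PlcWebSessions` class, its `run_state` field and the `state` form field are assumptions standing in for any state-changing action the embedded web server exposes. The forged request carries the session cookie (the browser attaches it automatically) but not the per-session token, which a cross-origin page cannot read.

```python
import hmac
import secrets


class PlcWebSessions:
    """Constructed stand-in for the session layer of a PLC's embedded web
    server. The class, its run_state field and the form layout are assumptions
    made for this example."""

    def __init__(self) -> None:
        self.sessions = {}          # session id -> per-session CSRF token
        self.run_state = "RUN"      # the state a forged request would flip

    def login(self) -> tuple:
        """Issue a session cookie and a CSRF token bound to it. The token is
        delivered in the page body, where a cross-origin attacker cannot read it."""
        sid = secrets.token_hex(16)
        token = secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def post_vulnerable(self, cookie_sid: str, form: dict) -> int:
        """Weak handler: the session cookie alone authorises a state change.
        A browser attaches that cookie to a form auto-submitted from any site."""
        if cookie_sid not in self.sessions:
            return 401
        self.run_state = form["state"]
        return 200

    def post_hardened(self, cookie_sid: str, form: dict) -> int:
        """Same action, but the form must carry the token bound to this session.
        The comparison is constant-time so the check itself leaks nothing."""
        if cookie_sid not in self.sessions:
            return 401
        expected = self.sessions[cookie_sid]
        if not hmac.compare_digest(expected, form.get("csrf_token", "")):
            return 403
        self.run_state = form["state"]
        return 200


def csrf_demo() -> dict:
    """Replay one cross-site forgery against both handlers and report what happened."""
    app = PlcWebSessions()
    sid, token = app.login()                 # operator logs in to the PLC
    forged = {"state": "STOP"}               # attacker page: cookie rides along, token absent
    vuln = app.post_vulnerable(sid, forged)
    state_after_vuln = app.run_state
    app.run_state = "RUN"                    # reset for the second run
    hard = app.post_hardened(sid, forged)
    state_after_hard = app.run_state
    legit = app.post_hardened(sid, {"state": "STOP", "csrf_token": token})
    return {
        "vulnerable": vuln, "state_after_vulnerable": state_after_vuln,
        "hardened": hard, "state_after_hardened": state_after_hard,
        "legitimate": legit,
    }


if __name__ == "__main__":
    for key, value in csrf_demo().items():
        print(f"{key}: {value}")
```

The per-session token is the classic defence; on a device with little spare memory, checking the Origin or Referer header of state-changing requests is a cheap additional layer, but it must not replace the token because those headers are not always sent.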

The integrated web server (Port 80/TCP and Port 443/TCP) of the affected device might be vulnerable to XSS attacks. Additional social engineering would be needed to exploit this.

CVE-2014-2246 has been assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

The integrated web server (Port 80/TCP and Port 443/TCP) of the affected device might allow attackers to inject HTTP headers. Additional social engineering would be required to exploit this.

CVE-2014-2247 has been assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

Because the random number generator behind the authentication of the integrated web server (Port 80/TCP and Port 443/TCP) has low entropy, the session identifiers issued by S7-1500 PLCs may be predictable, which might allow attackers to hijack web sessions over the network without authentication.

CVE-2014-2251 has been assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
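To show why low RNG entropy translates directly into session hijacking, here is an added example that is not from the page or from Siemens and does not reproduce the S7-1500's actual generator. It uses a constructed toy: a 16-bit linear congruential generator whose output is hashed into a 128-bit-looking session ID. The hash makes the ID look random but adds no entropy, so an attacker who observes one ID (for instance their own after logging in) can brute-force all 65536 generator states and predict the next victim's session ID. The hardened form draws the ID from the operating system's CSPRNG. The constants `LCG_A` and `LCG_C` are arbitrary choices for the example.

```python
import hashlib
import secrets

# Constructed toy generator: a 16-bit linear congruential generator, so the
# server's entire RNG state is one of only 65536 values. It stands in for
# "low entropy" in general and is not the S7-1500's algorithm.
LCG_MOD = 1 << 16
LCG_A = 0x6C8D   # multiplier, arbitrary choice for the example
LCG_C = 0x2F6B   # increment, arbitrary choice for the example


def lcg_next(state: int) -> int:
    return (LCG_A * state + LCG_C) % LCG_MOD


def session_id_from_state(state: int) -> str:
    # Hashing hides the raw counter but adds no entropy: the ID is still a
    # deterministic function of a 16-bit value.
    return hashlib.sha256(state.to_bytes(2, "big")).hexdigest()[:32]


class WeakSessionServer:
    """Web server whose session IDs come from the toy 16-bit generator."""

    def __init__(self, seed: int) -> None:
        self.state = seed % LCG_MOD

    def new_session_id(self) -> str:
        self.state = lcg_next(self.state)
        return session_id_from_state(self.state)


def recover_states(observed_id: str) -> list:
    """Attacker side: enumerate all 2^16 generator states and keep those that
    produce the session ID observed on the wire."""
    return [s for s in range(LCG_MOD) if session_id_from_state(s) == observed_id]


def predict_ids(observed_id: str, ahead: int = 1) -> set:
    """Every session ID the server can issue `ahead` logins after the observed
    one. With a 16-bit state this is a tiny set, which is the hijack."""
    out = set()
    for s in recover_states(observed_id):
        for _ in range(ahead):
            s = lcg_next(s)
        out.add(session_id_from_state(s))
    return out


def secure_session_id() -> str:
    """Hardened form: 128 bits from the OS CSPRNG, so there is no small state
    to enumerate and nothing to predict from an observed ID."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    server = WeakSessionServer(seed=0x1234)
    mine = server.new_session_id()        # attacker logs in and sees their own ID
    guesses = predict_ids(mine, ahead=1)  # candidate IDs for the next login
    victim = server.new_session_id()      # the next user to log in
    print("victim session predicted:", victim in guesses, "from", len(guesses), "candidate(s)")
    print("secure session id:", secure_session_id())
```

The brute force here takes well under a second in pure Python; the same attack against a 128-bit random ID would need on the order of 2^128 hash evaluations, which is the whole difference between the weak and the hardened generator.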

The integrated web server (Port 80/TCP and Port 443/TCP) of the affected device might allow attackers to redirect users to untrusted web sites (an open redirect). Additional social engineering would be needed to exploit this.

CVE-2014-2248 has been assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
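The header injection and open redirect issues described above usually share one root cause: a user-supplied redirect target copied into the Location header without validation. The following added example (not code from the page, from Siemens or from the firmware) shows that weak pattern beside a hardened variant. The function names, the CRLF payload and the `Set-Cookie: sid=attacker` header it injects are constructed for the example.

```python
from urllib.parse import urlsplit


def _format_redirect(location: str) -> bytes:
    """Build a minimal 302 response. HTTP headers are CRLF-delimited, which is
    exactly why an unfiltered CR/LF inside `location` becomes a new header."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_vulnerable(target: str) -> bytes:
    """Weak pattern: the user-supplied redirect target goes straight into the
    Location header, giving both header injection and an open redirect."""
    return _format_redirect(target)


class RedirectRejected(ValueError):
    pass


def safe_redirect_target(target: str) -> str:
    """Return `target` only if it is an absolute path on this host with no
    control characters; raise RedirectRejected otherwise."""
    # Header injection: CR, LF and other control characters must never reach a header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        raise RedirectRejected("control character in redirect target")
    # Open redirect: refuse anything carrying a scheme or a host ...
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        raise RedirectRejected("absolute URL not allowed")
    # ... and anything a browser may still treat as host-relative ("//host", "/\host").
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        raise RedirectRejected("target must be an absolute path on this host")
    return target


def is_safe_redirect_target(target: str) -> bool:
    try:
        safe_redirect_target(target)
        return True
    except RedirectRejected:
        return False


def build_redirect_hardened(target: str) -> bytes:
    return _format_redirect(safe_redirect_target(target))


def parse_headers(response: bytes) -> dict:
    """The header block as a browser would interpret it; used to show the injection."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return dict(line.split(": ", 1) for line in head.split("\r\n")[1:] if ": " in line)


if __name__ == "__main__":
    # Constructed payload: a path followed by CRLF and an attacker-chosen header.
    payload = "/\r\nSet-Cookie: sid=attacker"
    print("vulnerable:", parse_headers(build_redirect_vulnerable(payload)))
    print("hardened accepts /index.html:", is_safe_redirect_target("/index.html"))
    print("hardened accepts payload:", is_safe_redirect_target(payload))
    print("hardened accepts http://evil.example/:", is_safe_redirect_target("http://evil.example/"))
```

Rejecting the request outright, rather than trying to strip the offending characters, is deliberate: a sanitiser that removes CR and LF still has to agree with every client about what counts as a line break, whereas a reject is unambiguous.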

Specially crafted packets sent on Port 443/TCP (HTTPS) might cause the device to go into defect mode, effectively causing a DoS. A cold restart would have to take place to recover the system.

CVE-2014-2259 has been assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

Specially crafted Profinet packets sent to the affected device might cause the device to go into defect mode, effectively causing a DoS. A cold restart would have to take place to recover the system. In addition, the attacker must have access to the local Ethernet segment, since Profinet frames are not routed.

CVE-2014-2253 has been assigned to this vulnerability, which has a CVSS v2 base score of 6.1.

Specially crafted packets sent on Port 80/TCP (HTTP) might cause the device to go into defect mode, effectively causing a DoS. A cold restart would have to take place to recover the system.

CVE-2014-2255 has been assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

Specially crafted packets sent on Port 102/TCP (ISO-TSAP) might cause the device to go into defect mode, effectively causing a DoS. A cold restart would have to take place to recover the system.

CVE-2014-2257 has been assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

No known public exploits specifically target these vulnerabilities, but an attacker with moderate skill would be able to exploit them.

Siemens addresses all these issues in a security advisory.

Siemens has provided firmware update V1.5.0, which fixes the reported vulnerabilities; the update is available from Siemens.

Siemens strongly recommends protecting network access to S7-1500 CPUs with appropriate mechanisms. Siemens advises following recommended security practices and configuring the environment according to operational guidelines in order to run the devices in a protected IT environment.

Siemens recommends operating the devices only within trusted networks, following its Industrial Security guidance.
