Siemens Patches WinCC Holes

Friday, September 14, 2012 @ 05:09 PM gHale

Siemens created an update that mitigates vulnerabilities in the Siemens WinCC WebNavigator application.

Siemens reports these vulnerabilities, which came straight to them from Positive Technologies, affect the WebNavigator component of WinCC 7.0 SP3 and earlier, according to a report on ICS-CERT.

RELATED STORIES
Honeywell Fixes HMIWeb Browser Hole
Hole Exists; Wrong Vendor Selected
InduSoft Vulnerability Released
More Holes with RuggedCom

Successful exploitation of these remotely exploitable vulnerabilities could allow an attacker to access sensitive data or possibly take over the WebNavigator session with the same rights as the victim.

WinCC/Web Navigator is a WinCC option that provides a Web interface for the Siemens SIMATIC WinCC Human Machine Interface (HMI). SIMATIC WinCC performs the following tasks: Process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. This software sees use in quite a few industries, including food and beverage, water and wastewater, oil and gas, and chemical.

In a cross site scripting vulnerability, an attacker can use social engineering to trick an authenticated user into clicking a malicious link. This action may execute a java script in the victim’s browser, which can have malicious behavior such as stealing a session cookie. CVE-2012-3031 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.

Cross site request forgery is similar to the cross site scripting vulnerability. It can also trigger by an authenticated user clicking on a malicious link. However, this vulnerability also works if the user has disabled scripting in his or her browser. CVE-2012-3028 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

If an attacker knows or guesses the right path and/or file name, he or she can read files on the system that hosts WebNavigator. CVE-2012-3030 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

If an attacker sends a specially crafted SOAP (Simple Object Access Protocol) message to the server, the resulting SQL queries might read or write more data in the database than originally intended. CVE-2012-3032 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

WebNavigator uses ActiveX controls in the user’s browser. The methods of these ActiveX controls can call any Web site this user visits. By using specially crafted parameters with these methods, an attacker can gain access to the username and password of a legitimate user.

One precondition is to exploit this vulnerability, the attacker needs access to the Web server. CVE-2012-3034 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.

Siemens addresses these issues in a Siemens Security Advisory, SSA-864051, which is available on its Web site.

Siemens provides an update for WinCC 7.0 SP2, which fixes all vulnerabilities except the cross site request forgery. The company recommends installing the patch. Siemens also recommends users restrict access to WebNavigator, e.g., with a firewall or VPN gateway or to operate the service only within trusted networks.

No patch is yet available for vulnerability 2; Siemens recommends the following:
• Do not interact with other Internet-related services while logged in.
• Log out when the user does not need WebNavigator any more.



Leave a Reply

You must be logged in to post a comment.