Siemens PLC Vulnerability Update

Monday, August 1, 2011 @ 04:08 PM gHale

Siemens confirmed the ability to access internal diagnostic functions does affect certain S7-300 PLCs, but not the S7-400 PLCs, according to the Industrial Control System Cyber Emergency Response Team (ICS-CERT).

The ability to access internal diagnostic functions is present in older versions of the S7-300 firmware. This includes S7-300 PLCs with integrated Profinet interface shipped before October 2009, and IM15x Profinet PLCs shipped before September 2010. Security researcher Dillon Beresford first found the vulnerability.

CPUs and firmware affected include:
• CPU315(including F)-2PN/DP: V2.6 and earlier affected; fixed in V3.1 (10/2009).
• CPU317(including F)-2PN/DP: V2.6 and earlier affected; fixed in V3.1 (10/2009).
• CPU319(including F)-3PN/DP: V2.7 and earlier affected; fixed in V2.8 (6/2009).
• IM151-8(including F) PN/DP CPU: V2.7 affected; fixed in V3.2 (08/2010).
• IM154-8 PN/DP CPU: V2.5 affected; fixed in V3.2 (08/2010).

For more information on how users can mitigate the vulnerability, see the Siemens service and support web site.

Beresford first revealed on July 23 a vulnerability affecting the Siemens S7-300 and S7-400 PLCs, according to ICS-CERT. The researcher said he was able to achieve a command shell using credentials he acquired from the PLC. Those claims have not yet been verified by ICS-CERT or Siemens.

ICS-CERT is currently working with Siemens to validate the claim.

Siemens S7-300 and S7-400 PLCs see use in a wide variety of industrial applications worldwide.

Siemens has had a tough run of late: security experts found a potential security weakness in the programming and configuration client software authentication mechanism used by the Siemens SIMATIC S7 family of programmable controllers, including the S7-200, S7-300, S7-400, and the S7-1200.

The potential exists for an attacker with access to the product or the control system communication link to intercept and decipher the product’s password and potentially make unauthorized changes to the product’s operation.

In addition, there were exploitable crashes found in the Siemens SIMATIC WinCC SCADA product. Specially crafted files can cause memory corruption or pointer issues, which can cause the system to crash.

Also, Stuxnet exploited vulnerabilities in Siemens systems. That targeted attack could have happened to any one of the vendors; it just happened that the Iranian nuclear site was running Siemens products.

As a result of that highly complex and impressive piece of software, security professionals will link Siemens and Stuxnet for years to come.
