Siemens Scalance Line Vulnerabilities

Friday, April 13, 2012 @ 03:04 PM gHale


Siemens issued two separate reports, and fixes, for vulnerabilities affecting its Scalance line of firewalls and switches

Siemens created a patch for two vulnerabilities in the Scalance S Security Module firewall, according to a report on ICS-CERT.

RELATED STORIES
GE, Modicon Metasploit Modules
CoDeSys, Wago Vulnerabilities
ABB WebWare Server Vulnerability
Wonderware Fixes Security Holes

One hole is a brute-force credential guessing vulnerability in the web configuration interface of the firewall and the second issue is a stack-based buffer overflow vulnerability in the Profinet DCP protocol stack.

The vulnerabilities first came to Siemens from Adam Hahn and Manimaran Govindarasu for coordinated disclosure.

The following Scalance S Security Modules suffer from the vulnerabilities: Scalance S602 V2; Scalance S612 V2, and Scalance S613 V2.

A successful exploitation of the brute-force vulnerability could allow an attacker to perform an arbitrary number of authentication attempts using a different password and eventually gain access to the targeted account.

Successful exploitation of the stack-based buffer overflow against the Profinet DCP protocol may lead to a denial of service (DoS) or possible arbitrary code execution.

The Scalance S product is a security module that includes a Stateful Inspection Firewall for industrial automation network applications. This security module should protect automation devices and industrial networks against unauthorized access and secure Ethernet-based industrial communication. It also should protect trusted industrial networks from outside facing or untrusted networks. All Scalance S Security Modules provide filtering of incoming and outgoing network connections with stateful packet inspection.

This product predominately sees use in Europe and Asia. However, there is some usage also in the U.S. The primary sectors deploying Scalance S are automotive, defense industrial base, energy, critical manufacturing, transportation systems, chemical, and water.

BRUTE-FORCE VULNERABILITY
The web server in the Scalance S Security Module does not implement sufficient measures to prevent rapid multiple authentication attempts within a short timeframe, making it susceptible to brute-force attacks by attackers with access to the web server. If the attacker obtains the administrative password, he can manipulate the configuration and gain access to the trusted network.

CVE-2012-1799 is the number assigned to this vulnerability, which has a CVSS V2 base score of 10.

STACK-BASED OVERFLOW
The Scalance S DCP protocol stack crashes when a specially crafted DCP frame is received, which may render the firewall unresponsive and interrupts established VPN tunnels. Successful exploitation of this vulnerability may lead to a DoS or possible arbitrary code execution.

CVE-2012-1800 is the number assigned to this vulnerability, which has a CVSS V2 base score of 6.1.

These vulnerabilities are remotely exploitable and an attacker with a moderate skill level would be able to exploit these vulnerabilities.

Siemens published a patch that resolves the vulnerabilities and strongly recommends installing the updates by using the following links:
The Siemens Security Advisory.
The firmware update.

Meanwhile, Siemens published a firmware update for a buffer overflow vulnerability in the web interface of the Scalance X Industrial Ethernet switch, which leaves the affected devices susceptible to a remote denial of service attack

This vulnerability came to Siemens by Jürgen Bilberger from Daimler TSS GmbH.

The following Scalance X products suffer from the issue:
• Scalance X414-3E
• Scalance X308-2M
• Scalance X-300EEC
• Scalance XR-300
• Scalance X-300

Successful exploitation of the vulnerability allows an attacker to perform malicious actions which may lead to a DoS or possible arbitrary code execution. These actions may ultimately impact the process environment.

Scalance X Industrial Ethernet switches are industrial grade Ethernet switches used to connect industrial components. This product line provides a web interface to manage controller configuration. Scalance X sees use in the agriculture and food, critical manufacturing, government facilities, dams, transportation systems, water, chemical, defense industrial base, energy, and communications sectors.

BUFFER OVERFLOW
The embedded web server does not properly sanitize URLs in HTTP requests. If an attacker requests a malformed URL from the web server, a vulnerable Scalance X switch reboots, inhibits further data transmission to the switch, and may allow arbitrary code execution.

CVE-2012-1802 is the number assigned to this vulnerability, which has a CVSS V2 base score of 7.8.

This vulnerability is remotely exploitable and an attacker with a moderate skill level would be able to exploit these vulnerabilities.

Siemens produced firmware updates that resolve this vulnerability for the listed hardware platforms. Siemens strongly recommends installing the updates as soon as possible.

Download the appropriate update from the following links:
Firmware Update Location (Scalance X414-3E).
Firmware Update Location (Scalance X308-2M, X-300EEC, XR-300, X-300).



Leave a Reply

You must be logged in to post a comment.