Siemens Works to Clear SIMATIC Holes

Wednesday, November 23, 2016 @ 10:11 AM gHale


Siemens made new firmware versions available for several products and a temporary fix for the remaining affected products to mitigate vulnerabilities affecting SIMATIC CP 343-1 Advanced/CP 443-1 Advanced devices and SIMATIC S7-300/S7-400 CPUs, according to a report from ICS-CERT.

Inverse Path auditors and the Airbus ICT Industrial Security team reported these remotely exploitable vulnerabilities directly to Siemens.


The vulnerabilities affect the following SIMATIC products:
• SIMATIC CP 343-1 Advanced: All versions prior to V3.0.53
• SIMATIC CP 443-1 Advanced: All versions
• SIMATIC S7-300 CPU family: All firmware versions
• SIMATIC S7-400 CPU family: All firmware versions

Under certain conditions, an attacker could use these vulnerabilities to perform operations as an authenticated user.

Siemens is a multinational company headquartered in Munich, Germany.

Communication Processor (CP) modules SIMATIC CP 343-1 Advanced and CP 443-1 Advanced are designed to enable SIMATIC S7-300/S7-400 CPUs to communicate via Ethernet.

Several critical infrastructure sectors deploy these products, including chemical, critical manufacturing, and food and agriculture. Siemens said these products see use on a global basis.

The integrated web server at Port 80/TCP or Port 443/TCP of the affected devices could allow remote attackers to perform actions with the permissions of an authenticated user, provided the targeted user has an active session and is induced to trigger the malicious request.

CVE-2016-8673 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

In addition, the integrated web server delivers cookies without the “secure” flag. Modern browsers honor that flag by withholding the cookie from clear-text (HTTP) connections, so setting it would mitigate potential data leakage in case of clear-text transmission.

CVE-2016-8672 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.0.
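As an added illustration, not code from the advisory or from Siemens, the following Python audit parses the Set-Cookie headers of a captured HTTP response and reports any cookie delivered without the “secure” flag, the weakness behind CVE-2016-8672; the sample response and the cookie names in it are constructed, not taken from a real device.

```python
from typing import Dict, List

# Constructed sample of a response as an embedded web server might send it over
# Port 443/TCP. "session_id" is delivered without "Secure", so a browser would
# also attach it to a later clear-text request to the same host on Port 80/TCP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=c0ffee42; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure\r\n"
    "\r\n"
    "<html><body>constructed sample page</body></html>"
)


def parse_set_cookie(raw_response: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [attribute_name, ...]} for every Set-Cookie header.

    Attribute names are lower-cased because RFC 6265 treats them
    case-insensitively ("Secure", "secure" and "SECURE" are all the same flag).
    """
    headers, _, _ = raw_response.partition("\r\n\r\n")  # drop the body
    cookies: Dict[str, List[str]] = {}
    for line in headers.split("\r\n")[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        cookie_name = parts[0].split("=", 1)[0].strip()
        # Attributes may be flags ("Secure") or key=value ("Path=/"); keep the key.
        cookies[cookie_name] = [p.split("=", 1)[0].strip().lower() for p in parts[1:]]
    return cookies


def cookies_missing_secure(raw_response: str) -> List[str]:
    """Names of cookies set without the Secure flag, in header order."""
    return [name for name, attrs in parse_set_cookie(raw_response).items()
            if "secure" not in attrs]


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_RESPONSE):
        print(f"finding: cookie '{name}' is delivered without the Secure flag")
```

Pointing the same parser at a response captured from a device under your own control tells you whether a firmware update or mitigation actually changed the cookie attributes.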

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill may be able to exploit them.

Siemens provides firmware versions that fix the vulnerabilities and recommends users update to the fixed versions:
• SIMATIC CP 343-1 Advanced: Update to V3.0.53

For SIMATIC CP 443-1 Advanced devices, Siemens recommends the following mitigations:
• Restrict web server access to the internal network
• Use VPN for protecting network communication on the external network interface
• Follow operational guidelines

For SIMATIC S7-300/S7-400 CPUs, Siemens recommends the following mitigations:
• Apply cell protection concept
• Use VPN for protecting network communication between cells
• Apply Defense-in-Depth

Siemens recommends users protect network access to SIMATIC S7-300/S7-400 CPUs and to the web interface of SIMATIC CP 343-1 Advanced and CP 443-1 Advanced devices with appropriate mechanisms. Siemens also advises users to configure the operational environment according to Siemens’ Operational Guidelines for Industrial Security.

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-603476.
