SIMATIC S7-1200 CPU Holes Fixed

Friday, March 21, 2014 @ 04:03 PM gHale


Siemens created a new product release that mitigates six vulnerabilities in the Siemens SIMATIC S7-1200 CPU family, according to a report on ICS-CERT.

All versions of the SIMATIC S7-1200 CPU family prior to V4.0 are vulnerable to the remotely exploitable holes, which were discovered by Siemens, Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from the FU Berlin work team SCADACS, and Positive Technologies researchers Alexey Osipov and Alex Timorin.


The six vulnerabilities discovered in the SIMATIC S7-1200 CPU firmware may allow attackers to perform denial-of-service (DoS) attacks with specially crafted HTTP(S), ISO-TSAP, or Profinet network packets. The integrated web server may also be vulnerable to cross-site request forgery (CSRF) and privilege escalation. The vulnerabilities could be exploited over the network without authentication.

Siemens is a multinational company headquartered in Munich, Germany. Products in the Siemens SIMATIC S7-1200 PLC family mainly see use in discrete and continuous control in critical infrastructure sectors such as chemical, critical manufacturing, and food and agriculture.

The integrated web server (Port 80/TCP and Port 443/TCP) of the affected PLCs could allow CSRF attacks, compromising the integrity and availability of the affected device, if social engineering is used to cause an unsuspecting user to click on a malicious link.

CVE-2014-2249 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

In the improper resource shutdown or release vulnerability, an attacker could cause the device to go into defect mode, effectively causing a DoS, if specially crafted packets are sent to Port 443/TCP (HTTPS). A cold restart is required to recover the system.

CVE-2014-2258 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

Because of low entropy in its random number generator, the integrated web server’s authentication method (Port 80/TCP and Port 443/TCP) could allow attackers to hijack web sessions over the network if the attacker can predict the session token.

CVE-2014-2250 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
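The session-hijacking issue above comes down to whether the web server's session tokens are predictable. The following is an added example, not code from Siemens or ICS-CERT, of how a defender can sanity-check a sample of tokens collected from their own device (for instance, after the firmware update) before trusting it: it measures per-byte Shannon entropy, uniqueness, and whether consecutive tokens differ by a fixed step, which is the signature of a counter-like generator. The token samples are constructed inline; the 8-byte hex token format, the 200-token sample size and the thresholds are assumptions for the illustration, not the S7-1200's actual format.

```python
import hashlib
import math
from collections import Counter

SAMPLE_SIZE = 200  # constructed sample size; a real check wants at least a few hundred tokens


def shannon_entropy_bits(symbols):
    """Shannon entropy, in bits per symbol, of an iterable of hashable symbols."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def analyse_tokens(tokens, min_bits_per_byte=2.0):
    """Summarise how predictable a sample of equal-length hex session tokens looks.

    Three independent signals are combined:
      - byte positions whose entropy across the sample is (nearly) zero,
      - the fraction of tokens that are unique,
      - whether consecutive tokens differ by a constant step (counter-like).
    """
    raw = [bytes.fromhex(t) for t in tokens]
    n = len(raw)
    length = len(raw[0])
    if n < 32 or any(len(r) != length for r in raw):
        raise ValueError("need at least 32 tokens of equal length")

    per_position = [shannon_entropy_bits(r[i] for r in raw) for i in range(length)]
    fixed_positions = [i for i, h in enumerate(per_position) if h < min_bits_per_byte]
    unique_ratio = len(set(raw)) / n

    as_ints = [int.from_bytes(r, "big") for r in raw]
    deltas = {b - a for a, b in zip(as_ints, as_ints[1:])}

    reasons = []
    if fixed_positions:
        reasons.append(f"{len(fixed_positions)} of {length} byte positions are (nearly) constant")
    if unique_ratio < 0.95:
        reasons.append(f"only {unique_ratio:.0%} of tokens are unique")
    if len(deltas) <= max(1, n // 20):
        reasons.append("consecutive tokens differ by a fixed step (counter-like generator)")

    return {
        "predictable": bool(reasons),
        "reasons": reasons,
        "fixed_positions": fixed_positions,
        # Sum of per-position entropies; the ceiling is limited by the sample size, not by 8 bits/byte.
        "observed_bits": round(sum(per_position), 1),
        "max_observable_bits": round(length * min(8.0, math.log2(n)), 1),
    }


# Constructed weak sample: fixed 4-byte prefix plus a counter stepping by 43, the kind of
# output a low-entropy generator produces. Not real S7-1200 tokens.
WEAK_TOKENS = [
    ((0xAB120000 << 32) | (0x1000 + 43 * i)).to_bytes(8, "big").hex()
    for i in range(SAMPLE_SIZE)
]

# Constructed strong sample: hash output used as a stand-in for a CSPRNG, so the example
# is deterministic. Not real S7-1200 tokens.
STRONG_TOKENS = [
    hashlib.sha256(f"constructed-session-{i}".encode()).digest()[:8].hex()
    for i in range(SAMPLE_SIZE)
]


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, analyse_tokens(sample))
```

A sample that passes this check is not proof of a good generator (it cannot see internal state or seeding), but a sample that fails it is a reliable sign that the sessions can be hijacked as the advisory describes.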

In another improper resource shutdown or release vulnerability, an attacker could cause the device to go into defect mode, effectively causing a DoS, if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system.

CVE-2014-2252 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.1.

A third improper resource shutdown or release vulnerability could cause the device to go into defect mode, effectively causing a DoS, if specially crafted packets are sent to Port 80/TCP (HTTP). A cold restart is required to recover the system.

CVE-2014-2254 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

An attacker could also cause the device to go into defect mode, effectively causing a DoS, if specially crafted packets are sent to Port 102/TCP (ISO-TSAP). A cold restart is required to recover the system.

CVE-2014-2256 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
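The DoS and session issues above all arrive over three TCP services the advisory names: HTTP (80), HTTPS (443) and ISO-TSAP (102). Until the V4.0 firmware is deployed, the practical question for an operator is who is actually reaching those ports on the PLCs. The following is an added example, not code from Siemens or ICS-CERT, of a small flow-log check that flags TCP connections to those ports on PLC addresses from clients outside an engineering allowlist. The flow-record format, the PLC addresses and the client networks are constructed for the illustration; PROFINET (the vector for CVE-2014-2252) runs directly over Ethernet and does not appear in IP flow records, so it is explicitly out of scope here.

```python
import ipaddress
from collections import Counter

# TCP services the advisory names as remotely reachable attack surface on the S7-1200.
# PROFINET is Layer-2 and is not visible in IP flow records; it needs a separate control.
PLC_SERVICE_PORTS = {80: "HTTP", 443: "HTTPS", 102: "ISO-TSAP"}

# Constructed flow records (not real logs): "timestamp src dst dport proto".
SAMPLE_FLOWS = """\
1395400001 10.10.5.20 10.10.1.15 102 tcp
1395400002 10.10.5.20 10.10.1.15 80 tcp
1395400003 192.168.77.9 10.10.1.15 443 tcp
1395400004 192.168.77.9 10.10.1.15 102 tcp
1395400005 10.10.5.21 10.10.1.16 502 tcp
1395400006 10.10.5.21 10.10.1.15 102 udp
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({
            "ts": int(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto.lower(),
        })
    return flows


def find_unexpected_plc_access(flows, plc_hosts, allowed_client_networks):
    """Return flows to PLC service ports whose source is outside the allowlisted networks."""
    plcs = {ipaddress.ip_address(h) for h in plc_hosts}
    allowed = [ipaddress.ip_network(n) for n in allowed_client_networks]
    findings = []
    for f in flows:
        # Only the TCP services named in the advisory are in scope for this check.
        if f["proto"] != "tcp" or f["dport"] not in PLC_SERVICE_PORTS:
            continue
        if ipaddress.ip_address(f["dst"]) not in plcs:
            continue
        src = ipaddress.ip_address(f["src"])
        if any(src in net for net in allowed):
            continue
        findings.append({
            "ts": f["ts"],
            "src": f["src"],
            "dst": f["dst"],
            "port": f["dport"],
            "service": PLC_SERVICE_PORTS[f["dport"]],
        })
    return findings


def summarise_by_source(findings):
    """Count findings per source address, which is what an analyst triages first."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = find_unexpected_plc_access(
        parse_flows(SAMPLE_FLOWS),
        plc_hosts=["10.10.1.15"],              # constructed PLC address
        allowed_client_networks=["10.10.5.0/24"],  # constructed engineering subnet
    )
    for h in hits:
        print(h)
    print(summarise_by_source(hits))
```

An allowlist miss on port 102 deserves attention even when the source looks benign, because ISO-TSAP is also the engineering protocol used to download programs to the CPU; one of these findings is as likely to be an undocumented HMI as an attacker, and either way it belongs on the inventory.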

No known public exploits specifically target these vulnerabilities, but an attacker with a low to moderate skill would be able to exploit these vulnerabilities.

Siemens addresses all these issues in a security advisory.

Siemens provided SIMATIC S7-1200 CPU product release V4.0.0, which fixes the reported vulnerabilities; further details are in the S7-1200 V4.0 release announcement.
