Posts Tagged ‘SIMATIC’

Friday, March 21, 2014 @ 04:03 PM gHale

Siemens created a new product release that mitigates six vulnerabilities in the Siemens SIMATIC S7-1200 CPU family, according to a report on ICS-CERT.

All versions of the SIMATIC S7-1200 CPU family prior to V4.0 are vulnerable to the remotely exploitable holes, which were discovered by Siemens, Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from the FU Berlin’s work team SCADACS, and Positive Technologies researchers Alexey Osipov and Alex Timorin.


The six vulnerabilities discovered in the SIMATIC S7-1200 CPU firmware may allow attackers to perform denial-of-service (DoS) attacks with specially crafted HTTP(S), ISO-TSAP, or PROFINET network packets. The integrated web server may also be vulnerable to cross-site request forgery (CSRF) and privilege escalation. All of them can be exploited over the network without authentication.

Siemens is a multinational company headquartered in Munich, Germany. Products in the Siemens SIMATIC S7-1200 PLC family mainly see use in discrete and continuous control in critical infrastructure sectors such as chemical, critical manufacturing, and food and agriculture.

The integrated web server (Port 80/TCP and Port 443/TCP) of the affected PLCs could allow CSRF attacks that compromise the integrity and availability of the device, if social engineering is used to get an unsuspecting user who is logged in to the web server to click on a malicious link.

CVE-2014-2249 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

In the first of the improper resource shutdown or release vulnerabilities, an attacker could put the device into defect mode, effectively causing a DoS, by sending specially crafted packets to Port 443/TCP (HTTPS). A cold restart is required to recover the system.

CVE-2014-2258 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

Because of low entropy in its random number generator, the integrated web server’s authentication method (Port 80/TCP and Port 443/TCP) could allow attackers to hijack web sessions over the network if the attacker can predict the session token.

CVE-2014-2250 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
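To make the two web-server findings above concrete, here is an added example (not Siemens code, and not a description of the S7-1200's actual generator): a toy session server whose token generator is seeded with only 16 bits of entropy, an attacker routine that recovers the generator state from the one token it was legitimately issued and predicts the next user's session ID, the same server built on the OS CSPRNG, and the per-session synchronizer token check that defeats the CSRF case described above. The seed width, boot seed and token format are assumptions.

```python
"""Why a low-entropy session token is hijackable, plus a CSRF check for the
same web server.  Added example, not Siemens code.  Assumption: the 'weak'
server models the flaw as a PRNG seeded with only SEED_BITS bits at boot."""
import hashlib
import hmac
import random
import secrets
from typing import Optional

SEED_BITS = 16     # assumed entropy of the weak generator's boot seed
TOKEN_BITS = 48    # session token width (12 hex digits)


def _fmt(bits: int) -> str:
    """Render a token as fixed-width lowercase hex."""
    return "%0*x" % (TOKEN_BITS // 4, bits)


class WeakSessionServer:
    """Issues session IDs from a PRNG whose whole state is fixed by a small seed."""

    def __init__(self, boot_seed: int) -> None:
        self._rng = random.Random(boot_seed)   # the flaw: tiny seed space

    def new_session(self) -> str:
        return _fmt(self._rng.getrandbits(TOKEN_BITS))


class StrongSessionServer:
    """Issues session IDs from the OS CSPRNG; there is no seed to recover."""

    def new_session(self) -> str:
        return secrets.token_hex(TOKEN_BITS // 8)


def predict_next_token(observed: str, max_sessions: int = 8) -> Optional[str]:
    """Attacker holding one legitimately issued token (their own login):
    brute-force (seed, draw index), clone the generator at that point and
    return the token the server will hand to the *next* user.  Returns None
    when no seed in the search space reproduces the observed token."""
    for seed in range(1 << SEED_BITS):
        rng = random.Random(seed)
        for _ in range(max_sessions):
            if _fmt(rng.getrandbits(TOKEN_BITS)) == observed:
                return _fmt(rng.getrandbits(TOKEN_BITS))
    return None


def csrf_token(secret: bytes, session_id: str) -> str:
    """Synchronizer token: HMAC of the session ID under a server-side secret,
    embedded in every state-changing form the server renders."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def accept_state_change(secret: bytes, cookie_session: str,
                        form_token: Optional[str]) -> bool:
    """Server-side check for POST handlers.  A page on another origin can make
    the browser send the session cookie, but cannot read the token from the
    PLC's own page, so a forged request arrives without it or with a wrong one."""
    if form_token is None:
        return False
    return hmac.compare_digest(csrf_token(secret, cookie_session), form_token)


def demo() -> dict:
    """Walk both scenarios and return the facts worth checking."""
    server = WeakSessionServer(boot_seed=0xBEEF)     # assumed boot seed
    server.new_session()                            # operator A logs in
    server.new_session()                            # operator B logs in
    attacker_token = server.new_session()           # attacker logs in
    predicted = predict_next_token(attacker_token)  # attacker predicts next ID
    victim_token = server.new_session()             # operator C logs in

    secret = secrets.token_bytes(32)                # server CSRF secret
    legit = accept_state_change(secret, victim_token, csrf_token(secret, victim_token))
    forged = accept_state_change(secret, victim_token, None)  # cross-site POST
    return {"predicted": predicted, "victim": victim_token,
            "legit": legit, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Recovering a 16-bit seed takes well under a second on a laptop; the point is the comparison rather than the numbers. Every bit of seed entropy doubles the attacker's work, whereas `secrets.token_hex` has no recoverable seed at all, and the same brute force against a token from `StrongSessionServer` finds nothing.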

A second improper resource shutdown or release vulnerability lets an attacker put the device into defect mode, effectively causing a DoS, by sending specially crafted PROFINET packets to the device. A cold restart is required to recover the system.

CVE-2014-2252 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.1.

A third improper resource shutdown or release vulnerability puts the device into defect mode, effectively causing a DoS, when specially crafted packets are sent to Port 80/TCP (HTTP). A cold restart is required to recover the system.

CVE-2014-2254 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

Finally, an attacker could put the device into defect mode, effectively causing a DoS, by sending specially crafted packets to Port 102/TCP (ISO-TSAP). A cold restart is required to recover the system.

CVE-2014-2256 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

No known public exploits specifically target these vulnerabilities, but an attacker with low to moderate skill could exploit them.

Siemens addresses all these issues in a security advisory.

Siemens provided SIMATIC S7-1200 CPU product release V4.0.0, which fixes the reported vulnerabilities.

Monday, December 17, 2012 @ 03:12 PM gHale

There are mitigations available for a vulnerability that impacts the Siemens Automation License Manager (ALM), according to a report on ICS-CERT.

Siemens ProductCERT identified an uncontrolled resource consumption vulnerability in the Siemens ALM, which sees use in license management by various Siemens software products. Siemens has produced a software update that fully resolves this remotely exploitable vulnerability.


Successful exploitation of this vulnerability results in loss of availability of the system.

All Siemens software products that include ALM versions between 4.0 and 5.2 suffer from the issue. The following product lines have the vulnerability:
• SIMATIC (e.g., STEP 7)
• SIMATIC HMI (e.g., WinCC, WinCC flexible)
• SIMATIC PCS 7
• SIMOTION (e.g., Scout)
• SIMATIC NET
• SINAMICS (e.g., Starter)
• SIMOCODE.

Attackers could exploit the vulnerability to cause memory leakage within the software, which could eventually lead to a crash of the application. The denial of service (DoS) of the ALM could lead to a DoS of associated devices that use the ALM to verify active licenses.

ALM centrally manages licenses for various Siemens software products. The products contact ALM either locally or remotely to verify their license using a proprietary protocol. To enable this license verification, ALM listens on Port 4410/TCP by default. These products deploy across several sectors including energy, healthcare, and others worldwide.

An attacker can send maliciously crafted packets to Port 4410/TCP, causing memory leakage and uncontrolled resource consumption that leads to a DoS. CVE-2012-4691 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

An attacker with low skill would be able to exploit this vulnerability.

Siemens has an update that resolves this vulnerability; it applies to all versions of ALM from version 4.0 onward. Siemens recommends that users contact Siemens customer support to obtain the update.

Siemens recommends blocking traffic to Port 4410/TCP from external and remote connections.

Thursday, September 20, 2012 @ 06:09 PM gHale

There is a mitigation available for Siemens’ insecure HTTPS certificate storage vulnerability in the S7-1200 v2.x, according to a report on ICS-CERT.

The remotely exploitable vulnerability affects the SIMATIC S7-1200 V2.x.


An attacker may obtain the private key of the S7-1200 certificate authority used for HTTPS and use it to create a forged certificate for a man-in-the-middle attack.

Products in the Siemens SIMATIC S7-1200 programmable logic controller (PLC) family see use for process control in industrial environments such as manufacturing, power generation and distribution, food and beverages, and chemical industries worldwide.

The certificate authority (CA) for HTTPS connections, installed on the Siemens SIMATIC S7-1200 PLC, stores its private key insecurely. This key is used for signing certificates. Once the key is obtained, an attacker can create a forged certificate and use it to mount a man-in-the-middle attack against any browser that already trusts this device’s CA.

The PLC also has a separate private key used to dynamically generate its own certificate. This key is different from the CA private key and is not vulnerable to this attack. CVE-2012-3037 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Siemens recommends that users remove the S7-1200 CA certificate from the Web browser’s certificate store. The procedure is specific to each browser. Once this is done, the browser will warn when connecting to an S7-1200 PLC; the user can then manually confirm the identity of the PLC (by checking the certificate fingerprint the browser shows against a value obtained out of band, not merely by clicking through the warning) and accept its certificate in the browser. This has to be done once for each S7-1200 PLC on the network.

Tuesday, July 31, 2012 @ 05:07 PM gHale

A denial-of-service (DoS) vulnerability exists in the SIMATIC S7-400 V6 and SIMATIC S7-400 V5 PN CPU products. Siemens created a firmware update that mitigates the vulnerability affecting the S7-400 V6, according to a report on ICS-CERT.

Siemens will not fix the vulnerability that affects the S7-400 V5, because that product version has reached end-of-life and the company discontinued the line. Both vulnerabilities are remotely exploitable.


Siemens said one of the vulnerabilities affects the following products within the S7-400 CPU family with firmware Versions 6.0.1 and 6.0.2:
• CPU 412-2 PN (6ES7412-2EK06-0AB0)
• CPU 414-3 PN/DP (6ES7414-3EM06-0AB0)
• CPU 414F-3 PN/DP (6ES7414-3FM06-0AB0)
• CPU 416-3 PN/DP (6ES7416-3ES06-0AB0)
• CPU 416F-3 PN (6ES7416-3FS06-0AB0)

Another vulnerability affects the following products within the S7-400 CPU family with firmware Version 5:
• CPU 414-3 PN/DP (6ES7414-3EM05-0AB0)
• CPU 416-3 PN/DP (6ES7416-3ER05-0AB0)
• CPU 416F-3 PN/DP (6ES7416-3FR05-0AB0)

When the SIMATIC S7-400 receives specially crafted packets on its Ethernet interfaces, the device can go into defect mode. A PLC in defect mode needs a manual reset to return to normal operation. No known public exploits specifically target these vulnerabilities, but an attacker with low skill could exploit them.

Siemens released security advisories that detail the vulnerabilities in the two versions of the SIMATIC S7-400 CPU and the recommended security practices to secure the systems.

Thursday, June 7, 2012 @ 12:06 PM gHale

An update is available for multiple vulnerabilities in the Siemens WinCC 7.0 SP3 web server and web applications.

The vulnerabilities came to light when independent researchers Gleb Gritsai, Alexander Zaitsev, Sergey Scherbel, Yuri Goltsev, Dmitry Serebryannikov, Sergey Bobrov, Denis Baranov, Andrey Medov from Positive Technologies identified the holes, according to a report from ICS-CERT. In the process of analyzing the issues, Siemens found an additional vulnerability.


Siemens created an update that resolves all of these remotely exploitable vulnerabilities except the buffer overflow in DiagAgent; that component is no longer supported, so users should mitigate the issue by disabling the service.

These vulnerabilities may allow an attacker to gain unauthorized access, read from, or write to files and settings on the target system.

Siemens SIMATIC HMI is a software package used as an interface between the operator and the programmable logic controllers (PLCs) controlling the process. SIMATIC HMI performs the following tasks: Process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. This software sees use across industries such as food and beverage, water and wastewater, oil and gas, and chemical.

WinCC web applications are susceptible to reflected cross-site scripting because they do not filter out characters when parsing URL parameters. Exploitation of this vulnerability may give an attacker authenticated access to WinCC web applications. CVE-2012-2595 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

Web applications do not filter out special characters when parsing URL parameters. An attacker may exploit this vulnerability to read or write settings on the system. CVE-2012-2596 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.5.

Web applications do not sanitize URL parameters. That means an authenticated attacker can read arbitrary files on the system. CVE-2012-2597 is the number assigned to this vulnerability, which has a CVSS V2 base score of 6.8.

The DiagAgent Web server is for remote diagnostic purposes and disabled by default. If enabled, the service does not sanitize user input correctly. Specially crafted input can crash the DiagAgent, disabling the remote diagnostic service. CVE-2012-2598 is the number assigned to this vulnerability, which has a CVSS V2 base score of 4.3.

A Web application accepts a parameter in an HTTP GET request and interprets it as a URL, and the victim’s browser is then redirected to that URL. If a victim clicks on a link prepared by an attacker, the browser could go to a malicious Web site instead of the WinCC system. CVE-2012-3003 is the number assigned to this vulnerability, which has a CVSS v2 base score of 3.4.

While no known exploits specifically target these vulnerabilities, an attacker with low skill would be able to take advantage of them.

Siemens released a security advisory and produced an update that resolves all vulnerabilities except the buffer overflow in DiagAgent. The update is available in Update 2 for WinCC V7.0 SP3. Siemens recommends applying this patch as soon as possible.
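The three parameter-handling faults above (a parameter reflected into a page without escaping, a file path built from a parameter, and a redirect target taken straight from a GET parameter) are the general shape of the WinCC web findings. The following is an added example, not WinCC code: one hardened function for each pattern, with REPORT_ROOT and the sample parameter values assumed for illustration.

```python
"""Hardened handling of three URL-parameter patterns: reflection (XSS),
file-name parameters (arbitrary file read) and redirect parameters (open
redirect).  Added example, not WinCC code; REPORT_ROOT is an assumption."""
import html
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

REPORT_ROOT = Path("/var/wincc/reports").resolve()   # assumed base directory


def render_reflected(value: str) -> str:
    """Reflect a parameter into HTML with <, >, &, ' and " escaped, so the
    browser treats the value as text rather than markup or attribute syntax."""
    return "<p>Tag: %s</p>" % html.escape(value, quote=True)


def resolve_report_path(name: str) -> Optional[Path]:
    """Confine a user-supplied file name to REPORT_ROOT.  Absolute paths,
    '..' segments and embedded NUL bytes all fail the containment check,
    which is done on the fully resolved path rather than on the raw string."""
    if "\x00" in name:
        return None
    try:
        candidate = (REPORT_ROOT / name).resolve()
        candidate.relative_to(REPORT_ROOT)   # ValueError if outside the root
    except ValueError:
        return None
    return candidate


def safe_redirect_target(target: str) -> str:
    """Allow only a path on this application.  Anything carrying a scheme or
    host (https://evil, //evil, ///evil, /\\evil, javascript:) or control
    or whitespace characters falls back to the application root."""
    if not target or any(ord(c) < 0x20 or c.isspace() or c == "\\" for c in target):
        return "/"
    if target.startswith("//"):          # scheme-relative, incl. ///host
        return "/"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return "/"
    return target


if __name__ == "__main__":
    print(render_reflected("<script>alert(1)</script>"))
    print(resolve_report_path("../../etc/passwd"))
    print(safe_redirect_target("//evil.example/"))
```

The backslash and leading-slash rules in `safe_redirect_target` matter because browsers normalise `/\host` and `///host` to a host-relative URL even though `urlsplit` reports no host for them; a check that only looks at `netloc` would let those through.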

Monday, November 28, 2011 @ 05:11 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres
A hacker calling himself Pr0f demonstrated how he could easily hack into a SCADA system controlling the water utility at the City of South Houston.

Later, he explained how South Houston had an instance of the Siemens Simatic Human Machine Interface (HMI) software accessible from the Internet. What was particularly problematic was this connection was protected with an easy-to-hack, three-character password.


Now while Pr0f has been obviously following the latest in hacking techniques, it is clear the team at the South Houston Water Utility is not staying current with even the most basic guidelines on good security passwords. Here are my thoughts on passwords, and some suggestions on dealing with a very imperfect security mechanism.

Passwords are a bad idea on many levels, starting with the fact that expecting people to remember strong passwords simply defies all understanding of human behavior.

As Michael Schrage outlined in his MIT Technology Review article, “The Password Is Fayleyure,” passwords “perversely inspire abuse, misuse, and criminal mischief by deliberately making users the weakest link in the security chain.” Basically, we have chosen a technology that is almost impossible for humans to manage or remember, but trivial for computers to crack, and then called it security.

Numerous studies show when faced with the difficulty of remembering “strong” passwords, people routinely pick simple passwords found in dictionaries and susceptible to brute force attacks. Furthermore, they use the same passwords over and over again, so the successful guess of a single password means numerous devices can suffer from an attack.

The situation in process control environments is even worse.

Instead of one person having to remember a password to access a personal workstation, SCADA equipment access is often shared with an entire group, resulting in even simpler passwords common to multiple devices.

This reuse of passwords has nasty consequences when combined with the many SCADA products that have broken password systems – check many PLC or RTU systems and you will find the passwords being sent in plain text over the network.

During an analysis of an oil refinery, I discovered the PLC password that was trivial to capture off the network was the same one that the controls group used for accessing more robust systems like Windows servers. Once I had the PLC password, I could happily log into the servers as an administrator. At least if they had stuck with the PLC manufacturer’s default passwords, I would have had to work harder to crack the server’s passwords.

Since we are stuck using passwords, I do have a few thoughts on how to make the best out of a bad situation. First, there is good guidance on how to pick memorable, yet more difficult to crack passwords. One of my favorites is from the paper “Password Memorability and Security: Empirical Results.” The authors showed security can be significantly improved if administrators provide explicit guidance on how a password should be chosen. They also provide examples on developing that guidance and my favorite is the following (paraphrased from the paper):

“Choosing a good password is critical to maintaining the security of this system. To construct a good password, create a simple sentence of 8 or more words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and special character should be inserted as well.

“An example is the phrase “It’s 12 noon and I am hungry” which can be used to create the password “I’s12n&Iah”. Under no circumstances should the password contain a word that could be found in a dictionary, is a product or area name or be made up of only letters or numbers.”

It is also critical to make sure passwords used for weak systems (like PLCs) or weak protocols (like FTP or HTTP) are not the same as the passwords used for stronger systems. One client rated their control systems in terms of password robustness and then had “throw-away” passwords for systems that sent passwords over the network in plain text.

Frankly, I think passwords as a whole are a complete security disaster – unfortunately one that we are going to have to live with for a few years to come. Since we are stuck with them, I would like to hear what real SCADA and process control engineers are doing about their passwords on the plant floor. Send your ideas and questions and together we will make our systems more secure.
Eric Byres is chief technology officer at Byres Security.

Monday, November 21, 2011 @ 04:11 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres
There was a cyber attack reported on the water SCADA system at the Curran-Gardner Township Public Water District, in Illinois. Now, it seems like a second water utility suffered from a hack attack. This time in the City of South Houston.

The incident first came to light in an Illinois state cyber fusion notice dated Nov. 10 and then security researcher Joe Weiss filed a blog on the event and shared some information with Wired Magazine and KrebsOnSecurity:


“Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia…

“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”

One thought is the attackers breached the IT systems of the company that either manages or makes the SCADA systems used at Curran-Gardner and stole customer usernames and passwords. The attackers then used this information to infiltrate the Curran-Gardner SCADA system.

The ink wasn’t dry on the news of the first attack when a hacker using the name “pr0f” or “@pr0f_srs” published information of a successful penetration of the South Houston Water Utility. This attacker used an unrelated technique to gain access to the water utility and then posted several screenshots of the control system on PasteBin.

Pr0f makes it very clear that his was not a malicious attack, only a proof-of-concept to show SCADA systems are very insecure:

“I dislike, immensely, how the DHS tend to downplay how absolutely (expletive deleted) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done. So, y’know … the city of South Houston has a really insecure system. Wanna see? I know ya do.

“I’m not going to expose the details of the box. No damage was done to any of the machinery; I don’t really like mindless vandalism. It’s stupid and silly.

“On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic.”

Pr0f then wrote a second, very articulate article on PasteBin explaining why he did the attack. Pr0f makes some good points:

“It’s not as grim and war-like as the media are making it out to be, at all. ‘Cyber war’ and all of that is little more than hype, and I’d like to address that in a moment. But it is a sign that the security-poor institutional culture in automation needs changing, and needs changing fast…

“I would like to go on record and say that the main reason I did what I (did) yesterday was essentially because I know I am not the only person with an interest in these systems. I also know I am not the only person who has explored them and read up on them. However, at least I am going public(ish) and trying to draw attention to the topic…

“I don’t think I am alone in suggesting that the gravity of the problem is more serious than ICS-CERT and similar are equipped to deal with. I would love to see some real reform and discussions between the government, manufacturers of ICS, and people who use these systems happening, because there seems to be a huge disconnect between the parties involved.”

The sad fact is quite a few companies and industries are still not taking security seriously. Even these two incidents probably won’t be enough of a wakeup call for most companies. I hope it won’t take a disaster to get the SCADA users, vendors and government moving toward making our critical infrastructures more robust and secure.
Eric Byres is chief technology officer at Byres Security.

Tuesday, September 13, 2011 @ 04:09 PM gHale

There is a memory corruption vulnerability in the WinCC Runtime Advanced Loader, a component of Siemens SIMATIC WinCC flexible and TIA Portal.

Independent security researchers Billy Rios and Terry McCorkle found the vulnerability and are coordinating the issue with ICS-CERT and Siemens.


Siemens has not issued a patch to address this vulnerability, but the industrial automation giant has provided recommended mitigations to help asset owners protect their systems. ICS-CERT originally released an advisory on Sept. 1 but delayed public notice to allow users sufficient time to apply the mitigations.

The following software packages are vulnerable: Siemens SIMATIC WinCC flexible Runtime, and Siemens SIMATIC WinCC (TIA Portal) Runtime Advanced.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on the targeted human-machine interface (HMI) system.

Siemens SIMATIC WinCC flexible and WinCC (TIA Portal) Runtime Advanced is a software package used for visualization and machine operation in small systems. These products run on standard PCs or on Siemens panel PCs. This software sees use in industries such as food and beverage, water and wastewater, oil and gas, and chemical.

In terms of the vulnerability, the runtime loader does not properly sanitize inputs on 2308/TCP. A specially crafted packet can result in memory corruption, leading to a denial of service. Remote code execution may also be possible.

The vulnerability is remotely exploitable if the system is configured with the WinCC flexible Runtime Loader or the WinCC (TIA Portal) Runtime Advanced Loader enabled.

Siemens will not patch this vulnerability. The WinCC flexible Runtime Loader and WinCC (TIA Portal) Runtime Advanced Loader feature is disabled by default and is only needed when updating firmware. Siemens has updated the product documentation to advise users to keep this feature disabled except while a firmware update is in progress.

Siemens recommends their customers protect control systems according to Control Systems Security Program (CSSP) recommended security practices and they configure the environment according to the Siemens operational guidelines. Users should monitor network traffic to 2308/TCP and control traffic to the WinCC system.
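Both the ALM advisory above (block 4410/TCP from external and remote connections) and this one (monitor 2308/TCP) come down to the same control: knowing who reaches these ports. The following is an added example, not Siemens or ICS-CERT code, that flags connections to either port from outside an assumed automation-cell subnet in constructed Zeek-style conn.log lines; the subnet, UIDs and addresses are made up for illustration.

```python
"""Flag reachability of the ALM license port (4410/TCP) and the WinCC
Runtime Loader (2308/TCP) from outside the automation cell.  Added example;
the subnet and the sample log lines are constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Assumed: the only subnet that should ever reach these services.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

WATCHED_PORTS = {4410: "Siemens ALM license service", 2308: "WinCC Runtime Loader"}

# Constructed sample in Zeek conn.log column order:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1389600001.1\tCx1\t10.20.0.15\t51044\t10.20.0.10\t4410\ttcp
1389600002.2\tCx2\t198.51.100.7\t40211\t10.20.0.10\t4410\ttcp
1389600003.3\tCx3\t10.20.0.15\t51050\t10.20.0.11\t2308\ttcp
1389600004.4\tCx4\t203.0.113.9\t33123\t10.20.0.11\t2308\ttcp
1389600005.5\tCx5\t10.20.0.15\t51060\t10.20.0.10\t443\ttcp
1389600006.6\tCx6\t203.0.113.9\t33124\t10.20.0.11\t2308\tudp
"""


def parse_conn_line(line: str) -> Optional[Dict]:
    """Parse one tab-separated connection record; header, comment and
    malformed lines yield None."""
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    ts, uid, src, sport, dst, dport, proto = fields[:7]
    try:
        return {
            "ts": float(ts), "uid": uid,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def is_trusted(addr) -> bool:
    """True if the address lies inside one of the trusted subnets."""
    return any(addr in net for net in TRUSTED_NETS)


def find_exposed_service_access(lines: Iterable[str]) -> List[Dict]:
    """Report TCP connections to the watched ports.  From outside the trusted
    subnet the severity is high (the port should be unreachable there).  From
    inside, 2308/TCP is still reported as a notice, because the loader should
    be disabled except during a firmware update."""
    alerts = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in WATCHED_PORTS:
            continue
        service = WATCHED_PORTS[rec["dport"]]
        if not is_trusted(rec["src"]):
            alerts.append({"uid": rec["uid"], "severity": "high",
                           "reason": "%s reached from untrusted %s" % (service, rec["src"])})
        elif rec["dport"] == 2308:
            alerts.append({"uid": rec["uid"], "severity": "notice",
                           "reason": "%s in use from %s; expected only during a firmware update"
                                     % (service, rec["src"])})
    return alerts


if __name__ == "__main__":
    for alert in find_exposed_service_access(SAMPLE_CONN_LOG.splitlines()):
        print(alert["severity"], alert["uid"], alert["reason"])
```

Run against the constructed sample this reports Cx2 and Cx4 as high (the license port and the loader reached from outside the cell) and Cx3 as a notice; the 443/TCP session and the UDP record are ignored. On a real sensor the same logic would consume Zeek's conn.log directly, with the trusted subnets taken from the site's network inventory.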


 
 