Posts Tagged ‘SIMATIC’
Monday, December 17, 2012 @ 03:12 PM gHale
There are mitigations available for a vulnerability that impacts the Siemens Automation License Manager (ALM), according to a report on ICS-CERT.
Siemens ProductCERT identified an uncontrolled resource consumption vulnerability in the Siemens ALM, which various Siemens software products use for license management. Siemens has produced a software update that fully resolves this remotely exploitable vulnerability.
An attacker who exploits this vulnerability could cause a loss of availability of the system.
All Siemens software products that include ALM versions between 4.0 and 5.2 suffer from the issue. The following product lines have the vulnerability:
• SIMATIC (e.g., STEP 7)
• SIMATIC HMI (e.g., WinCC, WinCC flexible)
• SIMATIC PCS 7
• SIMOTION (e.g., Scout)
• SIMATIC NET
• SINAMICS (e.g., Starter)
• SIMOCODE.
Attackers could exploit the vulnerability to cause memory leakage within the software, which could eventually lead to a crash of the application. The denial of service (DoS) of the ALM could lead to a DoS of associated devices that use the ALM to verify active licenses.
ALM centrally manages licenses for various Siemens software products. The products contact ALM either locally or remotely to verify their license using a proprietary protocol. To enable this license verification, ALM listens on Port 4410/TCP by default. These products deploy across several sectors including energy, healthcare, and others worldwide.
An attacker can send maliciously crafted packets to Port 4410/TCP, which will cause memory leakage and uncontrolled resource consumption, leading to a DoS. CVE-2012-4691 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
An attacker with a low skill would be able to exploit this vulnerability.
Siemens has an update that resolves this vulnerability; it applies to all versions of ALM starting with version 4.0. Siemens recommends that users contact Siemens customer support to acquire the update.
Siemens recommends blocking traffic to Port 4410/TCP from external and remote connections.
Tuesday, July 31, 2012 @ 05:07 PM gHale
A denial-of-service (DoS) vulnerability exists in the SIMATIC S7-400 V6 and SIMATIC S7-400 V5 PN CPU products. Siemens created a firmware update that mitigates the vulnerability affecting the S7-400 V6, according to a report on ICS-CERT.
Siemens will not fix the vulnerability that affects the S7-400 V5 because that product version has reached end-of-life and the company has discontinued the line. Both vulnerabilities are remotely exploitable.
Siemens said one of the vulnerabilities affects the following products within the S7-400 CPU family with firmware Versions 6.0.1 and 6.0.2:
• CPU 412-2 PN (6ES7412-2EK06-0AB0)
• CPU 414-3 PN/DP (6ES7414-3EM06-0AB0)
• CPU 414F-3 PN/DP (6ES7414-3FM06-0AB0)
• CPU 416-3 PN/DP (6ES7416-3ES06-0AB0)
• CPU 416F-3 PN (6ES7416-3FS06-0AB0)
Another vulnerability affects the following products within the S7-400 CPU family with firmware Version 5:
• CPU 414-3 PN/DP (6ES7414-3EM05-0AB0)
• CPU 416-3 PN/DP (6ES7416-3ER05-0AB0)
• CPU 416F-3 PN/DP (6ES7416-3FR05-0AB0)
When the SIMATIC S7-400 receives specially crafted packets on its Ethernet interfaces, the device can enter defect mode. A PLC in defect mode needs a manual reset to return to normal operation. No known public exploits specifically target these vulnerabilities, and an attacker with low skill could exploit them.
Siemens released security advisories that detail the vulnerabilities in the two versions of the SIMATIC S7-400 CPU and the recommended security practices to secure the systems.
Monday, November 28, 2011 @ 05:11 PM gHale
Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
A hacker calling himself Pr0f demonstrated how he could easily hack into a SCADA system controlling the water utility at the City of South Houston.
Later, he explained how South Houston had an instance of the Siemens Simatic Human Machine Interface (HMI) software accessible from the Internet. What was particularly problematic was that this connection was protected with an easy-to-hack, three-character password.
Now, while Pr0f has obviously been following the latest in hacking techniques, it is clear the team at the South Houston Water Utility is not staying current with even the most basic guidelines on good security passwords. Here are my thoughts on passwords, and some suggestions on dealing with a very imperfect security mechanism.
Passwords are a bad idea on many levels, starting with the fact that expecting people to remember strong passwords simply defies all understanding of human behavior.
As Michael Schrage outlined in his MIT Technology Review article, “The Password Is Fayleyure,” passwords “perversely inspire abuse, misuse, and criminal mischief by deliberately making users the weakest link in the security chain.” Basically, we have chosen a technology that is almost impossible for humans to manage or remember, but trivial for computers to crack, and then called it security.
Numerous studies show when faced with the difficulty of remembering “strong” passwords, people routinely pick simple passwords found in dictionaries and susceptible to brute force attacks. Furthermore, they use the same passwords over and over again, so the successful guess of a single password means numerous devices can suffer from an attack.
The situation in process control environments is even worse.
Instead of one person having to remember a password to access a personal workstation, SCADA equipment access is often shared with an entire group, resulting in even simpler passwords common to multiple devices.
This reuse of passwords has nasty consequences when combined with the many SCADA products that have broken password systems – check many PLC or RTU systems and you will find the passwords being sent in plain text over the network.
During an analysis of an oil refinery, I discovered the PLC password that was trivial to capture off the network was the same one that the controls group used for accessing more robust systems like Windows servers. Once I had the PLC password, I could happily log into the servers as an administrator. At least if they had stuck with the PLC manufacturer’s default passwords, I would have had to work harder to crack the server’s passwords.
Since we are stuck using passwords, I do have a few thoughts on how to make the best out of a bad situation. First, there is good guidance on how to pick memorable, yet more difficult to crack passwords. One of my favorites is from the paper “Password Memorability and Security: Empirical Results.” The authors showed security can be significantly improved if administrators provide explicit guidance on how a password should be chosen. They also provide examples on developing that guidance and my favorite is the following (paraphrased from the paper):
“Choosing a good password is critical to maintaining the security of this system. To construct a good password, create a simple sentence of 8 or more words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and special character should be inserted as well.
“An example is the phrase “It’s 12 noon and I am hungry” which can be used to create the password “I’s12n&Iah”. Under no circumstances should the password contain a word that could be found in a dictionary, is a product or area name or be made up of only letters or numbers.”
It is also critical to make sure passwords used for weak systems (like PLCs) or weak protocols (like FTP or HTTP) are not the same as the passwords used for stronger systems. One client rated their control systems in terms of password robustness and then had “throw-away” passwords for systems that sent passwords over the network in plain text.
Frankly, I think passwords as a whole are a complete security disaster – unfortunately one that we are going to have to live with for a few years to come. Since we are stuck with them, I would like to hear what real SCADA and process control engineers are doing about their passwords on the plant floor. Send your ideas and questions and together we will make our systems more secure.
Eric Byres is chief technology officer at Byres Security. Click here to read the full version of the Practical SCADA Security blog.
Monday, November 21, 2011 @ 04:11 PM gHale
Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
There was a cyber attack reported on the water SCADA system at the Curran-Gardner Township Public Water District, in Illinois. Now it seems a second water utility has suffered a hack attack, this time in the City of South Houston.
The incident first came to light in an Illinois state cyber fusion notice dated Nov. 10, and then security researcher Joe Weiss published a blog post on the event and shared some information with Wired Magazine and KrebsOnSecurity:
“Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia…
“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”
One thought is the attackers breached the IT systems of the company that either manages or makes the SCADA systems used at Curran-Gardner and stole customer usernames and passwords. The attackers then used this information to infiltrate the Curran-Gardner SCADA system.
The ink wasn’t dry on the news of the first attack when a hacker using the name “pr0f” or “@pr0f_srs” published information of a successful penetration of the South Houston Water Utility. This attacker used an unrelated technique to gain access to the water utility and then posted several screenshots of the control system on PasteBin.
Pr0f makes it very clear that his was not a malicious attack, only a proof-of-concept to show SCADA systems are very insecure:
“I dislike, immensely, how the DHS tend to downplay how absolutely (expletive deleted) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done. So, y’know … the city of South Houston has a really insecure system. Wanna see? I know ya do.
“I’m not going to expose the details of the box. No damage was done to any of the machinery; I don’t really like mindless vandalism. It’s stupid and silly.
“On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic.”
Pr0f then wrote a second, very articulate article on PasteBin explaining why he did the attack. Pr0f makes some good points:
“It’s not as grim and war-like as the media are making it out to be, at all. ‘Cyber war’ and all of that is little more than hype, and I’d like to address that in a moment. But it is a sign that the security-poor institutional culture in automation needs changing, and needs changing fast…
“I would like to go on record and say that the main reason I did what I (did) yesterday was essentially because I know I am not the only person with an interest in these systems. I also know I am not the only person who has explored them and read up on them. However, at least I am going public(ish) and trying to draw attention to the topic…
“I don’t think I am alone in suggesting that the gravity of the problem is more serious than ICS-CERT and similar are equipped to deal with. I would love to see some real reform and discussions between the government, manufacturers of ICS, and people who use these systems happening, because there seems to be a huge disconnect between the parties involved.”
The sad fact is quite a few companies and industries are still not taking security seriously. Even these two incidents probably won’t be enough of a wakeup call for most companies. I hope it won’t take a disaster to get the SCADA users, vendors and government moving toward making our critical infrastructures more robust and secure.
Eric Byres is chief technology officer at Byres Security. Click here to read the full version of the Practical SCADA Security blog.
Tuesday, September 13, 2011 @ 04:09 PM gHale
A memory corruption vulnerability exists in the WinCC Runtime Advanced Loader, a component of Siemens SIMATIC WinCC flexible and TIA Portal.
Independent security researchers Billy Rios and Terry McCorkle found the vulnerability and are coordinating the issue with ICS-CERT and Siemens.
Siemens has not issued a patch to address this vulnerability, but the industrial automation giant has provided recommended mitigations to assist asset owners with protecting their systems. ICS-CERT originally released an advisory on Sept. 1, but delayed public notice to allow users sufficient time to download and install the update.
The following software packages are vulnerable: Siemens SIMATIC WinCC flexible Runtime, and Siemens SIMATIC WinCC (TIA Portal) Runtime Advanced.
Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on the targeted human-machine interface system.
Siemens SIMATIC WinCC flexible and WinCC (TIA Portal) Runtime Advanced are software packages used for the visualization and operation of machines and small systems. These products run on standard PCs or on Siemens panel PCs. This software sees use in industries such as food and beverage, water and wastewater, oil and gas, and chemical.
In terms of the vulnerability, the runtime loader does not properly sanitize inputs on 2308/TCP. A specially crafted packet can result in memory corruption, leading to a denial of service. Remote code execution may also be possible.
The vulnerability is remotely exploitable if a system has undergone configuration with the WinCC flexible Runtime Loader and WinCC (TIA Portal) Runtime Advanced Loader enabled.
Siemens will not patch this vulnerability. The WinCC flexible Runtime Loader and WinCC (TIA Portal) Runtime Advanced Loader feature is disabled by default and only sees use when updating firmware. Siemens has updated the product documentation to advise users to disable this feature except when it is needed for a firmware update.
Siemens recommends that its customers protect control systems according to Control Systems Security Program (CSSP) recommended security practices and configure the environment according to the Siemens operational guidelines. Users should monitor network traffic to 2308/TCP and control traffic to the WinCC system.
Click here for Siemens Security Advisory.
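Both this advisory (monitor 2308/TCP to the WinCC system) and the ALM advisory above (block 4410/TCP from external and remote connections) come down to the same check: who is talking to these services, and from where. The following is an added example, not Siemens or ICS-CERT code, that runs that check over constructed flow records; the authorized engineering subnet and the record format are assumptions.

```python
import ipaddress
from collections import Counter

# The two service ports named in the advisories on this page.
WATCHED_PORTS = {4410: "Siemens ALM", 2308: "WinCC Runtime Loader"}

# Assumption: only hosts in the engineering/automation network may reach these
# services. Constructed range for illustration.
AUTHORIZED_NETS = [ipaddress.ip_network("10.10.20.0/24")]

# Constructed flow records (not from any real capture), one per line:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2012-12-17T14:02:11 10.10.20.15 10.10.20.5 4410 tcp
2012-12-17T14:02:40 203.0.113.7 10.10.20.5 4410 tcp
2012-12-17T14:03:02 10.10.20.15 10.10.20.8 2308 tcp
2012-12-17T14:03:05 198.51.100.22 10.10.20.8 2308 tcp
2012-12-17T14:03:09 198.51.100.22 10.10.20.8 2308 tcp
2012-12-17T14:03:30 10.10.20.15 10.10.20.8 80 tcp
"""


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower()


def is_authorized(ip, nets=AUTHORIZED_NETS):
    return any(ip in net for net in nets)


def find_unauthorized(flows_text, watched=WATCHED_PORTS):
    """Return (alerts, per_source_count) for TCP flows to a watched port whose
    source is outside the authorized nets. The per-source count surfaces repeated
    attempts, which matter for a resource-exhaustion issue like the ALM one."""
    alerts, per_source = [], Counter()
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        if proto != "tcp" or dport not in watched or is_authorized(src):
            continue
        per_source[str(src)] += 1
        alerts.append(f"{ts} {src} -> {dst}:{dport} ({watched[dport]}) from outside the engineering net")
    return alerts, per_source


if __name__ == "__main__":
    found, counts = find_unauthorized(SAMPLE_FLOWS)
    print("\n".join(found))
    print(dict(counts))
```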