Siemens Default Password Issues

Friday, December 23, 2011 @ 10:12 AM gHale

There are authentication bypass vulnerabilities affecting Siemens SIMATIC HMI products where an attacker could gain access using default usernames and passwords.

SIMATIC HMI sees use in supervisory control and data acquisition/human-machine interface (SCADA/HMI) products, according to an ICS-CERT report. Systems running affected versions of this product are accessible using a default username and password. These systems also generate an insecure authentication token for browser sessions.


Prior to public disclosure, researchers Billy Rios and Terry McCorkle notified ICS-CERT of the vulnerabilities. ICS-CERT is continuing to coordinate mitigations with the researchers and Siemens.

Siemens was previously aware of these vulnerabilities and intends to address them in Service Packs set to release in January. Siemens has also updated its product documentation with instructions for configuring a strong password and removing default passwords during initial setup.

The following software packages are vulnerable:

  • SmartAccess option package for SIMATIC WinCC flexible RT 2004, 2005, 2005 SP1, 2007, 2008, 2008 SP1, and 2008 SP2
  • SIMATIC WinCC Runtime Advanced V11, V11 SP1, and V11 SP2
  • Multiple SIMATIC Panels (TP, OP, MP, Mobile, Comfort)

Successful exploitation of these vulnerabilities could allow an attacker to log into a vulnerable system as a user or administrator.

The Siemens SIMATIC HMI product family serves as the interface between operators and the corresponding PLCs. SIMATIC HMI handles process visualization, operator control of the process, display of alarms, archiving of process values and alarms, and management of machine parameters. The software is deployed in multiple industries, including food and beverage, water and wastewater, oil and gas, and chemical.

The authentication token/cookie values set when a user (including an administrator) logs in are predictable when non-encrypted HTTP communication is used. An attacker who can observe one session over the network can therefore guess a valid token, bypass the authentication check, and escalate privileges.
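The mechanism behind a predictable-token bypass, as an added example that is not code from the original article or from Siemens. The advisory does not say how the affected products derive their tokens, so the weak issuer below is a constructed stand-in (a counter plus a one-second timestamp) chosen only to show the class of defect; the attacker is assumed to have captured one token from plain HTTP traffic. It is placed beside a CSPRNG-based issuer and a small audit heuristic you can run on tokens captured from consecutive logins to your own HMI.

```python
import secrets
import time


class WeakTokenIssuer:
    """Hypothetical weak session-token issuer (constructed for illustration,
    not Siemens' algorithm). The token is built from a per-process counter
    and a one-second timestamp, so anyone who has seen one token over plain
    HTTP can guess the next one."""

    def __init__(self, start=1000):
        self._counter = start
        self.valid = set()  # tokens the simulated HMI web server accepts

    def issue(self, username, now=None):
        self._counter += 1
        stamp = int(time.time() if now is None else now)
        token = f"{username}:{self._counter}:{stamp}"
        self.valid.add(token)
        return token

    def is_valid(self, token):
        return token in self.valid


class StrongTokenIssuer(WeakTokenIssuer):
    """Same server logic, but the token is 256 bits from the OS CSPRNG."""

    def issue(self, username, now=None):
        token = secrets.token_hex(32)
        self.valid.add(token)
        return token


def predict_next_weak(observed_token, guessed_time):
    """Attacker's guess: bump the counter, use the expected login second.
    Returns None when the token does not follow the guessable pattern."""
    parts = observed_token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, counter, _stamp = parts
    return f"{user}:{int(counter) + 1}:{int(guessed_time)}"


def attacker_hijacks(issuer, base_time=1324635600):
    """Simulate: the attacker sniffs the admin's token at login 1, then tries
    to forge the session created at login 2 one second later."""
    seen = issuer.issue("admin", now=base_time)       # captured over plain HTTP
    issuer.issue("admin", now=base_time + 1)          # next legitimate login
    forged = predict_next_weak(seen, base_time + 1)
    return forged is not None and issuer.is_valid(forged)


def stable_position_fraction(tokens):
    """Audit heuristic for tokens captured from consecutive logins: the share
    of character positions that never change. Counter/timestamp tokens score
    high; CSPRNG tokens of the same length score near zero."""
    n = min(len(t) for t in tokens)
    stable = sum(1 for i in range(n) if len({t[i] for t in tokens}) == 1)
    return stable / n


if __name__ == "__main__":
    for cls in (WeakTokenIssuer, StrongTokenIssuer):
        issuer = cls()
        captured = [issuer.issue("admin", now=1324635600 + i) for i in range(5)]
        print(cls.__name__,
              "hijacked:", attacker_hijacks(cls()),
              "stable positions:", round(stable_position_fraction(captured), 2))
```

The audit heuristic is deliberately crude: a high stable-position fraction across several logins is a strong signal that the token carries little entropy, while a low score only says the token is not trivially sequential. It does not replace a proper randomness review of the generator, and any token sent over unencrypted HTTP remains exposed to replay regardless of how it was generated.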

CVE-2011-4508 is the identifier assigned to this vulnerability. Siemens' assessment using the CVSS Version 2.0 calculator rates it with an overall CVSS score of 6.5.

There is also a default administrator password, which is weak and easily brute-forced or guessed. Siemens changed its documentation to direct users to change the password upon first login. CVE-2011-4509 is the identifier assigned to this vulnerability.

These vulnerabilities can be exploited remotely against installations that do not follow the security practices recommended by Siemens and ICS-CERT. Exploiting the default password would be very simple; exploiting the insecure token generation vulnerability would require more work and knowledge.

Siemens will address the authentication token generation vulnerability in "SIMATIC WinCC V11.0 SP 2 Update 1," scheduled for release January 13, and in "SIMATIC WinCC flexible 2008 SP3," scheduled for release January 18.

An update in product documentation tells the user how to set a proper password during initial setup to remove the risk of the default password vulnerability. Siemens has published a statement on their Industrial Security web pages that addresses these issues.
