ICS-CERT: Siemens Simatic WinCC Vulnerabilities

Tuesday, January 31, 2012

This advisory is a follow-up to a previous advisory titled “ICSA-11-356-01 – Siemens HMI Authentication Vulnerabilities” that was published December 22, 2011, on the ICS-CERT web page and an alert titled “ICS-ALERT-11-332-02A – Siemens SIMATIC WinCC Flexible Vulnerabilities” that was published December 2, 2011, on the ICS-CERT web page.

ICS-CERT has received reports from independent security researchers Billy Rios, Terry McCorkle, Shawn Merdinger, and Luigi Auriemma detailing several vulnerabilities in the Siemens Simatic WinCC Human-Machine Interface (HMI) application.

ICS-CERT has coordinated with these researchers and Siemens to validate these vulnerabilities and include mitigation strategies in the latest Siemens service packs.

AFFECTED PRODUCTS

According to Siemens, the following software packages are vulnerable:

• WinCC flexible versions 2004, 2005, 2007, 2008
• WinCC V11 (TIA Portal)
• Multiple SIMATIC HMI panels (TP, OP, MP, Comfort Panels, Mobile Panels)
• WinCC V11 Runtime Advanced
• WinCC flexible Runtime

The following related products are not affected:

• WinCC V11 (TIA Portal) Basic
• WinCC V11 (TIA Portal) Runtime Professional
• WinCC V6.x and V7.x

IMPACT

Successful exploitation of these vulnerabilities could allow an attacker to log on to a vulnerable system as a user or administrator with the ability to execute arbitrary code or obtain full access to files on the system.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Siemens SIMATIC HMI is a software package used as an interface between the operator and the programmable logic controllers (PLCs) controlling the process.

SIMATIC HMI performs the following tasks: process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. This software is used in many industries, including food and beverage, water and wastewater, oil and gas, and chemical.

VULNERABILITIES OVERVIEW

1. INSECURE AUTHENTICATION TOKEN GENERATION

When a user (or administrator) logs on, the application sets predictable authentication token/cookie values. This can allow an attacker to bypass authentication checks and escalate privileges.

CVE-2011-4508 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.
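The defect class in #1 is a session token whose next value can be derived from the current one, so a cookie is all an attacker needs to step into another user's session. The added example below is not Siemens code and does not reproduce the WinCC algorithm, which the advisory does not describe: `predictable_token()` is a stand-in for a counter-style token, `strong_token()` draws from the operating system CSPRNG, `looks_sequential()` is a quick test a reviewer can run over a sample of captured tokens, and `SessionStore` keeps user and role server-side so the cookie carries no privilege claim that could be tampered with. All names are this example's own.

```python
import hashlib
import secrets
import time
from typing import Optional

# Added illustration, not Siemens code. The product's real token algorithm
# is not on the page; predictable_token() only models the defect class.


def predictable_token(counter: int) -> str:
    """Weak: a per-logon counter rendered as hex. Anyone who sees one token
    can compute its neighbours, which is the essence of vulnerability #1."""
    return f"{counter:032x}"


def strong_token() -> str:
    """256 bits from the OS CSPRNG, URL-safe encoded; unguessable by construction."""
    return secrets.token_urlsafe(32)


def looks_sequential(tokens, radix: int = 16) -> bool:
    """Cheap predictability check over a sample of tokens: True when every
    consecutive pair differs by the same constant (a counter in disguise)."""
    try:
        values = [int(t, radix) for t in tokens]
    except ValueError:  # not even a number in that radix, so not a plain counter
        return False
    if len(values) < 3:
        return False
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1


class SessionStore:
    """Server-side session table keyed by SHA-256(token).

    The cookie value is opaque: user and role live in this table, so there
    is nothing in the cookie a client could edit to escalate privileges.
    """

    def __init__(self, ttl_seconds: int = 900):
        self.ttl_seconds = ttl_seconds
        self._sessions = {}  # sha256(token) -> (user, role, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, role: str, now: Optional[float] = None) -> str:
        """Create a session and return the token to set as the cookie."""
        now = time.time() if now is None else now
        token = strong_token()
        self._sessions[self._key(token)] = (user, role, now + self.ttl_seconds)
        return token

    def lookup(self, presented: str, now: Optional[float] = None):
        """Return (user, role) for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        key = self._key(presented)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, role, expires_at = entry
        if now > expires_at:
            del self._sessions[key]  # expired sessions are dropped on first use
            return None
        return user, role


if __name__ == "__main__":
    sample = [predictable_token(i) for i in range(4200, 4205)]  # constructed sample
    print("counter tokens look sequential:", looks_sequential(sample))
    print("random tokens look sequential:", looks_sequential([strong_token() for _ in range(5)]))
    store = SessionStore(ttl_seconds=600)
    cookie = store.issue("operator", "user")
    print("cookie maps to:", store.lookup(cookie))
```

`looks_sequential()` only catches the simplest pattern (a fixed stride); tokens derived from a timestamp or a weak PRNG need a larger sample and a proper randomness test, but a fixed stride is exactly the case where one observed logon is enough to forge the next.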

2. WEAK DEFAULT PASSWORDS

The default administrator password is weak and easily brute forced. Siemens has changed the documentation to encourage users to change the password at first login.

CVE-2011-4509 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.

3. CROSS-SITE SCRIPTING VULNERABILITIES

SIMATIC HMI Smart Options web server is vulnerable to two separate cross-site scripting attacks that may allow elevation of privileges, data theft, or service disruption.

CVE-2011-4510 and CVE-2011-4511 have been assigned to these vulnerabilities. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 4.3.

4. HEADER INJECTION VULNERABILITY

The HMI web server is vulnerable to header injection that may allow elevation of privileges, data theft, or service disruption. CVE-2011-4512 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 4.3.

5. CLIENT-SIDE ATTACK VIA SPECIALLY CRAFTED FILES

This vulnerability can allow an attacker to execute arbitrary code via specially crafted project files. This may require social engineering to get the operator to download the files and execute them. CVE-2011-4513 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.

6. LACK OF TELNET DAEMON AUTHENTICATION

SIMATIC panels include a telnet daemon by default; however, the daemon does not include any authentication functions. CVE-2011-4514 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.

7. STRING STACK OVERFLOW

The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not properly validate the length of data segments and Unicode strings, which may cause a stack overflow. This vulnerability may lead to remote code execution.

CVE-2011-4875 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.

8. DIRECTORY TRAVERSAL

The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not properly validate incoming strings. This allows an attacker full access (read, write, and execute) to any file within the file system.

CVE-2011-4876 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.

9. DENIALS OF SERVICE

The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not sufficiently validate incoming data. Multiple vulnerabilities allow a denial-of-service (DoS) attack, which leads to a program crash.

CVE-2011-4877 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 7.1.
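Vulnerabilities #7 and #9 share one root cause: the runtime loader trusts the length fields and string contents of what arrives on the transfer port. The added example below is not Siemens code and the wire format is constructed for illustration (the real transfer protocol is not documented on the page): each segment is a little-endian 16-bit byte count followed by a UTF-16-LE string. The parser checks every declared length against a fixed ceiling and against the bytes actually present, requires an even byte count, caps the segment count, and decodes strictly, so malformed input produces a `ProtocolError` instead of an overrun or a crash. `MAX_SEGMENT_BYTES` and `MAX_SEGMENTS` are assumed limits.

```python
import struct
from typing import List, Optional

# Added illustration, not Siemens code. The segment format and the limits
# below are constructed for this example.
MAX_SEGMENT_BYTES = 512   # assumed per-string ceiling, independent of the sender
MAX_SEGMENTS = 64         # assumed cap on strings per message


class ProtocolError(ValueError):
    """Raised for any input the parser refuses; the connection should be dropped."""


def encode_message(strings: List[str]) -> bytes:
    """Build a well-formed message: [u16 byte length][UTF-16-LE payload]..."""
    out = bytearray()
    for s in strings:
        payload = s.encode("utf-16-le")
        out += struct.pack("<H", len(payload)) + payload
    return bytes(out)


def parse_message(data: bytes) -> List[str]:
    """Parse with bounds checked before any byte of payload is touched."""
    strings: List[str] = []
    offset = 0
    while offset < len(data):
        if len(strings) >= MAX_SEGMENTS:
            raise ProtocolError("too many segments")
        if len(data) - offset < 2:
            raise ProtocolError("truncated length field")
        (length,) = struct.unpack_from("<H", data, offset)
        offset += 2
        # UTF-16 code units are two bytes; an odd count can never be valid.
        if length % 2:
            raise ProtocolError("odd byte length for UTF-16 string")
        # The ceiling is ours, not the sender's: this is what bounds the copy.
        if length > MAX_SEGMENT_BYTES:
            raise ProtocolError("declared length exceeds limit")
        # Never read past the buffer on the strength of a declared length.
        if length > len(data) - offset:
            raise ProtocolError("declared length exceeds remaining data")
        payload = data[offset:offset + length]
        try:
            strings.append(payload.decode("utf-16-le"))  # strict: lone surrogates fail
        except UnicodeDecodeError as exc:
            raise ProtocolError("invalid UTF-16") from exc
        offset += length
    return strings


def rejection_reason(data: bytes) -> Optional[str]:
    """Return why a message is rejected, or None if it parses cleanly."""
    try:
        parse_message(data)
    except ProtocolError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = encode_message(["Tank1", "Füllstand"])           # constructed input
    print(parse_message(good))
    # A length field claiming 65534 bytes with only 8 bytes behind it.
    print(rejection_reason(b"\xfe\xff" + b"A\x00" * 4))
    print(rejection_reason(b"\x10\x00" + b"A\x00"))          # 16 declared, 2 present
```

The order of the checks matters: the ceiling check runs before the remaining-data check so that an attacker cannot learn the buffer size by probing, and both run before the payload slice, which is the point at which a C implementation would have done the unchecked copy.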

10. DIRECTORY TRAVERSAL

The HMI web server does not properly validate URLs within HTTP requests on Ports 80/TCP and 443/TCP. By manipulating URLs with encoded backslashes, directory traversal is possible. This allows an attacker read access for all files within the file system.

CVE-2011-4878 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 7.8.
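Both traversal findings (#8 in the runtime loader, #10 in the web server) come down to mapping an attacker-supplied string onto the file system without first pinning it under an allowed root, and #10 specifically notes that encoded backslashes get through. The added example below is not Siemens code; it is one way to write that check. It percent-decodes once and refuses anything still encoded, rejects NUL and backslash outright (so `%5c` cannot become a separator later), rejects every `..` segment, normalises, and finally confirms the joined path is still inside the root. POSIX-style paths are used for the illustration; the containment logic is the same on a Windows host. `resolve_request_path` and `why_rejected` are this example's own names and the root `/srv/hmi/www` is constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Added illustration, not Siemens code. The root and all paths below are
# constructed for this example.


class PathRejected(ValueError):
    """Raised for a request path that must not be served."""


def resolve_request_path(web_root: str, raw_url_path: str) -> str:
    """Map a request path onto a file under web_root, or raise PathRejected.

    The caller is assumed to have stripped any query string already.
    """
    root = posixpath.normpath(web_root)
    decoded = unquote(raw_url_path)
    # Decode exactly once; anything still encoded is a second layer
    # (e.g. %252e) that a later component might decode again.
    if "%" in decoded:
        raise PathRejected("double-encoded character")
    if "\x00" in decoded:
        raise PathRejected("NUL byte")
    # A backslash is a separator on Windows; refuse it instead of reasoning
    # about it, which is how an encoded backslash (%5c) gets stopped.
    if "\\" in decoded:
        raise PathRejected("backslash in path")
    if not decoded.startswith("/"):
        raise PathRejected("path must be absolute")
    if ".." in decoded.split("/"):
        raise PathRejected("parent directory reference")
    # Collapse "//" and "/./" so the containment test sees a canonical form.
    relative = posixpath.normpath(decoded).lstrip("/")
    full = posixpath.normpath(posixpath.join(root, relative))
    # Belt and braces: even after the checks above, require that the result
    # is the root itself or strictly beneath it.
    if posixpath.commonpath([root, full]) != root:
        raise PathRejected("escapes web root")
    return full


def why_rejected(web_root: str, raw_url_path: str) -> Optional[str]:
    """Return the rejection reason, or None if the path is acceptable."""
    try:
        resolve_request_path(web_root, raw_url_path)
    except PathRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    ROOT = "/srv/hmi/www"  # constructed
    for path in ["/index.html", "/css//style.css",
                 "/..%5c..%5cwindows/win.ini", "/../../etc/passwd",
                 "/%252e%252e/x", "/%2e%2e/x"]:
        print(f"{path!r:36} -> {why_rejected(ROOT, path) or resolve_request_path(ROOT, path)}")
```

Rejecting every `..` segment, rather than normalising it away, is deliberate: a legitimate client never needs to ask for a parent directory, and a flat refusal is easier to audit and to alert on than a canonicalisation step whose corner cases (leading `..` at the root, mixed separators) are exactly what #10 exploited.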

11. ARBITRARY MEMORY READ ACCESS

The HMI web server does not properly validate HTTP requests. By manipulating the first byte within a URL, the server switches to a special interpretation of the URL. This allows an attacker to read the application process memory and perform a DoS attack by specifying invalid memory locations.

CVE-2011-4879 has been assigned to this vulnerability.

VULNERABILITY DETAILS

EXPLOITABILITY

An attacker would need user interaction to exploit vulnerability #5. The remaining vulnerabilities can be exploited remotely.

EXISTENCE OF EXPLOIT

Publicly available exploits are known to specifically target vulnerabilities #1, #2, and #7 through #11. No known publicly available exploits specifically target vulnerabilities #3 through #6.

DIFFICULTY

These vulnerabilities would be very simple for a skilled attacker to exploit.
Exploiting vulnerability #5 requires social engineering to convince the user to accept and load the malformed file. This decreases the likelihood of a successful exploit.

MITIGATION

Each of the reported vulnerabilities has been addressed by Siemens, as follows:

• Insecure authentication token generation (#1), cross-site scripting (#3), header injection vulnerability (#4), HMI web server directory traversal (#10), and arbitrary memory read access vulnerabilities (#11). Patches are included in Siemens’ WinCC V11 (TIA Portal) SP2 Update 1 and WinCC flexible 2008 SP3.

• Weak default passwords (#2). Product documentation contained in WinCC V11 (TIA Portal) SP2 Update 1, and WinCC flexible 2008 SP3 has been updated to tell the user how to set a proper password during initial setup.

• Client-side attack via specially crafted files (#5), runtime loader string stack overflow (#7), runtime loader directory traversal (#8), runtime loader DoS (#9). Siemens recommends that users deactivate the transfer mode after device configuration, because the transport mode provides full access to the device. The transport mode was implemented under the assumption that the software would be running in a protected industrial environment. Siemens strongly recommends that users protect systems according to recommended security practices and configure the environment according to the operational guidelines.

• Lack of telnet daemon authentication (#6). Siemens strongly recommends that users protect systems according to recommended security practices and configure the environment according to the operational guidelines. As telnet is a clear-text protocol, customers are advised to be aware of the corresponding risks. Users have the option of disabling the telnet function on SIMATIC panels when telnet is not actively being used. The telnet daemon is disabled by default in product versions WinCC flexible 2008 SP3 and newer, as well as WinCC V11 (TIA Portal) SP2 and newer.

Neither ICS-CERT nor the researchers who discovered the vulnerabilities have validated that the Siemens mitigations successfully resolve the reported vulnerabilities.

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf
