Siemens S7-1200 PLC
Well, the ICS security community has been waiting for this Alert since May 19th, when Dillon Beresford pulled his Siemens vulnerability talk at Takedown. We have been hearing talk about an FOUO (For Official Use Only) version of this alert for the last couple of days, but now we have a ‘properly sanitized’ version for public consumption. The Alert notes that “ICS-CERT and Siemens have confirmed that these vulnerabilities [reported by Dillon] could allow an attacker with automation network access to execute various unauthorized commands against the S7-1200 PLC”.
The Alert goes on to say that today Siemens published “a Security Advisory and patch to address a portion of the reported vulnerabilities [emphasis added]”. Both the advisory and patch are available on the Siemens web site. The ICS-CERT Alert also includes the following additional mitigation measures:
• ICS-CERT and Siemens recommend that customers disable the embedded web server in TIA Portal Version 11 if it is not critical to operations.
• ICS-CERT and Siemens recommend that customers apply a properly configured, strong password. The same password should not be reused across the automation network, where possible.
• Apply defense-in-depth strategies for both enterprise and control system networks;
• Restrict connections between the enterprise and control system networks, where possible.
• Restrict remote access to enterprise and control system networks and diligently monitor any remote connections allowed; employ Virtual Private Network (VPN) connections for any remote system access.
There are an awful lot of qualifiers in those recommendations (“if it is not critical to operations”, “where possible”). That seems to indicate that ICS-CERT doesn’t really expect it to be practical to implement all of the suggested security measures. Oh well, we didn’t really want secure control systems, did we?
More interesting is that this Alert does not provide even a general description of the vulnerabilities that were ‘patched’ in this initial Siemens response. I understand the reluctance to describe the unpatched vulnerabilities, but withholding even a generic description of the patched ones makes one suspect that the patch is not really that successful.
Rockwell RSLinx Classic Advisory
This Advisory comes via the CERT Coordination Center and it concerns a program bundled with Rockwell’s RSLinx Classic, the Electronic Data Sheet (EDS) Hardware Installation Tool. The buffer overflow vulnerability in that tool could allow an attacker to execute arbitrary code that could be used to “subvert any other security service” (an interesting new phrase for an ICS-CERT advisory).
The Advisory notes that this attack would require an authorized user to load a malformed EDS file. This would, according to the advisory, not allow the attacker to “initiate the exploit from a remote machine”. That may be technically true, except that the spear-phishing or other social-engineering attack that tricks the user into loading the malicious file can certainly be sent from a remote machine.
Rockwell does have a patch available, and ICS-CERT provides links to two documents that contain information about spear phishing and other social engineering attacks.
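The file-borne vector the Advisory describes, as an added illustration that is not code from this page, from Rockwell or from ICS-CERT: a hypothetical parser for an EDS-like “key = value;” text format, first with the unbounded copy that turns a malformed file into a code-execution vector, then with a bounds-checked form that rejects oversized values instead of truncating or overrunning. The format handling, the field names, FIELD_MAX and both sample documents are constructed for illustration; the Advisory gives no detail of the actual RSLinx bug and none is assumed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed field-buffer size of the hypothetical parser (illustrative value,
 * nothing here is taken from the real EDS Hardware Installation Tool). */
#define FIELD_MAX 64

/* Vulnerable pattern: the text after '=' is copied into a fixed stack buffer
 * with no length check. A value longer than FIELD_MAX-1 bytes overruns it,
 * which is how a malformed file becomes arbitrary code execution. Called
 * below only with a benign line; an oversized value is undefined behaviour. */
int vulnerable_read_value(const char *line)
{
    char buf[FIELD_MAX];
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    strcpy(buf, eq + 1);              /* BUG: unbounded copy of file-controlled data */
    return (int)strlen(buf);
}

/* Hardened form: measure the value first and refuse anything that will not
 * fit in the caller's buffer (NUL included). Leading blanks and the trailing
 * ';' / line ending are stripped. Returns 0 on success, -1 on malformed
 * input or an oversized value. */
int safe_read_value(const char *line, char *out, size_t outlen)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL || outlen == 0)
        return -1;
    const char *val = eq + 1;
    while (*val == ' ' || *val == '\t')
        val++;
    size_t n = strlen(val);
    while (n > 0 && (val[n - 1] == ';' || val[n - 1] == ' ' ||
                     val[n - 1] == '\r' || val[n - 1] == '\n'))
        n--;
    if (n >= outlen)                  /* reject, never silently truncate */
        return -1;
    memcpy(out, val, n);
    out[n] = '\0';
    return 0;
}

/* Does parsing `line` with the hardened routine yield exactly `expected`? */
int value_equals(const char *line, const char *expected)
{
    char out[FIELD_MAX];
    return safe_read_value(line, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

/* Walk a whole document ("[Section]" headers and lines without '=' are
 * skipped) and count entries the hardened parser rejects; any non-zero
 * count means "do not load this file". */
int count_rejected_lines(const char *doc)
{
    int rejected = 0;
    char out[FIELD_MAX];
    const char *p = doc;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[4096];
        if (len >= sizeof line) {
            rejected++;               /* absurdly long line: reject outright */
        } else {
            memcpy(line, p, len);
            line[len] = '\0';
            if (line[0] != '[' && strchr(line, '=') != NULL &&
                safe_read_value(line, out, sizeof out) != 0)
                rejected++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return rejected;
}

/* Constructed, EDS-like benign sample (not a real vendor file). */
const char BENIGN_DOC[] =
    "[File]\n"
    "DescText = \"Example device\";\n"
    "CreateDate = 06-10-2011;\n"
    "[Device]\n"
    "VendCode = 1;\n";

/* Build a constructed hostile document whose ProdName value is `n` bytes of
 * 'A' and report how many entries the hardened parser rejects (0 or 1). */
int hostile_doc_rejected(size_t n)
{
    const char head[] = "[Device]\nProdName = ";
    const char tail[] = ";\n";
    char *doc = malloc(sizeof head - 1 + n + sizeof tail);
    if (doc == NULL)
        return -1;
    memcpy(doc, head, sizeof head - 1);
    memset(doc + sizeof head - 1, 'A', n);
    memcpy(doc + sizeof head - 1 + n, tail, sizeof tail);   /* copies the NUL too */
    int r = count_rejected_lines(doc);
    free(doc);
    return r;
}

int main(void)
{
    printf("benign doc: %d rejected entries\n", count_rejected_lines(BENIGN_DOC));
    printf("hostile doc (200-byte value): %d rejected entries\n", hostile_doc_rejected(200));
    printf("vulnerable parser on a benign line copied %d bytes\n",
           vulnerable_read_value("VendCode = 1;"));
    return 0;
}
```

The point of the hardened version is that the decision is made on the measured length before any copy happens, and that an oversized value fails the whole file load rather than being clipped, since a tool that quietly truncates will still happily process the attacker's file. The same check belongs in every place a file-supplied string meets a fixed buffer, not just the one field shown.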
BTW: The ICS-CERT document numbering system gets a little annoying here. Both of these documents have the same number (11-161-01) with different prefixes (‘ICSA’ for the Rockwell advisory and ‘ICS-ALERT’ for the Siemens alert). With just a quick glance one might assume that they are the same document. We are supposed to be more alert than that, but I wouldn’t have designed the numbering system this way.