Yesterday ICS-CERT published two ICS advisories: a follow-up to an earlier alert concerning a vulnerability in the WellinTech KingView application, and a Siemens S7-1200 PLC vulnerability.
The WellinTech advisory is an update of an earlier alert on an uncoordinated disclosure made by Dr. Wesley McGrew of Mississippi State University. Dr. McGrew reported at DEFCON 20 that user credentials were not securely hashed, allowing usernames and passwords to be decrypted using a simple mathematical algorithm.
This advisory reports that a relatively low-skilled attacker with access to the publicly available exploit can obtain usernames and passwords to gain access to systems. WellinTech has created a patch that increases the complexity of the password encryption algorithm. The advisory does not report that ICS-CERT or Dr. McGrew has confirmed the efficacy of the patch.
Monday Siemens published an advisory based upon a coordinated disclosure by Positive Technologies of a cross-site scripting vulnerability in the S7-1200 Web Application Module; today ICS-CERT published their advisory based upon the Siemens report.
According to Siemens the S7-1200 PLCs have an embedded web server that can be enabled by the user. If a social engineering attack convinces a user to access a malicious web site the attacker “could manipulate what the browser displays when viewing the S7-1200’s web pages, steal session cookies, or redirect the user’s browser to a malicious web site”.
Siemens has developed a firmware update that is available through their regional Technical Support Centers. The ICS-CERT advisory does not confirm that the update mitigates the vulnerability.
Another Siemens Vulnerability
The Siemens security website lists another vulnerability published yesterday. It refers to a buffer overflow vulnerability in the SiPass integrated access control system. I would suppose the reason that this was not reported by ICS-CERT is that the system is not a ‘real’ control system in that it doesn’t control any industrial processes. Owners of such systems would, however, certainly be interested in a vulnerability that would allow an attacker to conduct a denial of service attack on a security system. Siemens has produced a hot fix for this vulnerability that is available through customer service.