Yesterday DHS ICS-CERT published an advisory for the Siemens Simatic RF Manager. The advisory addresses a buffer overflow vulnerability in an ActiveX component, self-identified by Siemens.
According to the advisory the vulnerability could be exploited remotely, but only through a social engineering attack that gets an operator to visit a malicious web site from a system running the Simatic RF Manager. A successful exploit could result in the execution of arbitrary code.
Siemens has produced a patch that is available through customer support.
Missed Siemens-Reported Vulnerability
While researching this vulnerability I noticed that ICS-CERT does not appear to have reported a separate vulnerability that Siemens disclosed before Christmas. The Siemens CERT web page provides a link to a Siemens advisory on a denial-of-service vulnerability in the Siemens Simatic S7-1200 PLCs. Siemens reports that it is working on a fix for this problem.
Actually, this self-reported vulnerability exposes a gap in the ICS-CERT vulnerability reporting system. An ICS-CERT ‘alert’ is issued when there is an uncoordinated disclosure of a vulnerability, to provide information while ICS-CERT works with the vendor on mitigating it. An ICS-CERT ‘advisory’ is issued once mitigation measures have been developed. There is no specific tool for reporting a vulnerability that the vendor has itself disclosed while mitigation measures are still pending.
As more vendors take their responsibility to self-report security issues more seriously, this type of situation will become more common. ICS-CERT needs to address it.
BTW: Kudos to Siemens for self-reporting the unmitigated vulnerability and for acknowledging the efforts of the independent researchers who identified it: Dr. Hartmut Pohl, softScheck GmbH, and Arne Vidstrom, Swedish Defence Research Agency.