Today ICS-CERT published an advisory for an improper access control vulnerability in the Siemens interface cards used to connect workstations to PROFINET IO. The vulnerability was reported by Christopher Scheuring and Jürgen Bilberger of Daimler TSS GmbH in a coordinated disclosure.
ICS-CERT notes that a relatively low-skilled attacker could remotely exploit this vulnerability to conduct a DoS attack or execute arbitrary code. The Siemens security advisory for this vulnerability notes that it is exploited by sending specially crafted packets to network port 17185/UDP. Siemens recommends that the devices only be deployed on trusted networks.
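Since the advisory gives only a port number and a "trusted networks" recommendation, the check a practitioner would want is whether anything outside those networks is talking to 17185/UDP at all. The script below is an added example, not code from Siemens, ICS-CERT or this blog: it parses a one-line-per-flow export (the record format, the subnets treated as trusted and the sample records are all assumptions constructed for illustration) and reports UDP flows to 17185 from sources outside the trusted ranges, ignoring TCP flows to the same port number because the advisory names the UDP port only.

```python
"""Spot traffic to the 17185/UDP debugging port from outside the trusted networks.

Added example, not from the Siemens or ICS-CERT advisories. The flow-record
format and the trusted subnets are assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

DEBUG_PORT = 17185  # the UDP port named in the Siemens advisory

# Assumption: these two subnets are the PROFINET segment and the engineering
# workstations, i.e. the "trusted networks" the advisory refers to.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("10.20.30.0/24"),
]

# Assumed export format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>[A-Za-z]+)\s+(?P<bytes>\d+)$"
)


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    size: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for comments, blanks and malformed lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["proto"].lower(), int(m["bytes"]))


def is_trusted(ip: str, trusted=TRUSTED_NETWORKS) -> bool:
    """True if the address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def find_debug_port_hits(lines, trusted=TRUSTED_NETWORKS) -> List[Flow]:
    """Return UDP flows to DEBUG_PORT whose source is outside the trusted networks.

    TCP flows to the same port number are ignored: the advisory names 17185/UDP only.
    """
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.proto != "udp" or flow.dport != DEBUG_PORT:
            continue
        if not is_trusted(flow.src, trusted):
            hits.append(flow)
    return hits


# Constructed sample export: one ordinary PROFINET flow, one debug-port probe
# from a trusted host, two from untrusted hosts, one TCP flow to the same port
# number, and a comment line the parser must skip.
SAMPLE_FLOWS = """\
2013-03-20T10:00:01Z 192.168.10.5:49152 -> 192.168.10.50:34964 udp 80
2013-03-20T10:00:02Z 192.168.10.5:49153 -> 192.168.10.50:17185 udp 64
2013-03-20T10:00:03Z 172.16.4.9:51000 -> 192.168.10.50:17185 udp 1400
2013-03-20T10:00:04Z 172.16.4.9:51001 -> 192.168.10.51:17185 tcp 60
# exporter restarted
2013-03-20T10:00:05Z 203.0.113.7:40000 -> 192.168.10.50:17185 udp 1500
"""

if __name__ == "__main__":
    for hit in find_debug_port_hits(SAMPLE_FLOWS.splitlines()):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.dport}/udp "
              f"{hit.size} bytes (untrusted source)")
```

The probe from 192.168.10.5 is deliberately not flagged: a trusted host sending to the debugging port is exactly what the "trusted networks only" recommendation tolerates, so it belongs in a separate, lower-priority report rather than in this alert.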
Siemens has developed a firmware patch that closes the default debugging port that underlies the vulnerability. Once again, ICS-CERT does not say whether the efficacy of the firmware patch has been evaluated by the original researchers or by ICS-CERT. Again, we are left to wonder whether this is an editorial oversight or whether there are questions about the effectiveness of the patch.
Siemens ProductCERT published an advisory on this vulnerability on February 13th and last updated it on February 18th. Here it is more than a month later, and ICS-CERT is just now getting around to publishing its advisory.
Another Siemens Vulnerability
I don’t routinely check the Siemens ProductCERT web site unless there is an ICS-CERT report on a Siemens product; there are just too many web sites and so little time. Today I found another vulnerability reported by Siemens back in February that has yet to be acknowledged by ICS-CERT. This one has to do with multiple stack-based buffer overflow vulnerabilities in the OZW and OZS web servers for the Siemens building control systems. The vulnerabilities would allow DoS attacks and remote code execution.
These vulnerabilities were reported by HD Moore of Rapid7. Actually, the vulnerabilities exist in a third-party library (libupnp) for the UPnP protocol. Rapid7 has produced Metasploit modules for some of the vulnerabilities. It is standard procedure for Rapid7 to publish exploit code for the vulnerabilities it identifies once the vendor has had a chance to publish a fix.
Since these vulnerabilities exist in a third-party library, they may affect a large number of other products that use the UPnP protocol and the libupnp library.