Today the DHS ICS-CERT published advisories for multiple vulnerabilities in three separate products from Siemens: Scalance, WinCC and COMOS. While the vulnerabilities in WinCC were reported by Alexander Tlyapov of Positive Technologies, the remaining vulnerabilities were identified internally.
The vulnerabilities include (Note: links on product names are to the respective Siemens ProductCERT report):
• SQL injection: CVE-2013-3957;
• Hard-coded credentials: CVE-2013-3958;
• Forced browsing: CVE-2013-3959; and
• Permissions, privileges, and access controls: CVE-2013-3927.
ICS-CERT reports that a relatively low-skilled attacker could exploit these vulnerabilities. The Scalance and WinCC vulnerabilities could be exploited remotely, but the COMOS vulnerability requires local access by an authenticated user. The Scalance vulnerabilities would allow an attacker to execute arbitrary commands. The WinCC vulnerabilities could allow an attacker to gain full system access. The COMOS vulnerability would allow an attacker to gain full access to information stored in the COMOS library.
Software updates have been developed by Siemens for all three products. Siemens ProductCERT has verified that the modifications mitigate the vulnerabilities (Note: I would have been happier to hear that Alexander Tlyapov had been asked to validate the WinCC update). The updates can be found at the links listed below:
• WinCC; and
The Siemens ProductCERT web page provides data on when these vulnerabilities were published by that organization (Scalance 5-24-13; WinCC 6-14-13; and COMOS 6-18-13). The same-day publication of the COMOS vulnerability by ICS-CERT is pretty impressive; the three-week delay for the Scalance advisory is not so much.