Late this afternoon the DHS ICS-CERT published two advisories for vulnerabilities in the Siemens S7-1200 PLCs. One reports two separate improper input validation vulnerabilities and the other reports six separate vulnerabilities. All but one of the eight vulnerabilities were discovered and reported by outside researchers in coordinated disclosures. The remaining vulnerability was apparently discovered in-house.
Twin Vulnerability Advisory
This advisory describes two improper input validation vulnerabilities reported separately by Prof. Dr. Hartmut Pohl of softScheck GmbH and Arne Vidström of Swedish Defence Research Agency (FOI). Siemens ProductCERT classifies these as ‘denial of service’ vulnerabilities and reports that access to the PLCs via their Ethernet network connections is required to exploit these vulnerabilities. The two vulnerabilities are:
• CVE-2013-2780, via Port 161/UDP (SNMP); and
• CVE-2013-0700, via Port 102/TCP (ISO-TSAP).
ICS-CERT notes that a relatively unskilled attacker could remotely exploit these vulnerabilities to cause the system to go into the ‘defect mode’. Siemens reports that the devices would require manual resets after a successful attack. Joel Langill (@SCADAhacker) reported this evening: “I saw this PoC in operation firsthand … very impressive! Glad this was a good responsible disclosure. Hats off to the team.”
You can see by the CVE numbers that these vulnerabilities were initially reported last year. US-CERT originally reported them to the National Vulnerability Database (NVD) last April. Siemens published an earlier version of this advisory on December 20th, 2013. They revised it last month to reflect a better understanding of possible exploits for the second vulnerability. They published their most recent revision this morning, adding V4 to the list of potentially vulnerable versions of the PLC firmware.
The latest version of the S7-1200 firmware (v4.0) mitigates these vulnerabilities. Siemens also recommends blocking traffic to Ports 102 and 161.
Six Vulnerability Advisory
This advisory reports six separate vulnerabilities affecting the S7-1200 PLCs reported by a variety of researchers. The vulnerabilities are:
• Cross-site request forgery, CVE-2014-2249, Port 80/TCP and Port 443/TCP, Siemens self-identified;
• Improper resource shutdown or release, CVE-2014-2258, Port 443/TCP, Ralf Spenneberg from OpenSource Training;
• Insufficient entropy, CVE-2014-2250, Port 80/TCP and Port 443/TCP, Alexander Timorin, Alexey Osipov from Positive Technologies;
• Improper resource shutdown or release, CVE-2014-2252, PROFINET packets, Alexander Timorin, Alexey Osipov from Positive Technologies;
• Improper resource shutdown or release, CVE-2014-2254, Port 80/TCP, Lucian Cojocar from EURECOM; and
• Improper resource shutdown or release, CVE-2014-2256, Port 102/TCP, Sascha Zinke from the FU Berlin’s work team SCADACS.
NOTE: These CVE entries are not yet live.
NOTE: The ICS-CERT advisory gives the same CVE number for both the insufficient entropy vulnerability and the PROFINET vulnerability. The Siemens ProductCERT advisory provides the correct information shown here.
ICS-CERT reports that the vulnerabilities could be remotely exploited by a moderately skilled attacker. Four of the vulnerabilities could result in the device going into the ‘defect mode’, requiring a cold restart. The other two vulnerabilities could result in an attacker gaining control of a web session, compromising system integrity and access.
The latest version of the S7-1200 firmware (v4.0) corrects these vulnerabilities. Siemens reports in both of their advisories that v4.0 of the firmware must run on S7-1200 v4.0 CPU or higher. Upgrading to the newer CPU provides additional benefits that Siemens describes here.