Some weeks it seems that every day there is a new set of advisories from DHS ICS-CERT; this is one of those weeks. Today ICS-CERT published advisories for Siemens WinCC and the Morpho Itemizer. Oh, and they missed listing the Morpho advisory on both the landing page and the Advisories page; they did tweet about it though. When you get busy, mistakes happen unless you have good administrative controls in place.
This advisory is based upon coordinated disclosures from an anonymous researcher and a separate report from Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai of Positive Technologies. Siemens has prepared an update that is reported to mitigate the multiple vulnerabilities, but there is no indication that the researchers have had a chance to verify the efficacy of the fix.
The vulnerabilities include:
• Forced browsing – CVE-2014-4682 – could allow unauthenticated access to data;
• Session fixation – CVE-2014-4683 – could allow remote privilege escalation;
• Improper privilege management – CVE-2014-4684 – could allow database privilege escalation;
• Permissions, privileges and access control – CVE-2014-4685 – could allow a local user to escalate their privileges; and
• Hard-coded cryptographic key – CVE-2014-4686 – could allow privilege escalation.
ICS-CERT reports that a low-to-moderately skilled attacker could remotely (except for CVE-2014-4685) exploit these vulnerabilities. Siemens reports that they have produced an update that mitigates the vulnerabilities in WinCC and expect an update for Simatic PCS7 next month. In addition, they suggest the following actions be taken until a hard fix can be established:
• Limit the WebNavigator server access to trusted networks/clients only
• Ensure that the WebNavigator clients authenticate themselves against the WebNavigator server (e.g. use client certificates)
• Restrict access to the WinCC database server at port 1433/tcp to trusted entities
• Deactivate all unnecessary OS users on WinCC server
• Run WinCC server and engineering stations within a trusted network, or
• Ensure that the WinCC server and the engineering stations communicate via encrypted channels only (e.g. establish a VPN tunnel).
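The third and fourth items on that list can be checked on the server itself. The following PowerShell audit script is an added example (not from Siemens or ICS-CERT) that reports whether anything is listening on 1433/tcp, which inbound firewall rules open that port and from where, and which local OS accounts are enabled but not on an expected list; the trusted subnets and expected account names are constructed placeholders, and it assumes the NetSecurity and LocalAccounts modules (Windows 8/2012 or later) in an elevated session.

```powershell
# Added audit example, not part of the advisory or of WinCC.
# Constructed placeholder values: replace with the real trusted client
# networks and the OS accounts the WinCC installation actually needs.
$TrustedRemotes = @('10.10.20.0/24', '10.10.21.5')
$ExpectedUsers  = @('Administrator', 'WinCCService')

# 1. Is the WinCC database (SQL Server, 1433/tcp) listening, and on which address?
$sqlListener = Get-NetTCPConnection -LocalPort 1433 -State Listen -ErrorAction SilentlyContinue
if (-not $sqlListener) {
    Write-Output '1433/tcp: nothing listening'
} else {
    foreach ($l in $sqlListener) {
        Write-Output ("1433/tcp listening on {0} (PID {1})" -f $l.LocalAddress, $l.OwningProcess)
    }
}

# 2. Enabled inbound Allow rules that open 1433/tcp; flag any whose remote
#    scope is 'Any' instead of being restricted to trusted entities.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '1433' -or $port.LocalPort -eq 'Any')) {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $scope  = if ($remote -contains 'Any') { 'OPEN TO ANY (restrict this)' } else { $remote -join ',' }
        Write-Output ("Rule '{0}' allows {1}/tcp from: {2}" -f $_.DisplayName, ($port.LocalPort -join ','), $scope)
    }
}

# 3. Enabled local OS users that are not on the expected list are candidates
#    for deactivation per the "unnecessary OS users" item above.
Get-LocalUser | Where-Object { $_.Enabled -and ($_.Name -notin $ExpectedUsers) } | ForEach-Object {
    Write-Output ("Unexpected enabled OS user: {0}" -f $_.Name)
}

# Corrective rule for item 2, shown but not applied automatically: an inbound
# rule for 1433/tcp scoped to the trusted remotes only.
# New-NetFirewallRule -DisplayName 'WinCC DB (trusted clients only)' -Direction Inbound `
#     -Protocol TCP -LocalPort 1433 -RemoteAddress $TrustedRemotes -Action Allow
```

Run it before and after applying the interim mitigations to confirm that the 1433/tcp rule no longer reports an "Any" remote scope and that the enabled account list matches what the installation needs.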
This advisory looks at a single hard-coded-credential vulnerability reported by Billy Rios and Terry McCorkle. ICS-CERT reports that: “Morpho has decided not to address this vulnerability at this time.” Since the Itemizer® 3 is not, strictly speaking, an industrial control system (it’s an analytical system controller) it could look like this is no big thing. It could, however, have an effect on police investigations that rely on these pieces of equipment to identify drug and explosives trace evidence. A cyber-savvy defense attorney could use this uncorrected vulnerability to cause a judge to question the validity of test data from this machine and potentially reverse a drug or explosives conviction or the use of the evidence in court.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to gain administrative access to the system. Not much you can’t do once you have that access.