This morning the DHS ICS-CERT published an advisory for multiple vulnerabilities in a variety of Siemens HMI devices. The vulnerabilities were reported by the Quarkslab team and Ilya Karpov from Positive Technologies. Siemens has produced updates for most affected products (others are still in the works) but there is no indication that the researchers have been provided an opportunity to verify the efficacy of the fixes.
The vulnerabilities are:
∙ Man-in-the-Middle - CVE-2015-1601;
∙ Resource exhaustion - CVE-2015-2822; and
∙ Use of password hash instead of password for authentication - CVE-2015-2823.
ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to conduct man-in-the-middle attacks, denial-of-service attacks, and possibly authenticate themselves as valid users, depending on the vulnerability exploited.
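The third item, "use of password hash instead of password for authentication," is a design weakness rather than a coding slip: if the server accepts the stored hash itself as the credential, then anyone who obtains that hash (from a database copy, a backup, or an unprotected session) holds the equivalent of the password. The following Python is an added illustration written for this post; it is not code from the advisory, from Siemens, or from the researchers, and the user name, password and in-memory stores are constructed here. It places a minimal version of the weak scheme beside a conventional server-side design (salted PBKDF2, constant-time comparison) so the difference in what a leaked record is worth becomes concrete.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; tune upward for real deployments

# --- Weak scheme (the CWE-836 pattern named in the advisory) ---------------
# Constructed store: the server keeps a plain SHA-256 of the password and the
# client is expected to send that same value as its credential.
WEAK_USERS = {"operator": hashlib.sha256(b"s3cret").hexdigest()}


def weak_verify(user: str, submitted_hash: str) -> bool:
    """Accepts the hash as the secret: a stolen record is a valid login."""
    stored = WEAK_USERS.get(user)
    return stored is not None and hmac.compare_digest(submitted_hash, stored)


# --- Hardened scheme ---------------------------------------------------------
# The client submits the password itself (over a channel that protects it,
# e.g. TLS); the server derives a salted, slow hash and compares it.
def make_record(password: str) -> dict:
    """Build a per-user record with a random salt and a PBKDF2 digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


HARDENED_USERS = {"operator": make_record("s3cret")}  # constructed store


def hardened_verify(user: str, submitted_password: str) -> bool:
    """Re-derive the digest from the submitted password; a leaked digest
    cannot be replayed because it is never accepted as input."""
    rec = HARDENED_USERS.get(user)
    if rec is None:
        # Spend comparable time on unknown users so timing does not reveal
        # which names exist.
        hashlib.pbkdf2_hmac("sha256", b"-", b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted_password.encode(), rec["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, rec["digest"])


def leaked_record_is_a_credential(scheme: str) -> bool:
    """Model the risk question a reviewer asks: if the stored record leaks,
    does presenting it back to the server log you in?"""
    if scheme == "weak":
        return weak_verify("operator", WEAK_USERS["operator"])
    if scheme == "hardened":
        return hardened_verify("operator", HARDENED_USERS["operator"]["digest"].hex())
    raise ValueError(scheme)


if __name__ == "__main__":
    print("weak scheme, leaked record logs in:", leaked_record_is_a_credential("weak"))
    print("hardened scheme, leaked record logs in:", leaked_record_is_a_credential("hardened"))
    print("hardened scheme, real password logs in:", hardened_verify("operator", "s3cret"))
```

The point of `leaked_record_is_a_credential` is the review question itself: a stored record in the weak scheme is interchangeable with the password, while in the hardened scheme it is only useful for offline guessing, which the salt and iteration count are there to slow down. The hardened form still depends on the transport protecting the password in transit, which is why the man-in-the-middle finding in the same advisory matters alongside this one.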
With the large number of systems susceptible to these vulnerabilities, I would suspect that they were only reported in one or two systems by the researchers. This would fit with the recent Siemens history of self-identifying vulnerabilities. If true, Siemens is to be congratulated on their commitment to improving the security of their systems. Some vendors recently identified with vulnerabilities in a portion of their product line would do well to emulate the Siemens model and proactively determine if the same vulnerability affects similar devices.
NOTE 1: It only took ICS-CERT a day to publish this advisory; they are getting better. My Twitter followers will remember that this was announced yesterday morning by Siemens.
NOTE 2: Siemens appears to have developed a complicated internal method of determining when ‘enough’ systems have protections available to make it worthwhile to publish their advisories. We have seen this in a number of instances lately where ‘most’ of the affected systems have fixes in place and the other fixes come out over subsequent weeks and months. I hope that the researchers involved are aware of the risks that Siemens is taking with their more timely publication of vulnerabilities.