Today the DHS ICS-CERT published two control system security advisories for separate Siemens SIMATIC products. They also updated a third Siemens advisory that was originally reported on November 8th, 2016. These were reported by Siemens earlier on TWITTER (here, here and here).
Siemens SIMATIC CP 1543-1 Advisory
This advisory describes two vulnerabilities in the Siemens SIMATIC CP 1543-1 communications processor. The vulnerabilities were reported by SOGETI via Agence nationale de la sécurité des systèmes d’information (ANSSI). Siemens has produced a firmware update to mitigate the vulnerabilities. There is no indication that SOGETI has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper input validation - CVE-2016-8561; and
• Improper privilege management - CVE-2016-8562
ICS-CERT reports that it would be difficult to craft a workable exploit of these vulnerabilities, but that they could be exploited remotely to elevate privileges on the affected devices or cause a denial-of-service condition. Siemens reports that: “Vulnerability 2 only applies if SNMPv1 is activated or SNMPv3 write access is activated.”
Siemens SIMATIC CP 343-1 Advisory
This advisory describes two vulnerabilities in multiple Siemens SIMATIC products. The vulnerabilities were reported by Inverse Path auditors and the Airbus ICT Industrial Security team. Siemens has produced a new firmware version for some of the affected products and a workaround for the others. There is no indication that either reporting organization was provided an opportunity to verify the efficacy of the fix.
The reported vulnerabilities are:
• Insufficient verification of data authenticity - CVE-2016-8673; and
• Sensitive cookie in HTTPS session without secure attribute - CVE-2016-8672
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to perform operations as an authenticated user. Siemens reports that the first vulnerability would require a social engineering attack.
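The second vulnerability above is a session cookie issued over HTTPS without the Secure attribute, which lets a browser send it over cleartext HTTP as well. The following script is an added example (not code from the advisory, Siemens, or ICS-CERT) that audits Set-Cookie header values for that weakness and shows the hardened form. The sample header values are constructed here, the cookie-name heuristics are assumptions, and the check also flags a missing HttpOnly attribute, which goes slightly beyond the advisory's finding.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
# Sample header values below are constructed, not captured from any device.

# Constructed Set-Cookie values as a server might emit them over HTTPS.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # session cookie, no Secure
    "sessionid=abc123; Path=/; Secure; HttpOnly",  # hardened form
    "theme=dark; Path=/",                          # non-sensitive, not flagged
]

# Assumed name fragments that mark a cookie as carrying session/auth state.
SENSITIVE_NAME_HINTS = ("session", "auth", "token", "sid")


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_sensitive(name):
    """Heuristic: does the cookie name look like a session or auth token?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_set_cookie(header_value, over_https=True):
    """Return a list of findings for one Set-Cookie value (empty = OK)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if not is_sensitive(name):
        return findings
    if over_https and "secure" not in attrs:
        # Without Secure the browser will also send this cookie over plain HTTP.
        findings.append(f"{name}: missing Secure attribute")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly attribute")
    return findings


def audit_headers(headers, over_https=True):
    """Audit several Set-Cookie values; map each value to its findings."""
    return {h: audit_set_cookie(h, over_https) for h in headers}


def harden_set_cookie(header_value):
    """Append Secure and HttpOnly to a Set-Cookie value if they are absent."""
    _, _, attrs = parse_set_cookie(header_value)
    hardened = header_value.rstrip("; ")
    if "secure" not in attrs:
        hardened += "; Secure"
    if "httponly" not in attrs:
        hardened += "; HttpOnly"
    return hardened


if __name__ == "__main__":
    for header, findings in audit_headers(SAMPLE_HEADERS).items():
        status = "; ".join(findings) if findings else "OK"
        print(f"{header!r}: {status}")
        if findings:
            print(f"  hardened -> {harden_set_cookie(header)!r}")
```

Run against a real device, the same check would be applied to the Set-Cookie headers in an HTTPS response; a sensitive cookie that the audit flags is the condition the advisory describes, and the hardened form is what the server should emit instead.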
The update to the third Siemens advisory, originally reported on November 8th, 2016, provides updated affected version data and mitigation information for WinCC v7.3.