Over the last two days the folks at DHS ICS-CERT have
published advisories on two different Siemens systems: on Thursday one for
Siemens Process Suite, and today one for Siemens Automation License Manager (ALM).
The first involves an ‘out-of-date’ Siemens-acquired product, but it also
affects newer Wonderware InTouch systems. The second affects a wide range of
Siemens products.
ProcessSuite Vulnerability
This poorly
encrypted password file vulnerability was reported by Seth Bromberger of
NCI Security, LLC and independent researcher Slade Griffin. A relatively low-skilled
attacker with read-only access to the system could obtain login
information, including passwords, from an unencrypted .INI file and
then log onto the system with administrator privileges.
The affected Siemens systems are no longer supported, and
Siemens strongly recommends upgrading to a more recent HMI. The Wonderware
situation is not so clear from the Advisory. Early in the document (page 1) ICS-CERT
notes that Wonderware InTouch 2012 R2 and previous versions are affected. Later
(page 3) it notes that Invensys “recommends using Windows integrated security
features or migrating the HMI and OS to versions currently supported and then
install their security update”.
Of course earlier (page 1) ICS-CERT notes that Invensys “recommends
using Windows integrated security rather than the InTouch security subsystem
but has created a new patch to mitigate this vulnerability”, only there is no
patch for this vulnerability listed on the Invensys Cyber
Security Updates page. Oh well, it’s been a long week and I may be confused
easily.
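The exposure described above is a credentials file that anyone with read access can open. The following PowerShell audit is an added example, not part of the advisory and not a Siemens or Invensys tool; it walks an assumed install directory for .INI files containing password-style keys and reports which identities hold read rights on each hit, so an operator can see whether the "read-only access" precondition is met on a given host. The root path, the key names and the rule of reporting line numbers rather than values are all assumptions.

```powershell
# Added example (not from the advisory or from Siemens/Invensys): audit a
# directory tree for .INI files carrying password-style keys and report
# which accounts can read them. Root path and key list are assumptions.
param(
    [string]$Root = 'C:\ProgramData\ExampleHMI',   # assumed location; adjust to the install
    [string[]]$Keys = @('password', 'pwd', 'passwd')
)

# Match "key =" at the start of a line, case-insensitive (PowerShell default).
$pattern = '^\s*(' + ($Keys -join '|') + ')\s*='

Get-ChildItem -Path $Root -Recurse -Filter '*.ini' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $hits = Select-String -Path $file.FullName -Pattern $pattern -AllMatches
        if ($hits) {
            # Broad read grants are what make a plaintext credential file exploitable,
            # so list every identity with an Allow ACE that includes a Read right.
            $readers = (Get-Acl -Path $file.FullName).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Read' } |
                Select-Object -ExpandProperty IdentityReference

            # Report line numbers only; the values themselves are never echoed.
            [pscustomobject]@{
                File    = $file.FullName
                Lines   = ($hits | Select-Object -ExpandProperty LineNumber) -join ','
                Readers = ($readers -join '; ')
            }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt on the HMI host. A finding with Everyone, Users or Authenticated Users in the Readers column is the condition the advisory describes; the fix is the vendor's (migrate to integrated Windows security or a supported version), not tightening the ACL alone, since the application itself still reads the file.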
Automation License Manager Vulnerability
It appears that the uncontrolled resource consumption
vulnerability reported in the second advisory was self-reported by Siemens; at
least no researchers were named in either the ICS-CERT
advisory or the Siemens ProductCert
advisory. All Siemens’ products using the vulnerable versions of ALM are
affected.
Siemens notes that specially crafted packets sent to TCP
port 4410 can cause data leakage that can enable a denial-of-service attack.
The Siemens advisory notes that the Windows firewall should be configured to allow
access to this port only from the local subnet, which should mean that an attacker
would have to have access to that subnet. If the firewall is not properly
configured, this would certainly be a remotely exploitable vulnerability.
Siemens does provide an updated version of ALM that
addresses this vulnerability.
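The firewall scoping Siemens recommends can be applied and verified with the built-in NetSecurity cmdlets. The script below is an added example, not Siemens' own guidance text or a Siemens-supplied tool: it finds every inbound allow rule for TCP 4410, restricts the remote address scope of each to the local subnet (creating a subnet-scoped rule if none exists), and then prints the scope attached to each rule for the port. The display name used for a new rule is an assumption.

```powershell
# Added example, not from the Siemens or ICS-CERT advisory: re-scope every
# inbound allow rule for TCP 4410 (the ALM port in the advisory) to the local
# subnet, then show the resulting scope for verification.
$port = 4410

# Port filters pipe into Get-NetFirewallRule to yield their owning rules.
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

if (-not $rules) {
    # No explicit allow rule for the port: create one that is subnet-scoped
    # from the start. The display name is an assumption, not a Siemens name.
    New-NetFirewallRule -DisplayName 'ALM TCP 4410 (local subnet only)' `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress LocalSubnet -Action Allow | Out-Null
} else {
    # Narrow each existing allow rule so only peers on the local subnet match.
    $rules | Set-NetFirewallRule -RemoteAddress LocalSubnet
}

# Verification: the address filter attached to each rule for the port.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $port } |
    Get-NetFirewallRule |
    ForEach-Object {
        $scope = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Direction     = $_.Direction
            Action        = $_.Action
            RemoteAddress = ($scope.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

Two caveats when reading the output: a separate rule with LocalPort set to Any (a program-scoped rule for the ALM executable, for instance) would still admit traffic to 4410 and is not caught by the port match above, so check program rules as well; and the firewall scoping reduces who can reach the service, which is a complement to installing the updated ALM version Siemens provides, not a substitute for it.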