Late this afternoon the DHS ICS-CERT published two
advisories for vulnerabilities in the Siemens S7-1200 PLCs. One reports two
separate improper input validation vulnerabilities and the other reports six separate
vulnerabilities. All but one of the eight vulnerabilities were discovered and
reported by outside researchers in coordinated disclosures. The remaining
vulnerability was apparently discovered in-house.
Twin Vulnerability Advisory
This advisory describes
two improper input validation vulnerabilities reported separately by Prof. Dr.
Hartmut Pohl of softScheck GmbH and Arne Vidström of Swedish Defence Research
Agency (FOI). Siemens ProductCERT
classifies these as ‘denial of service’ vulnerabilities and reports that
access to the PLCs via their Ethernet network connections is required to
exploit these vulnerabilities. The two vulnerabilities are:
• CVE-2013-2780, via Port 161/UDP (SNMP); and
• CVE-2013-0700, via Port 102/TCP (ISO-TSAP).
ICS-CERT notes that a relatively unskilled attacker could
remotely exploit these vulnerabilities to cause the system to go into the ‘defect
mode’. Siemens reports that the devices would require manual resets after a
successful attack. Joel Langill (@SCADAhacker)
reported this evening: “I saw this PoC in operation firsthand … very
impressive! Glad this was a good responsible disclosure. Hats off to the team.”
You can see by the CVE number that these vulnerabilities
were initially reported last year. US-CERT originally reported them to the
National Vulnerability Database (NVD) last April. Siemens published an earlier
version of this advisory on December 20th, 2013. They revised it
last month reflecting a better understanding of possible exploits for the
second vulnerability. They published their most recent revision this morning,
adding V4 to the list of potentially vulnerable iterations of the PLC firmware.
The latest version of the S7-1200 firmware (v4.0) mitigates
these vulnerabilities. Siemens also recommends blocking traffic to Ports 102
and 161.
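The port-blocking advice above is easiest to act on if you can also see who is reaching those ports today. The following is an added example (not code from the advisories, Siemens, or ICS-CERT) that sweeps a flow log for traffic to 102/TCP or 161/UDP on the PLC from any host outside an assumed engineering subnet; the log line format, the addresses, and the allowed subnet are all constructed for the example and would be replaced with your own firewall or NetFlow export and site allow-list.

```python
"""Flag flows reaching the S7-1200 service ports named in the advisory
(102/TCP ISO-TSAP, 161/UDP SNMP) from sources that are not approved
engineering hosts.

Added example, not Siemens' or ICS-CERT's code. The flow-log format, the
addresses and the allowed subnet below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Ports the advisory names as the exploitation paths for the two CVEs.
PLC_SERVICE_PORTS = {
    ("tcp", 102): "ISO-TSAP (CVE-2013-0700)",
    ("udp", 161): "SNMP (CVE-2013-2780)",
}

# Assumption: only the engineering subnet should ever talk to the PLC on
# these ports; everything else is a candidate for the recommended block.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed flow-record format: "<ts> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    service: str


def parse_flow(line):
    """Return the flow fields as a dict, or None for a line that is not a flow record."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowed_source(src):
    """True when the source address sits inside an approved engineering subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unexpected_plc_access(lines):
    """Return one Finding per flow that hits a PLC service port from a non-approved source."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed record: skip it rather than abort the sweep
        service = PLC_SERVICE_PORTS.get((flow["proto"], int(flow["dport"])))
        if service is None or is_allowed_source(flow["src"]):
            continue
        findings.append(Finding(flow["ts"], flow["src"], flow["dst"], service))
    return findings


# Constructed sample: two approved engineering flows, three from an outside
# host (one of which is to 443 and so is not in scope here), and one junk line.
SAMPLE_LOG = """\
2014-03-20T14:02:11Z tcp 10.10.5.20:49152 -> 10.10.7.10:102
2014-03-20T14:02:13Z udp 10.10.5.21:50000 -> 10.10.7.10:161
2014-03-20T14:03:40Z udp 192.0.2.45:41234 -> 10.10.7.10:161
2014-03-20T14:03:41Z tcp 192.0.2.45:41235 -> 10.10.7.10:102
2014-03-20T14:04:02Z tcp 192.0.2.45:41236 -> 10.10.7.10:443
this line is not a flow record
"""


def findings_summary(log_text=SAMPLE_LOG):
    """(source, service) pairs for the sample log, in log order."""
    return [(f.src, f.service) for f in find_unexpected_plc_access(log_text.splitlines())]


if __name__ == "__main__":
    for f in find_unexpected_plc_access(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst} {f.service}")
```

Run against a real export, the output is the list of sources that a block on 102/TCP and 161/UDP would cut off; anything on it that is not an engineering workstation or a monitoring host is worth explaining before the rule goes in, and anything that is should be added to the allow-list rather than left to trip the block.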
Six Vulnerability Advisory
This advisory reports
six separate vulnerabilities affecting the S7-1200 PLCs reported by a variety
of researchers. The vulnerabilities are:
• Cross-site request forgery, CVE-2014-2249, Port 80/TCP and Port 443/TCP, Siemens self-identified;
• Improper resource shutdown or release, CVE-2014-2258, Port 443/TCP, Ralf Spenneberg from OpenSource Training;
• Insufficient entropy, CVE-2014-2250, Port 80/TCP and Port 443/TCP, Alexander Timorin, Alexey Osipov from Positive Technologies;
• Improper resource shutdown or release, CVE-2014-2252, PROFINET packets, Alexander Timorin, Alexey Osipov from Positive Technologies;
• Improper resource shutdown or release, CVE-2014-2254, Port 80/TCP, Lucian Cojocar from EURECOM; and
• Improper resource shutdown or release, CVE-2014-2256, Port 102/TCP, Sascha Zinke from the FU Berlin’s work team SCADACS.
NOTE: These CVE numbers are not functioning yet.
NOTE: The ICS-CERT advisory gives the same CVE number for
both the insufficient entropy vulnerability and the Profinet vulnerability. The
Siemens ProductCERT
provides the correct information shown here.
ICS-CERT reports that the vulnerabilities could be remotely
exploited by a moderately skilled attacker. Four of the vulnerabilities could
result in the device going into the ‘defect mode’, requiring a cold restart.
The other two vulnerabilities could result in an attacker gaining control of a
web session, compromising system integrity and access.
The latest version of the S7-1200 firmware (v4.0) corrects
these vulnerabilities. Siemens reports in both of their advisories that v4.0 of
the firmware must run on S7-1200 v4.0 CPU or higher. Upgrading to the newer CPU
provides additional benefits that Siemens describes here.