This morning the DHS ICS-CERT published another advisory
for twin vulnerabilities in the Siemens SIMATIC STEP 7 TIA Portal. The two
vulnerabilities were discovered separately, one by the Quarkslab team and one by
Dmitry Sklyarov of PT-Security. Siemens has produced a patch to mitigate the
vulnerabilities, but there is no indication that either research team has been
given the opportunity to verify the efficacy of the patch.
The two vulnerabilities are:
● Man-in-the-Middle vulnerability - CVE-2015-1601; and
● Use of password with insufficient computational effort - CVE-2015-1602
ICS-CERT reports that it would be moderately difficult to
construct a workable exploit for these two vulnerabilities. Siemens reports
that exploiting the first would require access to the network path between
client and server, and exploiting the second would require access to TIA
project files.
Why Siemens?
At some point we have to wonder why we are seeing so many
Siemens advisories. In many cases (though by no means most) the answer is
self-reporting, and that is a mark of a current commitment to security. But
so many vulnerabilities, surely that is the sign of a basic problem?
Yes, there were certainly problems with the way that most of
these programs were originally written. The mistakes we are seeing seem so
basic now, but that is because we have been seeing them throughout the industry
for the last few years. Siemens is now paying for the mistakes that they and
most of the rest of the industry made back when security was a ‘non-issue’
because control systems were air-gapped and so hard to understand.
Siemens is now facing much the same problem that Microsoft
faced twenty years ago. Because of their size, familiarity and availability,
researchers around the world are taking a hard look at Siemens products,
knowing that they are going to find vulnerabilities. It may not be quite
shooting fish in a barrel, but it is certainly fishing in a freshly stocked
pond.
Many of these researchers are going to move on to
the other suppliers in the field, using the skills they honed working on
Siemens gear. There will be more advisories for other vendors, and people will
laugh at how easy the bugs were to find; unless those vendors internalize the
same kind of searching and fix the problems before the researchers find them.
And the Siemens advisories will continue. Siemens makes ever
more complex products, with more and more capabilities. Mistakes will be made.
More importantly, researchers (of whatever hat color) are also getting more and
more sophisticated. They will find new types of vulnerabilities that we have
not even thought about yet. Security designers and researchers will continue to
be locked in a war of improving capabilities. And we users will be better
for it.