Yesterday the DHS ICS-CERT published five new advisories for
various Siemens control system products and updated their supplement to the NTP
advisory. All six documents were based upon reports that Siemens issued
yesterday.
NTP Supplement Update
This update
reflects new information that Siemens released
on the NTP Vulnerability reported in its RuggedCom ROX based devices; a new version of ROX 2 has been released that
mitigates the vulnerability in those devices. Additionally, Siemens
reported that this vulnerability also affects their SINUMERIK controllers;
an upgrade is available to mitigate the vulnerability in that product.
SPCanywhere Application Advisory
This advisory
describes multiple vulnerabilities reported in the SPCanywhere mobile
application. The vulnerabilities were originally reported by Karsten Sohr,
Bernhard Berger, and Kai Hillmann from the TZI-Bremen, Kim Schlyter,
Seyton Bradford, and Richard Warren from FortConsult, and Stefan Schuhmann.
Siemens has produced a new mobile application (SPC Connect) that mitigates
these vulnerabilities. There is no indication that the researchers have been
given a chance to verify the efficacy of the fix in the new application.
The vulnerabilities include:
● Missing encryption of sensitive data - CVE-2015-1595 and CVE-2015-1596
● Improper cross-boundary removal of sensitive data - CVE-2015-1597
● Storing passwords in recoverable format - CVE-2015-1598
● Authentication bypass using alternate path - CVE-2015-1599
ICS-CERT reports that some of these vulnerabilities could be
remotely exploited by a relatively low skilled attacker while others might
require more skill and/or local access. Siemens reports
that the last two vulnerabilities require physical access while the others only
require a “privileged network position to be able to control network traffic”.
As far as I can tell this is the first time that ICS-CERT
has issued an advisory for a mobile application. As more of these applications
come into use for remote access to industrial control systems I expect that we
will be seeing more of these advisories.
S7-300 Advisory
This advisory
describes a DoS vulnerability in the Siemens SIMATIC S7-300 CPUs. The
vulnerability was reported by Johannes Klick, Christian Pfahl, Martin Gebert,
and Lucas Jacob from Freie Universität Berlin’s working group SCADACS. Siemens
reports a mitigation technique to resolve this vulnerability. There is no
indication that the researchers have verified the efficacy of this fix.
ICS-CERT reports that the vulnerability is remotely
exploitable, but that an exploit would be difficult to craft. Siemens reports
that, in addition to standard network protections, read/write protections
should be applied to the system to mitigate the vulnerability. There is no
mention by either ICS-CERT or Siemens of any intention to provide a more
effective fix.
An interesting tweet
from Michael Toecker focuses on the mention of the role of Profibus in this
vulnerability; he asks: “Who else uses the same Profibus stack?” Control
systems use lots of different applications. When an application vulnerability
affects one system the question is always going to be whether the same vulnerability
affects other systems. Researchers and hackers routinely use this type of information
to look for vulnerabilities in other systems.
SPC Controller Advisory
This advisory
describes a DoS vulnerability in Siemens SPC Controllers (a hybrid physical
intrusion detection and access control system). The vulnerability was reported
by Davide Peruzzi of GoSecure!. Siemens has produced a firmware update that
mitigates the vulnerability but there is no indication that Davide has been
given an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit this vulnerability to effect a denial-of-service attack.
Siemens reports
that network access is required and that the web interface must be enabled.
SIMATIC Advisory
This advisory
describes a search path vulnerability in various SIMATIC products. The
vulnerability was reported by Ivan Sanchez from WiseSecurity Team. Siemens has
produced updates for most of the affected products, but there is no indication
that Ivan has been afforded the opportunity to verify the efficacy of the
fixes. Additional mitigation steps have been provided pending updates of the
other products.
ICS-CERT reports that a moderately skilled attacker could
exploit this vulnerability. They claim that the vulnerability is not remotely
exploitable, but mention that arbitrary code from files on network shares could
be executed based upon a social engineering attack, which is a classic remote exploit
technique.
GHOST Advisory
This advisory
describes the Siemens systems affected by the GHOST
vulnerability in the glibc library. Siemens is apparently self-reporting
this vulnerability. Siemens has produced an update for one of the two systems
affected. Additionally they report that a third system may be vulnerable
depending on the installation configuration used; the default configuration is
not affected.
ICS-CERT reports that a relatively low skilled attacker with
local network access could exploit this vulnerability to effect a denial-of-service
attack. ICS-CERT notes that there is no known Siemens-specific exploit
available for this vulnerability, but that there are publicly available
exploits for other systems.