Siemens created a new version to mitigate an ActiveX vulnerability in its SIMATIC WinCC and SIMATIC PCS 7, according to a report with ICS-CERT.
This vulnerability ended up discovered by Mingzheng Li from Acorn Network Security Lab.
The vulnerability affects the following versions of SIMATIC:
• SIMATIC WinCC: All versions prior to SIMATIC WinCC V7.2
• SIMATIC PCS 7: All versions prior to SIMATIC PCS 7 V8.0 SP1
Exploitation of this vulnerability may allow an attacker to crash the component or leak application memory content.
Siemens is a multinational company headquartered in Munich, Germany.
The affected products are: SIMATIC WinCC, a supervisory control and data acquisition (SCADA) system; and SIMATIC PCS7, a distributed control system (DCS) integrating SIMATIC WinCC. These products see action across several sectors including chemical, energy, food and agriculture, and water and wastewater systems. Siemens said these products see use on a global basis.
In the vulnerability, an attacker could crash an ActiveX component or leak parts of the application memory if a user ends up tricked into clicking on a malicious link under certain conditions. An attacker must have control over a web site that can execute ActiveX components.
CVE-2016-9160 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.2.
This vulnerability is not exploitable remotely and cannot end up exploited without user interaction. The exploit only triggers when a local user ends up falling for a social engineering tactic and clicks on a malicious link.
No known public exploits specifically target this vulnerability. Crafting a working exploit for this vulnerability would be difficult as social engineering would be mandatory to convince the user to click on the malicious link.
Siemens provided SIMATIC WinCC Version 7.2 and newer, and PCS7 Version 8.0 SP2 and newer, which fixes the vulnerability. Users can obtain these newer versions by contacting the local Siemens representative or customer support.
Until users can upgrade to the new versions, Siemens recommends the following mitigations to reduce the risk:
• Only allow execution of ActiveX components on trusted sites
• Apply defense-in-depth concepts
For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-693129.
Siemens advises configuring the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment.