Siemens released an update in its SIMATIC Sm@rtClient Android App to fix man-in-the-middle and an authentication bypass using an alternate path or channel vulnerabilities, according to a report with ICS-CERT.
Successful exploitation of these remotely exploitable vulnerabilities, discovered by Karsten Sohr and Timo Glander from TZI at the University of Bremen, could allow an attacker in a privileged network position to read and modify data within a Transport Layer Security TLS session.
The vulnerabilities affect the following SIMATIC Sm@rtClient Android apps for remote operation and monitoring of SIMATIC HMI systems:
• SIMATIC WinCC Sm@rtClient for Android: All versions prior to V18.104.22.168
• SIMATIC WinCC Sm@rtClient Lite for Android: All versions prior to V22.214.171.124
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
In one vulnerability, the existing TLS protocol implementation could allow an attacker to read and modify data within a TLS session while performing a man-in-the-middle attack. This vulnerability affects only SIMATIC WinCC Sm@rtClient for Android.
CVE-2017-6870 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.4.
In addition, an attacker with physical access to an unlocked mobile device that has the affected app running could bypass the app’s authentication mechanism under certain conditions. SIMATIC WinCC Sm@rtClient Lite for Android is only affected by this vulnerability.
CVE-2017-6871 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.6.
The product sees action in the chemical, energy, food and agriculture, and water and wastewater systems sectors. It also sees use on a global basis.
Munich, Germany-based Siemens released SIMATIC WinCC Sm@rtClient V126.96.36.199 for Android to address these vulnerabilities and recommends updating as soon as possible. Updates will be installed automatically if the mobile device is configured accordingly. If the update does not install automatically, users can find the latest version at the Google Play Store.
It is advised to configure the environment according to operational guidelines.
For more information on these vulnerabilities and more detailed mitigation instructions, click on Siemens Security Advisory SSA-589378.