Your one-stop web resource providing safety and security information to manufacturers

Siemens has a software update to handle a cross-site scripting (XSS) vulnerability in its WebSDKcomponent of Spectrum Power 3, 4, 5 and 7, according to a report with Siemens ProductCERT.

Ismail Mert AY AK from Biznet Bilisim A.S. and the CISA-Industrial Control System Vulnerability Disclosure team discovered the issue.

RELATED STORIES
Siemens Updates TIA Portal Issue
Siemens Addresses ZombieLoad Issues
Siemens Fixes TLS SIMATIC Holes
Siemens Handline SIMATIC Code Upload Hole

The vulnerability affects:
• Spectrum Power 3 (Corporate User Interface), all versions before and including v3.11, the remediation is to contact Siemens Energy Customer Support Center or your local Siemens representative.
• Spectrum Power 4 (Corporate User Interface), version v4.75, the remediation is to contact Siemens Energy Customer Support Center or your local Siemens representative.
• Spectrum Power 5 (Corporate User Interface), all versions before and including v5.50, the remediation is to contact Siemens Energy Customer Support Center or your local Siemens representative.
• Spectrum Power 7 (Corporate User Interface), all versions before and including v2.20, the remediation is to contact Siemens Energy Customer Support Center or your local Siemens representative.

Spectrum Power 3 SCADA applications provide functions required for monitoring, alarming, measuring, calculating, archiving and safe supervisory control based on analog and digital measurements, accumulator values, and momentaries.

Cyber Security

Spectrum Power 4 provides basic components for SCADA, communications, and data modeling for control and monitoring systems. Application suites can be added to optimize network and generation management for all areas of energy management.

Spectrum Power 5 is used for the automation of power supply networks in industry and for gas, water, district heating, and power supply grids operated by public utilities.

Spectrum Power 7 was developed for energy management in power transmission and distribution systems as well as for controlling railway power supply systems.

The web server could allow XSS attacks if unsuspecting users are tricked into accessing a malicious link.

User interaction is required for a successful exploitation. The user does not need to be logged into the web interface in order for the exploitation to succeed.

The vulnerability has a case number of CVE-2019-10933 and it has a CVSS v3.0 Base Score of 4.7.

Siemens identified the following specific workarounds and mitigations: Do not allow Internet access for Spectrum Power UI clients and users should be trained to avoid clicking on unknown links.

Siemens recommends applying the provided security updates using the corresponding tooling and documented procedures. If supported by the product, an automated means to apply the security updates across multiple product instances may be used.

Siemens recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment.

As a general security measure Siemens recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.

Click here for recommended security guidelines to Secure Substations.

Pin It on Pinterest

Share This