Siemens has workarounds and mitigations to handle path traversal and open redirect vulnerabilities in its SIMATIC Panels, according to a report by NCCIC.
Successful exploitation of these remotely exploitable vulnerabilities, discovered by Hosni Tounsi from Carthage Red Team // Carthage Cyber Services, could allow download of arbitrary files from the device, or allow URL redirections to untrusted websites.
Siemens said these vulnerabilities affect the following SIMATIC products:
• SIMATIC HMI Comfort Panels 4”-22” all versions prior to v15 Update 4
• SIMATIC HMI Comfort Outdoor Panels 7” & 15” all versions prior to v15 Update 4
• SIMATIC HMI KTP Mobile Panels all versions prior to v15 Update 4
• SIMATIC WinCC Runtime Advanced all versions prior to v15 Update 4
• SIMATIC WinCC Runtime Professional all versions prior to v15 Update 4
• SIMATIC WinCC (TIA Portal) all versions prior to v15 Update 4
• SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) all versions
The first vulnerability is a directory traversal issue in the integrated web server that could allow download of arbitrary files from the device. It can be exploited by an attacker with network access to that web server; no authentication is mentioned as a prerequisite.
CVE-2018-13812 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The second vulnerability is an open redirect: the web server of affected HMI devices may redirect users to untrusted websites. To exploit it, an attacker must trick a user who is authenticated to the device into clicking a malicious link.
CVE-2018-13813 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
The products are used in the chemical, critical manufacturing, energy, food and agriculture, healthcare and public health, and transportation sectors, and are deployed worldwide.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Siemens identified the following specific workarounds and mitigations users can apply to reduce the risk:
• Update SIMATIC WinCC (TIA Portal) to v15 Update 4 or newer, then update the panel firmware to v15 Update 4 or newer
• Restrict network access to the integrated web server
• Deactivate the web server if it is not required; it is disabled by default
• Apply defense-in-depth
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and following the recommendations in the product manuals.
For more information on these vulnerabilities and associated software updates, see Siemens’ security advisory SSA-233109.