
Siemens has released updates, or is working on them, for multiple vulnerabilities in its SINUMERIK controllers, according to a report from NCCIC.

The vulnerabilities include heap-based buffer overflow, integer overflow or wraparound, protection mechanism failure, permissions, privileges, and access controls, stack-based buffer overflow, and an uncaught exception.


Successful exploitation of these remotely exploitable vulnerabilities could cause denial-of-service conditions, privilege escalation, or allow remote code execution.

Siemens worked with Anton Kalinin, Danila Parnishchev, Dmitry Sklyar, Gleb Gritsai, Kirill Nesterov, Radu Motspan, and Sergey Sidorov from Kaspersky Lab on the vulnerabilities.


The vulnerabilities affect the following versions of the SINUMERIK CNC controllers:
• SINUMERIK 808D v4.7 all versions
• SINUMERIK 808D v4.8 all versions
• SINUMERIK 828D v4.7 all versions prior to v4.7 SP6 HF1
• SINUMERIK 840D sl v4.7 all versions prior to v4.7 SP6 HF5
• SINUMERIK 840D sl v4.8 all versions prior to v4.8 SP3

Some products are not affected by all of the vulnerabilities. See Siemens advisory SSA-170881 for further details.

In one vulnerability, sending specially crafted network requests to Port 4842/TCP of the integrated web server could allow a remote attacker to execute code with privileged permissions.

This vulnerability is only exploitable if Port 4842/TCP is manually opened in the firewall configuration of network Port X130.

CVE-2018-11457 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, sending specially crafted network requests to Port 5900/TCP of the integrated VNC server could allow a remote attacker to execute code with privileged permissions.

This vulnerability is only exploitable if Port 5900/TCP is manually opened in the firewall configuration of network Port X130.

CVE-2018-11458 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Also, a local attacker could modify a user-writeable configuration file so that after reboot or manual initiation, the attacker-controlled code is executed with elevated privileges.

CVE-2018-11459 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.0.

In addition, a local attacker with elevated user privileges (manufact) could modify a CRAMFS archive so that after reboot, the system loads the modified CRAMFS file and attacker-controlled code is executed with root privileges.

CVE-2018-11460 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.7.
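Both local flaws above share one shape: a file that an ordinary or "manufact" user can write is later consumed by a privileged process at reboot. The following audit is an added example, not Siemens' or NCCIC's code, and the controller's real file layout is not given in the article, so the path list it is run against is a hypothetical placeholder. It flags files that a privileged boot-time consumer would read but that a less privileged account could modify or replace (world/group-writable, untrusted owner, symlink, or a replaceable parent directory).

```python
"""Added example: audit files read by a privileged process at boot for write
access by unprivileged users.  Paths below are hypothetical placeholders; the
SINUMERIK file layout is not described in the article."""
import os
import stat


def audit_privileged_inputs(paths, trusted_uids=(0,)):
    """Return [(path, [reasons])] for every file that a user outside
    trusted_uids could modify or replace before a privileged consumer reads it.
    Missing files are skipped; the audit is read-only."""
    findings = []
    for path in paths:
        try:
            st = os.lstat(path)          # lstat: do not follow symlinks
        except FileNotFoundError:
            continue
        reasons = []
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink")    # target can be redirected by link owner
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_uid not in trusted_uids:
            reasons.append("owned by uid %d" % st.st_uid)
        # A writable parent directory lets an attacker delete and recreate the
        # file even if the file itself is read-only; the sticky bit restricts
        # deletion to the owner and so removes that path.
        parent = os.path.dirname(os.path.abspath(path)) or "/"
        pst = os.stat(parent)
        if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
            reasons.append("parent directory world-writable without sticky bit")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    # Hypothetical placeholder paths (assumption of this example).
    CANDIDATES = ["/etc/example/startup.cfg", "/opt/example/rootfs.cramfs"]
    for path, reasons in audit_privileged_inputs(CANDIDATES):
        print("%s: %s" % (path, ", ".join(reasons)))
```

Run it as root on the target so that uid 0 is the trusted owner; on a workstation you can pass your own uid via trusted_uids to exercise the logic against test files.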

Also, a local attacker with user privileges could use the service command application for privilege escalation to an elevated user, but not root.

CVE-2018-11461 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.6.

In addition, by sending a specially crafted authentication request to affected systems, a remote attacker could escalate privileges to an elevated user account, but not to root.

CVE-2018-11462 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In another vulnerability, a buffer overflow in the service command application could allow a local attacker to execute code with elevated privileges.

CVE-2018-11463 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

Also, the integrated VNC server on Port 5900/TCP of the affected products could allow a remote attacker to cause a denial-of-service condition of the VNC server.

This vulnerability is only exploitable if Port 5900/TCP is manually opened in the firewall configuration of network Port X130.

CVE-2018-11464 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

In addition, a local attacker could use ioctl calls to do out of bounds reads, arbitrary writes, or execute code in kernel mode.

CVE-2018-11465 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

Also, specially crafted network packets sent to Port 102/TCP (ISO-TSAP) could allow a remote attacker to cause a denial-of-service condition of the integrated software firewall, or to execute code in the context of the software firewall.

CVE-2018-11466 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.

The product sees use mainly in the critical manufacturing sector and is deployed globally.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the issues.

Siemens released updates for several affected products and is working on updates for the remaining affected products. Siemens recommends updating affected devices as soon as possible. For the following products, contact a Siemens account manager to obtain updates for SINUMERIK software:
• SINUMERIK 828D v4.7: Update to v4.7 SP6 HF1
• SINUMERIK 840D sl v4.7: Update to v4.7 SP6 HF5
• SINUMERIK 840D sl v4.8: Update to v4.8 SP3

Siemens recommends affected users implement the following specific workarounds and mitigations to reduce risk:
• Check and restore default settings (4842/TCP and 5900/TCP blocked) for firewall on network Port X130
• Restrict system access to authorized personnel and follow a least privilege approach
• Apply cell protection concept
• Use VPN for protecting network communication between cells
• Apply defense-in-depth
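The first workaround is a concrete, checkable state: on the X130 interface, 4842/TCP and 5900/TCP are blocked by default and only become an exposure if someone opened them, while 102/TCP (ISO-TSAP) is a standard service port. The following probe is an added example and is not Siemens' or NCCIC's code. It connects to those three ports on a controller address you supply (the 192.0.2.10 default is a documentation-range placeholder, an assumption of this example), maps anything reachable to the CVEs this article associates with that port, and says whether the "restore default settings" workaround applies. Run it only against equipment you are authorised to test.

```python
"""Added example: check a SINUMERIK X130 interface for the TCP services named
in SSA-170881 and map reachable ports to the CVEs listed in this article."""
import socket
import sys

# port -> (service, CVEs from the article, blocked by default on X130?)
X130_SERVICES = {
    4842: ("integrated web server", ["CVE-2018-11457"], True),
    5900: ("integrated VNC server", ["CVE-2018-11458", "CVE-2018-11464"], True),
    102: ("ISO-TSAP", ["CVE-2018-11466"], False),
}


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP three-way handshake to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_exposure(open_ports, services=X130_SERVICES):
    """Interpret a set of reachable ports.  Kept network-free so the mapping
    can be unit-tested; ports not in the advisory are ignored."""
    findings = []
    for port in sorted(open_ports):
        if port not in services:
            continue
        name, cves, blocked_by_default = services[port]
        findings.append({
            "port": port,
            "service": name,
            "cves": cves,
            # If the port is blocked by default and is reachable, someone
            # opened it: the advisory's "restore default settings" step applies.
            "restore_default": blocked_by_default,
        })
    return findings


def scan_controller(host, services=X130_SERVICES, timeout=2.0):
    """Probe every advisory port on host and return the findings."""
    reachable = {p for p in services if tcp_port_open(host, p, timeout)}
    return assess_exposure(reachable, services)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder
    findings = scan_controller(host)
    if not findings:
        print("%s: no advisory ports reachable" % host)
    for f in findings:
        action = ("restore X130 firewall default (block port)"
                  if f["restore_default"] else "apply update / cell protection")
        print("%s:%d %s reachable -> %s; %s"
              % (host, f["port"], f["service"], ", ".join(f["cves"]), action))
```

A reachable 102/TCP is not a misconfiguration by itself, since ISO-TSAP is open by default; the finding for that port points to the firmware update and cell protection rather than to the firewall default.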

For additional information see Siemens’ security advisory SSA-170881.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and following the recommendations in the product manuals.

See Siemens' Industrial Security pages for additional information.
