Siemens has a fix to mitigate a command injection vulnerability in its Spectrum Power 4.7 product, according to a report with NCCIC.
Versions of Spectrum Power 4 using the user-specific project enhancement (PE) Web Office Portal (WOP) are affected by a remotely exploitable OS command injection vulnerability.
The vulnerability, discovered by Applied Risk, could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this vulnerability. Successful exploitation compromises confidentiality, integrity, or availability of the targeted system.
Spectrum Power 4 with Web Office Portal, a system that provides basic components for SCADA, communications, and data modeling for control and monitoring systems, suffers from the issue.
An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges.
CVE-2019-6579 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
The product sees use in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors. It is deployed worldwide.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could exploit it.
Siemens recommends users install bugfix bf-47456_PE_WOP_fix to mitigate the vulnerability in the affected version. Bugfix bf-47456_PE_WOP_fix for Web Office Portal can be obtained from the Siemens Energy Customer Support Center.
Siemens identified the following specific workarounds and mitigations users can apply to reduce the risk:
• Turn off the web server or limit access to the web server by an external firewall.
Siemens recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment.
As a general security measure, Siemens recommends protecting network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised that users configure the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment.
Siemens also provides recommended security guidelines to secure substations.
For more information on this vulnerability and associated software updates, see Siemens security advisory SSA-324467.