Siemens has workarounds and mitigations to deal with an improper access control vulnerability in its SIMATIC WinCC OA UI mobile app, according to a report from ICS-CERT.
This vulnerability, which is exploitable from an adjacent network, could be leveraged by an attacker who tricks an app user into connecting to a malicious WinCC OA server.
Successful exploitation of this vulnerability, discovered by Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, could allow an attacker to read and write data from and to the app’s project cache folder.
The vulnerability affects the following products:
• SIMATIC WinCC OA UI for Android: All versions prior to V3.15.10
• SIMATIC WinCC OA UI for iOS: All versions prior to V3.15.10
No known public exploits specifically target this vulnerability. A high skill level is needed to exploit it.
In the vulnerability, insufficient limitation of CONTROL script capabilities could allow read and write access from one HMI project cache folder to other HMI project cache folders within the app’s sandbox on the same mobile device. This includes HMI project cache folders of other configured WinCC OA servers.
This vulnerability could be exploited by an attacker who tricks an app user into connecting to a malicious WinCC OA server. This could give the attacker the ability to read and write data from and to the app’s project cache folder.
CVE-2018-4844 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 5.1.
The product is used in the chemical, energy, food and agriculture, and water and wastewater systems sectors, and it is deployed globally.
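The advisory describes the weakness as a missing boundary between the per-server cache folders inside the app's sandbox. The following Python model is an added illustration, not Siemens code and not the app's actual file handling: it assumes a sandbox directory with one cache folder per configured server (names such as trusted_server and other_server are constructed for the example) and contrasts a resolver that merely joins a script-supplied path onto the project folder with one that canonicalizes the result and refuses anything outside that folder.

```python
"""
Hypothetical model (not Siemens code) of the per-project cache isolation the
advisory says was insufficient: each configured WinCC OA server gets its own
cache folder inside the app sandbox, and a script running in the context of
one server must not be able to read or write another server's folder.
"""
from pathlib import Path
import tempfile


class CacheAccessError(PermissionError):
    """Raised when a script tries to touch a path outside its own project cache."""


def unconfined_cache_path(sandbox: Path, server_id: str, relative: str) -> Path:
    # Weak form: the server's folder is only a prefix joined with the
    # script-supplied path, so '..' segments (or an absolute path) leave it.
    return sandbox / server_id / relative


def confined_cache_path(sandbox: Path, server_id: str, relative: str) -> Path:
    """Resolve a script-supplied path, rejecting anything that would escape
    the project's own cache folder (the check the advisory implies was missing)."""
    project_root = (sandbox / server_id).resolve()
    candidate = (project_root / relative).resolve()
    # Compare canonical paths: the target must be the root itself or lie below it.
    if candidate != project_root and project_root not in candidate.parents:
        raise CacheAccessError(f"{relative!r} escapes the cache folder of {server_id!r}")
    return candidate


def escapes_project_cache(sandbox: Path, server_id: str, relative: str) -> bool:
    """True if the unconfined resolution would land outside server_id's folder."""
    project_root = (sandbox / server_id).resolve()
    target = unconfined_cache_path(sandbox, server_id, relative).resolve()
    return target != project_root and project_root not in target.parents


def demo() -> dict:
    """Constructed sandbox with two configured servers; returns outcomes for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp)
        for server in ("trusted_server", "other_server"):
            (sandbox / server).mkdir()
        # Constructed sample data belonging to the other server's project.
        (sandbox / "other_server" / "config.json").write_text('{"sample": true}')

        results = {}
        # A path inside the script's own project cache is allowed either way.
        own = confined_cache_path(sandbox, "trusted_server", "data/values.bin")
        results["own_ok"] = own.name == "values.bin"
        # A sibling project folder: the weak resolver follows the traversal...
        results["weak_escapes"] = escapes_project_cache(
            sandbox, "trusted_server", "../other_server/config.json")
        # ...while the confined resolver refuses it.
        try:
            confined_cache_path(sandbox, "trusted_server", "../other_server/config.json")
            results["confined_blocks"] = False
        except CacheAccessError:
            results["confined_blocks"] = True
        # An absolute path supplied by a script is rejected as well, since
        # joining it would silently discard the project root.
        try:
            confined_cache_path(sandbox, "trusted_server",
                                str(sandbox / "other_server" / "config.json"))
            results["absolute_blocked"] = False
        except CacheAccessError:
            results["absolute_blocked"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The point of the confined resolver is that the decision is made on the canonical path after all `..` segments, symlinks and absolute prefixes have been collapsed, not on the string the script handed in; a prefix check on the raw string would pass `../other_server/config.json` because it was joined under the right folder.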
Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:
• Only connect to a trusted WinCC OA Server.
• Follow the SIMATIC WinCC OA Security Guideline for maintaining a secured SIMATIC WinCC OA environment. This guideline is available for registered users.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to run the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens’ Operational Guidelines for Industrial Security, and follow the recommendations in the product manuals.
For more information on this vulnerability and associated software updates, see Siemens security notification SSA-822928.