Mitigations are available for a vulnerability that impacts Siemens ProcessSuite and Invensys Wonderware InTouch products, according to a report on ICS-CERT.
Mitigations are available for an insecure password storage vulnerability in Siemens ProcessSuite and Invensys Wonderware InTouch applications.
On one hand, Siemens said ProcessSuite is an outdated system and they cannot issue an updated to match current security requirements. Instead the company recommends upgrading to a more recent human-machine interface (HMI).
On the other hand, Invensys recommends using Windows integrated security rather than the InTouch security subsystem, but has created a new patch to mitigate this vulnerability.
Successful exploitation of this vulnerability, discovered by researcher Seth Bromberger of NCI Security, LLC and independent researcher Slade Griffin, can allow an attacker to log in to the system as a privileged user and take over the application.
All versions of Siemens ProcessSuite suffer from the issue. Siemens said ProcessSuite phased out in 2005 and completely discontinued in 2010. Customers using SIMATIC PCS7 / APACS+ OS are not affected.
The following Invensys Wonderware InTouch versions suffer from the issue: Wonderware InTouch 2012 R2 and previous. Wonderware applications that use Windows Integrated security or ArchestrA security do not have the problem.
An attacker with read permissions to the password file can decrypt it and obtain all usernames and passwords, allowing logon as a privileged user and take over the application.
ProcessSuite is a part of a Distributed Control System “APACS+” from Moore Products Inc., which Siemens acquired in 2000. Siemens ProcessSuite is based on Wonderware InTouch V7.11 and uses similar authentication mechanisms. Siemens no longer supports ProcessSuite.
ProcessSuite does go across several sectors including manufacturing, oil and gas, chemical, and others. Siemens estimates that these products are used primarily in the United States and Canada.
InTouch is an HMI created by Invensys Wonderware used for designing, building, deploying, and maintaining applications for manufacturing and infrastructure operations.
User management information including passwords store in a reversible format in file “Ps_security.ini” by the affected software. An attacker with read permissions to this local file can obtain the passwords, log in as a privileged user, and potentially affect the availability, integrity, and confidentiality of the system. CVE-2012-4693 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
An attacker would need local access to the password file to be able to exploit this vulnerability. An attacker with a low skill would be able to exploit this vulnerability.