Siemens created an update that mitigates vulnerabilities in the SIMATIC WinCC application, according to a report on ICS-CERT.
All but one of the reported vulnerabilities, discovered by researchers Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin and Gleb Gritsai of Positive Technologies and one anonymous researcher, are remotely exploitable.
The following Siemens products suffer from the vulnerabilities:
• SIMATIC WinCC: all versions prior to Version 7.3
• SIMATIC PCS7 (as WinCC is incorporated): all versions prior to Version 8.1
Successful exploitation of these vulnerabilities may allow an attacker to obtain unauthorized access to sensitive data and to escalate privileges.
Siemens is a multinational company headquartered in Munich, Germany. Siemens develops products mainly in the energy, healthcare and public health, and transportation systems sectors.
SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system used to monitor and control physical processes involved in industry and infrastructure. This software sees action in the food and beverage, water and wastewater, oil and gas, and chemical industries.
In one of the vulnerabilities, the SIMATIC WinCC WebNavigator server at Port 80/TCP and Port 443/TCP could allow unauthenticated access to sensitive data with specially crafted HTTP requests.
CVE-2014-4682 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
In another hole, existing access control settings of the WinCC WebNavigator server at Port 80/TCP and Port 443/TCP could allow remote authenticated users to escalate their privileges in WinCC.
CVE-2014-4683 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.9.
In addition, the database server of SIMATIC WinCC could allow authenticated users to escalate their privileges in the database if a specially crafted command is sent to the database server at Port 1433/TCP.
CVE-2014-4684 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.0.
Also, access permissions on system objects could allow a local user to obtain limited escalated privileges within the operating system.
CVE-2014-4685 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.
A hard-coded cryptographic key could allow privilege escalation in the WinCC Project administration application if network communication on Port 1030/TCP of a legitimate user can be captured.
CVE-2014-4686 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.8.
These vulnerabilities are all remotely exploitable except for vulnerability CVE-2014-4685, which requires an attacker to have local access to the system.
No known public exploits specifically target these vulnerabilities; however, an attacker with moderate to low skill would be able to exploit them.
Siemens released SIMATIC WinCC V7.3, which fixes the five vulnerabilities, and recommends upgrading as soon as possible. Users can order the updated software via the customer support web site.
SIMATIC PCS7 V8.1 will be released within a few months and will incorporate SIMATIC WinCC V7.3 to resolve these issues. In the meantime, Siemens advises asset owners to apply the following steps to mitigate the risk:
• Limit the WebNavigator server access to trusted networks and clients
• Ensure that the WebNavigator clients authenticate themselves against the WebNavigator server (e.g., use client certificates)
• Restrict access to the WinCC database server at Port 1433/TCP to trusted entities
• Deactivate all unnecessary OS users on WinCC server
• Run WinCC server and engineering stations within a trusted network
• Ensure that the WinCC server and the engineering stations communicate via encrypted channels only (e.g., establish a VPN tunnel)
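One way to carry out the network-restriction steps above on a Windows WinCC server, as an added example that is not from Siemens or ICS-CERT: it uses the Windows Firewall PowerShell cmdlets (Windows 8 / Server 2012 and later) to scope the advisory's ports (80, 443, 1433 and 1030/TCP) to trusted addresses, and the subnets and hosts below are assumed placeholders for a site's own networks.

```powershell
# Added example: restrict the WinCC-related TCP ports named in the advisory to trusted
# hosts only. Addresses are placeholders (assumed), adjust them to the real site layout.
$TrustedWebClients  = @('10.10.20.0/24')                # assumed WebNavigator client LAN
$TrustedDbClients   = @('10.10.10.5', '10.10.10.6')     # assumed engineering stations
$TrustedEngineering = @('10.10.10.0/24')                # assumed engineering network

# One entry per port from the advisory: rule name, local port, allowed remote addresses
$Rules = @(
    @{ Name = 'WinCC WebNavigator HTTP (80/TCP)';          Port = '80';   Remote = $TrustedWebClients },
    @{ Name = 'WinCC WebNavigator HTTPS (443/TCP)';        Port = '443';  Remote = $TrustedWebClients },
    @{ Name = 'WinCC database server (1433/TCP)';          Port = '1433'; Remote = $TrustedDbClients },
    @{ Name = 'WinCC Project administration (1030/TCP)';   Port = '1030'; Remote = $TrustedEngineering }
)
$RuleNames = $Rules | ForEach-Object { $_.Name }
$Ports     = $Rules | ForEach-Object { $_.Port }

# Default-deny inbound on every profile; only explicit allow rules then admit traffic.
# (A blanket block rule on the same port would override the allow rules, so the
# restriction is expressed as default-deny plus scoped allows instead.)
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Disable any pre-existing inbound allow rule that opens one of these ports more widely,
# e.g. a rule created by an installer with RemoteAddress = Any.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -in $Ports } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.DisplayName -notin $RuleNames } |
    Disable-NetFirewallRule

foreach ($r in $Rules) {
    # Recreate our own rule each run so the script stays idempotent
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
        -LocalPort $r.Port -RemoteAddress $r.Remote -Action Allow -Profile Any | Out-Null
}

# Show the resulting scoped rules so the change can be reviewed before the window is closed
Get-NetFirewallRule -DisplayName $RuleNames |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        '{0}: port {1} allowed from {2}' -f $_.DisplayName, $port, $addr
    }
```

Run it in an elevated PowerShell session and keep the WinCC server's own address, the engineering stations and any redundancy partner in the trusted lists, or legitimate WinCC traffic will be blocked along with the untrusted traffic.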
The updated SIMATIC WinCC V7.3 adds the “Encrypted Communications” feature, which allows operators to add an extra layer of security to protect server communication. Siemens recommends activating this feature.
Additional information is available in the Siemens Security Advisory SSA-214365.