Siemens issued a patch to fix an insecure SQL server authentication vulnerability in its SIMATIC WinCC and SIMATIC PCS 7 software.
Previous versions of SIMATIC WinCC use default SQL server credentials that allow administrative access to the database. The default credentials cannot be changed or disabled. An attacker can exploit this vulnerability remotely, and public exploits are targeting it.
The following SIMATIC WinCC and SIMATIC PCS 7 versions suffer from the issue:
• SIMATIC WinCC versions older than V7.0 SP2 Update 1 (22.214.171.124)
• SIMATIC PCS 7 versions older than V7.1 SP2
This vulnerability allows an attacker to gain unauthorized access by using the default credentials to read from or write to files and settings on the target system.
Siemens SIMATIC WinCC is a software package used as an interface between the operator and the programmable logic controllers (PLCs) controlling the process. SIMATIC WinCC performs the following tasks: process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. This software sees use in the food and beverage, water and wastewater, oil and gas, and chemical industries.
The SIMATIC WinCC server uses default credentials for its SQL server database. An attacker can use these credentials to gain administrative access to the database server, allowing data reads and writes. Users cannot change or disable the SIMATIC WinCC default credentials. CVE-2010-2772 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0. An attacker with a low skill level would be able to exploit this vulnerability.
Siemens has addressed this vulnerability in SIMATIC WinCC V7.0 SP2 Update 1 (V 126.96.36.199) and newer. The latest software update, V7.0 SP3 Update 2, is on the Siemens product update page.
Siemens recommends that SIMATIC PCS 7 users apply this update. The updated version removes the default credentials and switches authentication mechanisms to Windows protocols.
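For asset owners triaging an inventory against the affected-version list above, the following added example (not Siemens code) flags installations older than the first fixed releases named in this article. The version-string format, the inventory layout and the host names are assumptions made for illustration.

```python
import re

# First fixed releases as (major, minor, service pack, update), taken from
# the affected-version list in this article.
FIRST_FIXED = {
    "SIMATIC WinCC": (7, 0, 2, 1),   # V7.0 SP2 Update 1
    "SIMATIC PCS 7": (7, 1, 2, 0),   # V7.1 SP2
}

# Assumed string form: "V7.0 SP2 Update 1"; SP and Update parts are optional.
_VERSION_RE = re.compile(
    r"V?\s*(\d+)\.(\d+)(?:\s*SP\s*(\d+))?(?:\s*(?:Update|Upd)\s*(\d+))?\s*$",
    re.IGNORECASE,
)

def parse_version(text):
    """Turn 'V7.0 SP2 Update 1' into (7, 0, 2, 1); missing SP/Update count as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def is_affected(product, version_text):
    """True when the install is older than the first fixed release."""
    if product not in FIRST_FIXED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    return parse_version(version_text) < FIRST_FIXED[product]

def triage(inventory):
    """Return the hosts whose installed version still needs the update."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = [
    ("hmi-01", "SIMATIC WinCC", "V7.0 SP1"),
    ("hmi-02", "SIMATIC WinCC", "V7.0 SP2"),
    ("hmi-03", "SIMATIC WinCC", "V7.0 SP2 Update 1"),
    ("hmi-04", "SIMATIC WinCC", "V7.0 SP3 Update 2"),
    ("es-01", "SIMATIC PCS 7", "V7.1 SP1"),
    ("es-02", "SIMATIC PCS 7", "V7.1 SP2"),
    ("hmi-05", "SIMATIC WinCC", "V6.2 SP3"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs update:", host)
```

Unparseable version strings raise an error rather than being treated as unaffected, so a malformed inventory entry is reviewed by hand instead of silently passing.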