Siemens has released a software update that fully resolves multiple vulnerabilities in SIMATIC WinCC, the software used to configure SIMATIC operator devices.
Exploitation of these vulnerabilities, which were reported by Positive Technologies and by Siemens ProductCERT, could allow a denial-of-service (DoS) condition, unauthorized read access to files, or remote code execution.
SIMATIC WinCC is used in multiple industries, including the food and beverage, water and wastewater, oil and gas, and chemical sectors worldwide. These vulnerabilities are remotely exploitable.
WinCC 7.0 SP3 Update 1 and earlier are affected. Because WinCC is a component of SIMATIC PCS 7, the SIMATIC PCS 7 Web Server is also affected by these vulnerabilities.
SIMATIC WinCC is a software package that serves as the interface between the operator and the programmable logic controllers (PLCs). SIMATIC WinCC performs the following tasks: process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. The software is used in quite a few industries, including food and beverage, water and wastewater, oil and gas, and chemical.
WinCC stores the user passwords for WebNavigator in an MS SQL database. An attacker who can log in to the WinCC database server can extract these passwords and thereby obtain the functions and privileges of every WinCC user.
CVE-2013-0678 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.5.
WinCC grants several database users more rights than they need. A user with low privileges can read the password fields, giving an attacker access to sensitive information.
CVE-2013-0676 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.0.
The WinCC Web server can return sensitive data when certain file names and paths are requested, e.g., via URL parameters. An attacker can use this to browse the file system through URL manipulation and extract sensitive information; however, exploitation requires an authenticated account on the Web server.
CVE-2013-0679 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.0.
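The file-disclosure class above is the one a web server falls into when it builds a file system path from a URL parameter without first canonicalizing it. The following C example, added here as an illustration and not code from WinCC or from Siemens, shows a check a practitioner would want: percent-decode the parameter, collapse "." and ".." segments while treating both "/" and "\" as separators (the server runs on Windows), and refuse any request that climbs above the document root, names an absolute path, or starts with a drive letter. The document root "C:/webroot", the 512-byte request limit and the sample requests in main() are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder document root for the example (not a real WinCC path). */
#define WEB_ROOT "C:/webroot"
#define MAX_SEGMENTS 64

/* Percent-decode src into dst. Returns 0 on a malformed escape, an encoded
 * NUL (%00), or insufficient space; 1 on success. Decoding happens before
 * normalization so that "..%2f" cannot slip past the ".." check below. */
static int url_decode(const char *src, char *dst, size_t dstlen) {
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        char c = src[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]))
                return 0;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            c = (char)strtol(hex, NULL, 16);
            if (c == '\0') return 0;       /* %00 would truncate the real path */
            i += 2;
        }
        if (j + 1 >= dstlen) return 0;
        dst[j++] = c;
    }
    dst[j] = '\0';
    return 1;
}

/* Resolve a request path against WEB_ROOT. Both '/' and '\\' count as
 * separators, "." segments are dropped, ".." pops the previous segment, and
 * any attempt to pop past the root, any absolute path and any drive letter
 * is rejected. On success the normalized "WEB_ROOT/seg/seg" path is written
 * to out and 1 is returned; otherwise 0. */
int resolve_within_root(const char *request, char *out, size_t outlen) {
    char decoded[512];
    if (!url_decode(request, decoded, sizeof decoded)) return 0;
    if (decoded[0] == '/' || decoded[0] == '\\') return 0;
    if (isalpha((unsigned char)decoded[0]) && decoded[1] == ':') return 0;

    const char *seg[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS];
    int n = 0;
    for (const char *p = decoded; *p != '\0';) {
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - start);
        if (*p != '\0') p++;
        if (len == 0 || (len == 1 && start[0] == '.')) continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return 0;          /* would climb above WEB_ROOT */
            n--;
            continue;
        }
        if (n == MAX_SEGMENTS) return 0;
        seg[n] = start;
        seglen[n] = len;
        n++;
    }

    size_t used = strlen(WEB_ROOT);
    if (used + 1 > outlen) return 0;
    memcpy(out, WEB_ROOT, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + seglen[i] + 1 > outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 1;
}

/* Convenience wrapper: the resolved path, or NULL when the request is rejected. */
const char *resolve_or_null(const char *request) {
    static char out[1024];
    return resolve_within_root(request, out, sizeof out) ? out : NULL;
}

int main(void) {
    /* Constructed sample requests, benign and hostile. */
    const char *samples[] = {
        "docs/../index.html", "img%2flogo.png", "../../Windows/win.ini",
        "..%2f..%2fetc/passwd", "a\\..\\..\\x", "/etc/passwd", "C:\\boot.ini", "%00x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = resolve_or_null(samples[i]);
        printf("%-24s -> %s\n", samples[i], r ? r : "REJECTED");
    }
    return 0;
}
```

The order of operations is the point: decoding before normalization defeats "..%2f", treating the backslash as a separator defeats "..\", and refusing to pop below the root defeats any number of leading ".." segments. Rejecting "%00" matters on servers that later hand the string to a C API, where an embedded NUL would silently shorten the path.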
The WinCC Web server requires users to install the ActiveX component RegReader in order to use certain WinCC functions. RegReader does not properly check the length of its parameters, so a malicious web site can trigger a buffer overflow in the component, crashing the browser or executing arbitrary code in the context of the user's browser session.
CVE-2013-0674 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.8.
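The defect described above is a missing length check on a script-controlled parameter before it is copied into a fixed-size buffer. The C example below, added here to illustrate that class and not taken from RegReader or any Siemens code, places the unchecked copy next to a hardened version that bounds the length before copying and fails closed. The registry key names, their values and the 64-byte buffer size are constructed placeholders for the example.

```c
#include <stdio.h>
#include <string.h>

#define KEY_MAX 64   /* fixed buffer the component reserves for a key name */

/* Constructed stand-in for the registry keys the control reads; the names
 * and values are placeholders, not real WinCC keys. */
struct reg_entry { const char *name; const char *value; };
static const struct reg_entry fake_registry[] = {
    { "Software\\Example\\Product\\Version",    "7.0.3.1" },
    { "Software\\Example\\Product\\InstallDir", "C:\\Program Files\\Example" },
};

static const char *lookup(const char *key) {
    for (size_t i = 0; i < sizeof fake_registry / sizeof fake_registry[0]; i++)
        if (strcmp(fake_registry[i].name, key) == 0)
            return fake_registry[i].value;
    return NULL;
}

/* Vulnerable pattern: the key name arrives from script on a web page and is
 * copied into a fixed stack buffer with no length check. A name of KEY_MAX
 * bytes or more overruns `key` and corrupts the stack. Kept for contrast
 * only; never call it with untrusted input. */
const char *read_value_unchecked(const char *key_name) {
    char key[KEY_MAX];
    strcpy(key, key_name);              /* no bound: overflow for long names */
    return lookup(key);
}

/* Hardened pattern: establish the length before the copy and fail closed.
 * memchr stops scanning at KEY_MAX, so an overlong or unterminated name is
 * rejected without reading further than the buffer would hold.
 * Returns 0 when found, 1 when absent, -1 when the parameter is rejected. */
int read_value_checked(const char *key_name, const char **value_out) {
    char key[KEY_MAX];
    *value_out = NULL;
    if (key_name == NULL) return -1;
    const char *nul = memchr(key_name, '\0', KEY_MAX);
    if (nul == NULL) return -1;         /* >= KEY_MAX chars: no room for the NUL */
    size_t len = (size_t)(nul - key_name);
    memcpy(key, key_name, len + 1);     /* len + 1 <= KEY_MAX by construction */
    *value_out = lookup(key);
    return *value_out != NULL ? 0 : 1;
}

/* Helper for exercising the boundary: a name of exactly n 'A' characters. */
const char *name_of_length(size_t n) {
    static char buf[256];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int checked_status(const char *key_name) {
    const char *v;
    return read_value_checked(key_name, &v);
}

const char *checked_value(const char *key_name) {
    const char *v;
    read_value_checked(key_name, &v);
    return v;
}

int main(void) {
    printf("short name, unchecked: %s\n",
           read_value_unchecked("Software\\Example\\Product\\Version"));
    printf("63 chars:  status %d\n", checked_status(name_of_length(63)));  /* accepted, not found */
    printf("64 chars:  status %d\n", checked_status(name_of_length(64)));  /* rejected */
    printf("200 chars: status %d\n", checked_status(name_of_length(200))); /* rejected */
    return 0;
}
```

The boundary is deliberately exact: 63 characters plus the terminator fill the buffer and are accepted, 64 are refused. The hardened routine also never reads past KEY_MAX bytes of the input, so a caller that passes an unterminated string cannot turn the check itself into an out-of-bounds read.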
The WinCC Web server parses project files insecurely. If a legitimate user opens a manipulated project file, sensitive data can be transmitted over the network or a DoS condition can occur.
CVE-2013-0677 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.
The WinCC central communications component (CCEServer) is vulnerable to a buffer overflow that can be triggered remotely over the network. By sending a specially crafted packet to a dynamically assigned port, an attacker can cause a DoS condition in WinCC.
CVE-2013-0675 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.1.
No known public exploits specifically target these vulnerabilities. An attacker with low to medium skill would be able to exploit them.