14 December 2018
Ten new vulnerabilities have been identified in Siemens SINUMERIK CNC controllers, four of them critical. Successful exploitation of these vulnerabilities could allow remote code execution, privilege escalation and device denial-of-service conditions.
The most dangerous of the vulnerabilities is CVE-2018-11466 (uncaught exception). Specially crafted network packets sent to Port 102/TCP (ISO-TSAP) could allow a remote attacker to cause a denial-of-service condition of the integrated software firewall, or allow code to be executed in the context of the software firewall. A CVSS v.3.0 base score of 10, the highest score possible, has been calculated for this vulnerability.
Other critical vulnerabilities include the following issues, all of which have been assigned CVSS v.3.0 base scores of 9.8:
Several of the other vulnerabilities can also lead to privilege escalation and arbitrary code execution, specifically CVE-2018-11463 (buffer overflow), CVE-2018-11461 (improper control of privileges) and CVE-2018-11465 (uncaught exception). Notably, CVE-2018-11465 could allow arbitrary code execution in kernel mode.
Additionally, weaknesses have been identified in the existing protection mechanisms (CVE-2018-11459, CVE-2018-11460). These could allow a local attacker to modify a user-writeable configuration file or a CRAMFS archive so that, after a reboot, the system loads the modified files and executes attacker-controlled code with elevated privileges.
Finally, CVE-2018-11464 could allow a remote attacker to cause a denial-of-service condition of the integrated VNC server on Port 5900/TCP of the affected products.
The above vulnerabilities affect the following controller versions:
SINUMERIK 808D controllers, however, are not affected by CVE-2018-11457, CVE-2018-11458 or CVE-2018-11464.
Siemens has released updates that fix the above vulnerabilities for SINUMERIK 828D and SINUMERIK 840D sl controllers. The company is working on fixes for other affected products.
To reduce the risk of exploitation until the relevant updates are installed, Siemens recommends: checking the firewall on network port X130 and restoring its default settings if they have been changed (by default, 4842/tcp and 5900/tcp are blocked); restricting system access to authorized personnel and following a least-privilege approach; protecting network communication between cells with a VPN; and applying a defense-in-depth strategy.
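The firewall check above can be verified from the cell-network side rather than only in the controller's configuration. The following script is an added example written for this page; it is not Siemens' code and not part of the original advisory. It probes the three ports the advisory names (102/tcp ISO-TSAP, 4842/tcp web server, 5900/tcp VNC) with a plain TCP connect and flags 4842 and 5900 as violations when they answer, since those are the two the X130 default policy blocks; 102/tcp is only reported, because engineering tools normally need it. The `demo()` function is a constructed offline stand-in that uses local ephemeral ports in place of a real controller, so the logic can be exercised without touching production equipment.

```python
import socket
from typing import Dict, Set, Tuple

# Ports named in the advisory. The X130 firewall default blocks 4842/tcp and
# 5900/tcp; 102/tcp is reported only, since ISO-TSAP is normally required.
ADVISORY_PORTS: Dict[int, str] = {
    102: "ISO-TSAP (CVE-2018-11466, CVSS 10.0)",
    4842: "integrated web server (blocked by X130 default)",
    5900: "integrated VNC server (CVE-2018-11464, blocked by X130 default)",
}
MUST_BE_BLOCKED: Set[int] = {4842, 5900}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. the firewall passes
    the port and a service is listening behind it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit_firewall_defaults(host: str,
                            ports: Dict[int, str] = ADVISORY_PORTS,
                            must_be_blocked: Set[int] = MUST_BE_BLOCKED,
                            timeout: float = 2.0) -> Dict[int, dict]:
    """Probe each advisory port and flag any that the default policy should
    block but that answers a connect."""
    findings: Dict[int, dict] = {}
    for port, service in ports.items():
        reachable = tcp_reachable(host, port, timeout)
        findings[port] = {
            "service": service,
            "reachable": reachable,
            "violates_default": reachable and port in must_be_blocked,
        }
    return findings


def violations(findings: Dict[int, dict]) -> list:
    """Sorted list of ports that are open although the default blocks them."""
    return sorted(p for p, f in findings.items() if f["violates_default"])


# --- Constructed offline demo (hypothetical; no real controller involved) ---

def demo() -> Tuple[Dict[int, dict], int, int]:
    """Audit a stand-in host on 127.0.0.1: one ephemeral port left listening
    (plays the exposed VNC service) and one ephemeral port with nothing on it
    (plays a correctly blocked web server). Returns (findings, open, closed)."""
    host = "127.0.0.1"
    # A listening socket completes handshakes in its backlog even without
    # accept(), which is enough for the connect-based probe to succeed.
    open_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    open_srv.bind((host, 0))
    open_srv.listen(5)
    open_port = open_srv.getsockname()[1]
    # Reserve and release a second port so nothing listens on it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        ports = {open_port: "stand-in VNC 5900/tcp",
                 closed_port: "stand-in web server 4842/tcp"}
        findings = audit_firewall_defaults(host, ports,
                                           {open_port, closed_port}, timeout=1.0)
    finally:
        open_srv.close()
    return findings, open_port, closed_port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real target: python audit.py <controller X130 address>
        for port, f in sorted(audit_firewall_defaults(sys.argv[1]).items()):
            state = "OPEN" if f["reachable"] else "closed/filtered"
            flag = "  <-- violates X130 default" if f["violates_default"] else ""
            print(f"{port:5d}/tcp {f['service']}: {state}{flag}")
    else:
        print(demo()[0])
```

Two caveats for use on real equipment: a failed connect does not distinguish a filtered port from a service that is simply down, so "closed/filtered" is evidence that the default is in place, not proof; and even three single-connection probes should be coordinated with the machine operator, since CNC controllers are not designed for unsolicited traffic during production.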