Critical vulnerabilities in Siemens SINUMERIK controllers

Ten new vulnerabilities have been identified in Siemens SINUMERIK CNC controllers, four of them critical. Successful exploitation of these vulnerabilities could allow remote code execution, privilege escalation and device denial-of-service conditions.

The most dangerous of the vulnerabilities is CVE-2018-11466 (uncaught exception). Specially crafted network packets sent to Port 102/TCP (ISO-TSAP) could allow a remote attacker to cause a denial-of-service condition of the integrated software firewall, or allow code to be executed in the context of the software firewall. A CVSS v.3.0 base score of 10, the highest score possible, has been calculated for this vulnerability.

Other critical vulnerabilities include the following issues, all of which have been assigned CVSS v.3.0 base scores of 9.8:

• Buffer overflow (CVE-2018-11457), which could allow a remote attacker to execute code with privileged permissions by sending specially crafted network requests to Port 4842/TCP of the integrated web server. This vulnerability is only exploitable if Port 4842/TCP is manually opened in the firewall configuration of network port X130.
• Integer overflow or wraparound (CVE-2018-11458), which could allow a remote attacker to execute code with privileged permissions by sending specially crafted network requests to Port 5900/TCP of the integrated VNC server. This vulnerability is only exploitable if Port 5900/TCP is manually opened in the firewall configuration of network Port X130.
• Improper control of privileges (CVE-2018-11462), which could allow a remote attacker to escalate privileges to an elevated user account, but not to root.

Some of the other vulnerabilities identified can also allow privilege escalation and arbitrary code execution – specifically, CVE-2018-11463 (buffer overflow), CVE-2018-11461 (improper control of privileges) and CVE-2018-11465 (uncaught exception). Notably, CVE-2018-11465 could allow arbitrary code execution in kernel mode.Additionally, security flaws have been identified in existing protection mechanisms (CVE-2018-11459, CVE-2018-11460). These vulnerabilities could allow a local attacker to modify a user-writeable configuration file or a CRAMFS archive so that after reboot the system will load the modified files and execute attacker-controlled code with elevated privileges.

Finally, CVE-2018-11464 could allow a remote attacker to cause a denial-of-service condition of the integrated VNC server on Port 5900/TCP of the affected products.

The above vulnerabilities affect the following controller versions:

• SINUMERIK 808D v4.7;
• SINUMERIK 808D v8;
• SINUMERIK 828D v4.7 (all versions prior to v4.7 SP6 HF1);
• SINUMERIK 840D sl v4.7 (all versions prior to v4.7 SP6 HF5);
• SINUMERIK 840D sl v4.8 (all versions prior to v4.8 SP3).

At the same time, SINUMERIK 808D controllers are not affected by CVE-2018-11457, CVE-2018-11458, or CVE-2018-11464.

Siemens has released updates that fix the above vulnerabilities for SINUMERIK 828D and SINUMERIK 840D sl controllers. The company is working on fixes for other affected products.

To reduce the risk of vulnerability exploitation before the relevant updates are installed, Siemens recommends checking and restoring default settings (4842/tcp and 5900/tcp blocked) for firewall on network port X130, restricting system access to authorized personnel and following a least privilege approach, using VPN to protect network communication between cells, and applying defense-in-depth.

Sources: Siemens, ICS-CERT