12 October 2018

Siemens fixes new vulnerabilities in its products

Siemens has published several advisories on vulnerabilities in its industrial solutions.

The most severe of the vulnerabilities were identified in the ROX II operating system, which is used in Siemens industrial devices. Successful exploitation of these vulnerabilities could allow valid users to escalate their privileges and execute arbitrary commands.

The vulnerabilities affect all ROX II versions prior to v2.12.1 and involve improper privilege management. By exploiting CVE-2018-13801, an attacker with network access to Port 22/TCP and valid low-privileged user credentials for the target device could perform a privilege escalation and gain root privileges. The other flaw, CVE-2018-13802, could be exploited to enable an authenticated attacker with a high-privileged user account access via SSH interface on Port 22/TCP to circumvent restrictions and execute arbitrary operating system commands. The vulnerabilities have been assigned CVSS v.3 base scores of 8.8 and 7.2, respectively.

To fix the above vulnerabilities, the operating system should be updated to version v2.12.1 as soon as possible. Additionally, to reduce the risk of these vulnerabilities being exploited, Siemens recommends restricting network access on port 22/TCP, if possible.

A dangerous CSRF vulnerability (CVE-2018-13800) was identified in all SIMATIC S7-1200 CPU Family Version 4 products prior to v4.2.3. A CSRF attack could be conducted via a device’s web interface by tricking a user into accessing a malicious link. Successful exploitation requires interaction with a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to read or modify parts of the device configuration.

A CVSS v.3 base score of 7.5 has been calculated for this vulnerability. Siemens has released a firmware update (v4.2.3) to address the issue. Additionally, the vendor recommends that users avoid visiting other websites while being authenticated against the PLC in order to reduce the risk.

Devices found to be vulnerable also include SCALANCE W1750D controller-based Direct Access Points (all versions prior to v8.3.0.1). A cryptographic issue, CVE-2017-13099, was identified in these devices. An attacker with network access to affected devices could potentially obtain a TLS session key. If the attacker is able to observe TLS traffic between a legitimate user and the device, the attacker could decrypt the TLS traffic.

To address this issue, the vendor recommends updating device firmware to v8.3.0.1.

Yet another security flaw has been identified in SIMATIC controllers:

  • SIMATIC S7-1500: all versions prior to v2.5 down to and including v2.0;
  • SIMATIC S7-1500 Software Controller: all versions prior to v2.5 down to and including v2.0;
  • SIMATIC ET 200SP Open Controller: all versions including and after v2.0.

The issue has to do with improper input validation. An attacker with network access to affected systems could exploit CVE-2018-13805 to implement a denial-of-service attack on the network stack by sending a large number of specially crafted packets to the PLC, causing the PLC to lose its ability to communicate over the network.

To fix this vulnerability, Siemens recommends updating the firmware of SIMATIC S7-1500 and SIMATIC S7-1500 Software Controller to v2.5. For SIMATIC ET 200SP Open Controller, the vendor has only provided recommendations on general measures designed to reduce the risk of the vulnerability being exploited, including restricting network access to affected devices and applying defense-in-depth.

Sources: Siemens, ICS-CERT