16 November 2018
Vulnerabilities in Siemens industrial products
Siemens has released several advisories on vulnerabilities identified in its industrial automation solutions.
The most dangerous of the vulnerabilities, CVE-2018-16556 and CVE-2018-16557, affect SIMATIC S7-400 CPUs. Successful exploitation of these vulnerabilities could cause a denial-of-service condition. A manual reboot or firmware re-image is required to bring the system back to normal operation. CVSS v.3 base scores of 7.5 and 8.2, respectively, have been calculated for these vulnerabilities.
Both flaws are improper input validation vulnerabilities. Both can be exploited by sending specially crafted packets to port 102/TCP via Ethernet interface, via PROFIBUS, or via multi-point interfaces (MPI).
Devices affected by these vulnerabilities include the following products:
- S7-400 (including F) v6 and below, all versions;
- S7-400 PN/DP v7 (including F), all versions;
- S7-400H v4.5 and below, all versions;
- S7-400H v6, all versions;
- S7-410, all versions prior to v8.2.1.
Siemens recommends the following measures to reduce the risk of vulnerability exploitation:
- to mitigate CVE-2018-16557: configure protection Level 3 (read/write protection);
- restrict network access to protected devices, including network access to port 102/TCP for Ethernet interfaces;
- for SIMATIC S7-CPU 410 CPUs, activate field interface security in PCS 7 v9.0, use a SIMATIC CP443-1 Adv. to communicate with ES/OS, and update to Version 8.2.1.
Another serious vulnerability has been identified in SIMATIC IT Production Suite, a plant-centric IT solution building the link between business systems (e.g., ERP) and control systems. CVE-2018-13804 could allow authorized users with physical or network access to the affected system to bypass the application-level authentication.
This issue has been assigned a CVSS v.3 base score of 7.7. It affects the following solutions:
- all versions of SIMATIC IT LMS,
- SIMATIC IT Production Suite: versions from 7.1 prior to version 7.1 Upd3;
- all versions of SIMATIC IT UA Discrete Manufacturing up to version 2.4 (inclusive).
To mitigate this issue, Siemens recommends installing the relevant updates and restricting network access to affected installations.
Siemens has also reported the following medium-severity vulnerabilities (CVSS v.3 base score from 4 to 5.3):
- resource exhaustion in SIMATIC S7 (CVE-2018-13815), potentially resulting in a denial-of-service condition;
- unprotected storage of credentials in SIMATIC STEP 7 (CVE-2018-13811), potentially allowing an attacker to reconstruct the password;
- XSS vulnerability in SCALANCE S products (CVE-2018-16555), which can be exploited if the user follows a malicious link;
- improper access control in IEC 61850 System Configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer and SICAM SCC software (CVE-2018-4858), potentially allowing a remote attacker to exfiltrate limited data from the system or execute code with operating system user permissions.
Siemens has released updates fixing these vulnerabilities for all affected solutions.