Multiple vulnerabilities in Siemens products

Siemens has released several security advisories on vulnerabilities identified in its industrial automation products.

Vulnerabilities have been identified in the following solutions:

• SiNVR 3, a video management solution (all versions of SiNVR 3 Central Control Server and SiNVR 3 Video Server);
• XHQ Operations Intelligence, operations intelligence products for oil-and-gas and power generation companies;
• RUGGEDCOM ROS switch;
• Siemens EN100 Ethernet Module.

A total of 7 vulnerabilities were identified in SiNVR 3, which, if exploited, could allow attackers to read and reset SiNVR 3 CCS (Central Control Server) user passwords, read the CCS and SiNVR user database, including all users’ passwords in obfuscated cleartext, extract device configuration files and passwords from the user database, etc. The greatest danger is posed by the following vulnerabilities:

• CVE-2019-18337, an authentication bypass vulnerability in the XML-based communication protocol, and CVE-2019-18339, which has to do with missing authentication for critical functions. Both vulnerabilities were assigned a base score of 9.8.
• CVE-2019-18342, which has to do with the lack of proper limitations in the SFTP service. A CVSS v.3 base score of 9.9 was calculated for this vulnerability.

Three vulnerabilities have been identified in XHQ Operations Intelligence product line (all versions prior to 6.0.0.2), which could allow an attacker to read or modify the contents of the web application:

• CVE-2019-13930, a CSRF vulnerability
• CVE-2019-13931, an XSS vulnerability
• CVE-2019-13932, an improper input validation vulnerability.

CVSS v3 base scores of 8.1, 6.5 and 8.8, respectively, have been calculated for the above vulnerabilities.

Another two vulnerabilities, CVE-2018-18440 and CVE-2019-13103, have been identified in the RUGGEDCOM ROS switch. The former vulnerability has to do with improper restriction of operations within the bounds of a memory buffer, the latter with resource management errors. The CVSS v3 base scores calculated for these vulnerabilities are 7.8 and 4.6, respectively. Successful exploitation of these vulnerabilities could cause a denial-of-service condition or result in arbitrary code execution.

A number of vulnerabilities have also been identified in the EN100 Ethernet module. They include buffer overflow (CVE-2019-13942), XSS (CVE-2019-13943) and Path Traversal (CVE-2019-13944) flaws. CVSS v3 base scores calculated for these vulnerabilities are 7.5, 7.2 and 5.3, respectively.

If successfully exploited, these vulnerabilities could allow an attacker to execute code remotely, cause a denial-of-service condition and obtain sensitive information about the device.

The above vulnerabilities affect the following versions of the device:

• EN100 Ethernet module for IEC 61850 (all versions prior to 4.37)
• EN100 Ethernet module for PROFINET IO
• EN100 Ethernet module for Modbus TCP
• EN100 Ethernet module for DNP3
• EN100 Ethernet module for IEC104

These devices are included in SIPROTEC 4 and SIPROTEC Compact.

Sources: ICS-CERT, Siemens