Multiple vulnerabilities in SPPA-T3000 components

Siemens has reported multiple vulnerabilities in components of its SPPA-T3000 distributed control system, which is used primarily at large power generation facilities. The security issues were identified by researchers from Kaspersky, Positive Technologies and Biznet Bilisim.

Researchers identified 19 vulnerabilities in the code of the SPPA-T3000 Application Server and 35 more vulnerabilities in the MS3000 Migration Server. Some of the vulnerabilities are critical and could allow attackers to execute arbitrary code or cause denial-of-service conditions.

The following Application Server vulnerabilities pose the greatest danger:

• CVE-2019-18283 and CVE-2019-18314 – CVE-2019-18316, which, if exploited, could allow attackers to execute arbitrary code on the server. The CVSS v.3.1 base score calculated for each of these vulnerabilities is 9.8.
• CVE-2019-18284, which could be exploited by attackers to receive password hashes of other users and change user passwords. This vulnerability has also been assigned a CVSS v. 3.1 base score of 9.8.
• СVE-2019-18288, which could allow attackers to upload arbitrary files via the unprotected Remote Method Invocation (RMI) service. A CVSS v3.1 base score of 8.8 has been calculated for this flaw.
• CVE-2018-4832, caused by the system having a method available via Remote Procedure Call (RPC method), which is provided for administration purposes and does not require authentication. If exploited, this vulnerability could lead to a denial-of-service condition on the remote and local communication functionality of affected products. It has a CVSS v.3.1 base score of 7.5.

Other vulnerabilities identified have to do with improper authentication (CVE-2019-18286, CVE-2019-18287, CVE-2019-18317 – CVE-2019-18320), unencrypted RMI communication between the client and the application server (CVE-2019-18285) and information exposure (CVE-2019-18331 – CVE-2019-18335).

Multiple severe vulnerabilities have also been identified in the MS-3000 Migration Server. For 11 of these vulnerabilities (CVE-2019-18293, CVE-2019-18289, CVE-2019-18313, CVE-2019-18323 – CVE-2019-18330), a CVSS v3.1 base score of 9.8 was calculated.

Most of the vulnerabilities are heap-based buffer overflow type, potentially resulting in denial of service on the server. Other issues identified include:

• Improper access control (CVE-2019-18308, CVE-2019-18309), which could allow an attacker to gain root privileges by manipulating specific files in the local file system.
• Improper authentication (CVE-2019-18321, CVE-2019-18322), which could be exploited by attackers to read and write arbitrary files.
• Out-of-bounds read (CVE-2019-18306, CVE-2019-18307) and integer overflow (CVE-2019-18298 – CVE-2019-18305), which could lead to denial-of-service conditions.

CVE-2019-18331, CVE-2019-18333 and CVE-2019-18334 were fixed in SPPAT3000 Service Pack R8.2 SP1. The vendor is working on fixes for other vulnerabilities.

Source: Siemens