ICS-CERT is aware of a public report by independent security researchers Billy Rios and Terry McCorkle concerning authentication bypass vulnerabilities affecting Siemens SIMATIC HMI products which are supervisory control and data acquisition/human-machine interface (SCADA/HMI) products.
According to this report, systems running affected versions of this product are accessible using a default username and password. These systems also generate an insecure authentication token for browser sessions. Prior to public disclosure, the researchers notified ICS-CERT of the vulnerabilities. ICS-CERT is continuing to coordinate mitigations with the researchers and Siemens.
Siemens was previously aware of these vulnerabilities and intends to address them in Service Packs to be released in January 2012. Please see mitigation section of this document for additional information regarding the release of the Service Packs. Siemens has also updated its product documentation with instructions for configuring a strong password and removing default passwords during initial setup.
According to Siemens, the following software packages are vulnerable:
Successful exploitation of these vulnerabilities could allow an attacker to log on to a vulnerable system as a user or administrator with the ability to execute arbitrary code or obtain full access to files on the system.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
The Siemens SIMATIC HMI product family is used as an interface between operators and the corresponding PLCs. SIMATIC HMI performs the following tasks: process visualization, operator control of the process, display of alarms, archiving of process values and alarms, and management of machine parameters. This software is used in many industries, including food and beverage, water and wastewater, oil and gas, and chemical.
The authentication token/cookie values set when a user (administrator) logs in are predictable when non-encrypted HTTP communication is used. This can allow an attacker to bypass authentication checks and escalate privileges.
CVE-2011-4508 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 6.5.
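The following is an added example, not Siemens code and not a description of the actual SIMATIC token format, which the advisory does not publish. It contrasts a hypothetical predictable token scheme (login time plus a login counter, both guessable) with tokens drawn from the OS CSPRNG, and shows the two checks a tester would run: a Burp-Sequencer-style entropy estimate over a sample of captured tokens, and the enumeration an attacker performs once the scheme is known. The start clock value and window sizes are constructed for the example.

```python
import math
import secrets
from collections import Counter


class PredictableTokenIssuer:
    """Hypothetical weak issuer (illustrative only, not the SIMATIC code):
    the session token is the login time in seconds plus a global login
    counter, rendered as hex. Both inputs are guessable by anyone who can
    log in once and read the clock."""

    def __init__(self, start_seconds):
        self.seconds = start_seconds  # coarse server clock, advanced by tick()
        self.counter = 0              # incremented on every login

    def issue(self):
        self.counter += 1
        return f"{self.seconds:08x}{self.counter:04x}"

    def tick(self):
        self.seconds += 1


class RandomTokenIssuer:
    """Hardened issuer: 128 bits straight from the OS CSPRNG via the
    secrets module, so there is no structure to enumerate."""

    def issue(self):
        return secrets.token_hex(16)

    def tick(self):
        pass  # the clock plays no role in token generation


def sample_tokens(issuer, n):
    """Collect n tokens, advancing the issuer's clock one second per login."""
    tokens = []
    for _ in range(n):
        tokens.append(issuer.issue())
        issuer.tick()
    return tokens


def estimated_entropy_bits(tokens):
    """Sum of per-position empirical Shannon entropy across a token sample.
    A result far below the token's nominal width (4 bits per hex digit)
    means most digits are constant or slowly varying. Limit of this test:
    a hashed but still predictable value would score as 'random'."""
    n = len(tokens)
    total = 0.0
    for pos in range(len(tokens[0])):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def candidate_tokens(observed, clock_window, counter_window):
    """Attacker side, assuming the weak scheme is known: parse the clock and
    counter out of the attacker's own token and enumerate every token a
    slightly later login could have received."""
    seconds = int(observed[:8], 16)
    counter = int(observed[8:], 16)
    return {
        f"{s:08x}{c:04x}"
        for s in range(seconds, seconds + clock_window)
        for c in range(counter + 1, counter + 1 + counter_window)
    }


def demo_weak_scheme():
    """Attacker logs in, an administrator logs in three seconds later; the
    attacker recovers the admin token from a small candidate set."""
    issuer = PredictableTokenIssuer(start_seconds=0x4EEAA300)  # constructed clock value
    attacker_token = issuer.issue()
    for _ in range(3):
        issuer.tick()
    admin_token = issuer.issue()
    guesses = candidate_tokens(attacker_token, clock_window=10, counter_window=20)
    return admin_token in guesses, len(guesses)


if __name__ == "__main__":
    found, n = demo_weak_scheme()
    print(f"weak scheme: admin token in candidate set={found}, set size={n}")
    for name, issuer in (("predictable", PredictableTokenIssuer(0x4EEAA300)),
                         ("csprng", RandomTokenIssuer())):
        bits = estimated_entropy_bits(sample_tokens(issuer, 200))
        print(f"{name}: ~{bits:.1f} bits of entropy across 200 tokens")
```

The entropy estimate flags the predictable scheme (roughly 15 bits over 200 samples against about 125 for the CSPRNG tokens), but it is a screening test only: hashing the clock-and-counter value would make the digits look uniform while leaving the candidate set exactly as small as `candidate_tokens` shows. The fix is to generate the token from a CSPRNG, and to send it only over TLS so it cannot simply be read off the wire.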
There is a default administrator password, which is weak and easily brute-forced or guessed. Siemens has changed the documentation to encourage the user to change the password upon first login.
CVE-2011-4509 has been assigned to this vulnerability.
No known exploits specifically target these vulnerabilities.
The default password would be very simple to exploit; exploiting the insecure token generation vulnerability would require a greater amount of work and knowledge.
The authentication token generation vulnerability will be addressed by Siemens in its “SIMATIC WinCC V11.0 SP 2 Update 1,” which is to be released on January 13, 2012 or “SIMATIC WinCC flexible 2008 SP3” which is to be released on January 18, 2012.
Product documentation has been updated to tell the user how to set a proper password during initial setup to remove the risk of the default password vulnerability.
Siemens has published a statement on their Industrial Security web pages that addresses these issues.
ICS-CERT encourages asset owners to take additional defensive measures to protect against these and other cybersecurity risks.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks: