CVSS v2 base score: 10 (High), vector AV:N/AC:L/Au:N/C:C/I:C/A:C (Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality, Integrity and Availability Impact: Complete).
EPSS: 0.307 (Low), percentile 97.0%.
This advisory is a follow-up to a previous advisory titled “ICSA-11-356-01 – Siemens HMI Authentication Vulnerabilities” that was published December 22, 2011, and an alert titled “ICS-ALERT-11-332-02A – Siemens SIMATIC WinCC Flexible Vulnerabilities” that was published December 2, 2011.
ICS-CERT has received reports from independent security researchers Billy Rios, Terry McCorkle, Shawn Merdinger, and Luigi Auriemma detailing several vulnerabilities in the Siemens SIMATIC WinCC Human-Machine Interface (HMI) application. ICS-CERT has coordinated with these researchers and Siemens to validate these vulnerabilities and include mitigation strategies in the latest Siemens service packs (Siemens ProductCERT advisories, http://www.siemens.com/cert/advisories/, website last accessed April 16, 2012).
According to Siemens, the following software packages are vulnerable:
The following related products are not affected:
Successful exploitation of these vulnerabilities could allow an attacker to log on to a vulnerable system as a user or administrator with the ability to execute arbitrary code or obtain full access to files on the system.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Siemens SIMATIC HMI is a software package used as an interface between the operator and the programmable logic controllers (PLCs) controlling the process. SIMATIC HMI performs the following tasks: process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. This software is used in many industries, including food and beverage, water and wastewater, oil and gas, and chemical.
When a user (or administrator) logs on, the application sets predictable authentication token/cookie values. This can allow an attacker to bypass authentication checks and escalate privileges.
CVE-2011-4508 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator (NVD Common Vulnerability Scoring System Support v2, http://nvd.nist.gov/cvss.cfm, website last accessed April 16, 2012) rates a CVSS Base Score of 9.3.
The default administrator password is weak and easily brute forced. Siemens has changed the documentation to encourage users to change the password at first login.
CVE-2011-4509 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.
SIMATIC HMI Smart Options web server is vulnerable to two separate cross-site scripting attacks that may allow elevation of privileges, data theft, or service disruption.
CVE-2011-4510 and CVE-2011-4511 have been assigned to these vulnerabilities. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 4.3.
The HMI web server is vulnerable to header injection that may allow elevation of privileges, data theft, or service disruption.
CVE-2011-4512 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 4.3.
This vulnerability can allow an attacker to execute arbitrary code via specially crafted project files. This may require social engineering to get the operator to download the files and execute them.
CVE-2011-4513 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.
SIMATIC panels include a telnet daemon by default; however, the daemon does not include any authentication functions.
CVE-2011-4514 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.
The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not properly validate the length of data segments and Unicode strings, which may cause a stack overflow. This vulnerability may lead to remote code execution.
CVE-2011-4875 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.
The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not properly validate incoming strings. This allows an attacker full access (read, write, and execute) to any file within the file system.
CVE-2011-4876 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.
The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not sufficiently validate incoming data. Multiple vulnerabilities allow a denial-of-service (DoS) attack, which leads to a program crash.
CVE-2011-4877 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 7.1.
The HMI web server does not properly validate URLs within HTTP requests on Ports 80/TCP and 443/TCP. By manipulating URLs with encoded backslashes, directory traversal is possible. This allows an attacker read access for all files within the file system.
CVE-2011-4878 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 7.8.
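An added detection example, not from the advisory or from Siemens: it parses constructed web-server access-log lines, undoes single and double percent-encoding of request paths, folds backslashes into forward slashes, and flags requests that traverse upward, the pattern described above. The log format, client addresses and paths are all constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample in common log format; not from a real HMI.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2012:10:01:02 +0000] "GET /www/index.html HTTP/1.1" 200 512
10.0.0.9 - - [16/Apr/2012:10:01:07 +0000] "GET /www/..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 92
10.0.0.9 - - [16/Apr/2012:10:01:09 +0000] "GET /www/..%255c..%255cboot.ini HTTP/1.1" 404 0
10.0.0.7 - - [16/Apr/2012:10:02:00 +0000] "GET /www/images/logo.png HTTP/1.1" 200 3120
"""

# Extracts client IP, method and raw request path from one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)


def normalize_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (so %255c becomes %5c becomes a backslash),
    then fold backslashes into forward slashes so one check covers both."""
    decoded = raw
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """Flag any '..' segment that survives normalization."""
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))


def find_traversal_attempts(log_text: str):
    """Return (client_ip, raw_path) for each request whose path traverses upward."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```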
The HMI web server does not properly validate HTTP requests. By manipulating the first byte within a URL, the server switches to a special interpretation of the URL. This allows an attacker to read the application process memory and perform a DoS attack by specifying invalid memory locations.
CVE-2011-4879 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 8.5.
An attacker would need user interaction to exploit vulnerability #5.
The remaining vulnerabilities can be exploited remotely.
Publicly available exploits are known to specifically target vulnerabilities #1, #2, and #7 through #11.
No known publicly available exploits specifically target vulnerabilities #3 through #6.
These vulnerabilities would be very simple for a skilled attacker to exploit.
Exploiting vulnerability #5 requires social engineering to convince the user to accept and load the malformed file. This decreases the likelihood of a successful exploit.
Each of the reported vulnerabilities has been addressed by Siemens, as follows:
ICS-CERT tested WinCC V11 (TIA Portal) SP2 Update 1 (http://support.automation.siemens.com/WW/view/en/58112587, website last accessed April 16, 2012) and WinCC flexible 2008 SP3 (http://support.automation.siemens.com/WW/view/en/57267466, website last accessed April 16, 2012).
The remaining vulnerabilities are addressed in documentation and a new FAQ entry on the Siemens website. If unable to implement these changes, product users should contact their integrator or Siemens product support for assistance.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
support.automation.siemens.com/WW/view/en/29054992
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4508
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4509
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4510
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4511
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4512
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4513
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4514
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4875
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4876
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4877
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4878
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4879