Industrial Control Systems Cyber Emergency Response TeamICSA-22-069-09Siemens SINEC INS
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
97.4%
1. EXECUTIVE SUMMARY
- CVSS v3 9.8 ***ATTENTION: **Exploitable remotely/low attack complexity
- Vendor: Siemens
- **Equipment:**SINEC INS
- Vulnerability: Using Components with Known Vulnerabilities
2. RISK EVALUATION
Successful exploitation of this vulnerability in third-party components could allow an attacker to interfere with the affected product in various ways.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports this vulnerability affects the following SINEC INS (Infrastructure Network Services) web-based application:
- SINEC INS: All versions prior to v1.0.1.1
3.2 VULNERABILITY OVERVIEW
3.2.1 USING COMPONENTS WITH KNOWN VULNERABILITIES CWE-1035
There are 71 third-party components affected by this vulnerability as Node.js, cURL, SQLite, CivetWeb and DNS(ISC BIND) could allow an attacker to interfere with the affected product.
CVE-2019-19242, CVE-2019-19244, CVE-2019-19317, CVE-2019-19603, CVE-2019-19645, CVE-2019-19646, CVE-2019-19880, CVE-2019-19923, CVE-2019-19924, CVE-2019-19925, CVE-2019-19926, CVE-2020-1971, CVE-2020-7774, CVE-2020-8169, CVE-2020-8177, CVE-2020-8231, CVE-2020-8265, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2020-8287, CVE-2020-8625, CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-13871, CVE-2020-15358, CVE-2020-27304, CVE-2021-3449, CVE-2021-3450, CVE-2021-3672, CVE-2021-3711, CVE-2021-3712, CVE-2021-22876, CVE-2021-22883, CVE-2021-22884, CVE-2021-22890, CVE-2021-22897, CVE-2021-22898, CVE-2021-22901, CVE-2021-22918, CVE-2021-22921, CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926, CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, CVE-2021-22945, CVE-2021-22946, CVE-2021-22947, CVE-2021-23362, CVE-2021-23840, CVE-2021-25214, CVE-2021-25215, CVE-2021-25216, CVE-2021-25219, CVE-2021-27290, CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 have been assigned to these third-party component vulnerabilities. A CVSS v3 base score of 9.8 has been calculated for the worst case; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURESECTORS: Energy
- **COUNTRIES/AREAS DEPLOYED:**Worldwide
- **COMPANY HEADQUARTERS LOCATION:**Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has released an update for SINEC INS and recommends updating to v1.0.1.1 or later version.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security, and to follow the recommendations in the product manuals.
Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity
For more information about this issue, please see Siemens’ security advisory SSA-389290
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability.
References
cert-portal.siemens.com/operational-guidelines-industrial-security.pdf
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
cwe.mitre.org/data/definitions/1035.html
nvd.nist.gov/vuln/detail/CVE-2019-19242
nvd.nist.gov/vuln/detail/CVE-2019-19244
nvd.nist.gov/vuln/detail/CVE-2019-19317
nvd.nist.gov/vuln/detail/CVE-2019-19603
nvd.nist.gov/vuln/detail/CVE-2019-19645
nvd.nist.gov/vuln/detail/CVE-2019-19646
nvd.nist.gov/vuln/detail/CVE-2019-19880
nvd.nist.gov/vuln/detail/CVE-2019-19923
nvd.nist.gov/vuln/detail/CVE-2019-19924
nvd.nist.gov/vuln/detail/CVE-2019-19925
nvd.nist.gov/vuln/detail/CVE-2019-19926
nvd.nist.gov/vuln/detail/CVE-2020-11655
nvd.nist.gov/vuln/detail/CVE-2020-11656
nvd.nist.gov/vuln/detail/CVE-2020-13630
nvd.nist.gov/vuln/detail/CVE-2020-13631
nvd.nist.gov/vuln/detail/CVE-2020-13632
nvd.nist.gov/vuln/detail/CVE-2020-13871
nvd.nist.gov/vuln/detail/CVE-2020-15358
nvd.nist.gov/vuln/detail/CVE-2020-1971
nvd.nist.gov/vuln/detail/CVE-2020-27304
nvd.nist.gov/vuln/detail/CVE-2020-7774
nvd.nist.gov/vuln/detail/CVE-2020-8169
nvd.nist.gov/vuln/detail/CVE-2020-8177
nvd.nist.gov/vuln/detail/CVE-2020-8231
nvd.nist.gov/vuln/detail/CVE-2020-8265
nvd.nist.gov/vuln/detail/CVE-2020-8284
nvd.nist.gov/vuln/detail/CVE-2020-8285
nvd.nist.gov/vuln/detail/CVE-2020-8286
nvd.nist.gov/vuln/detail/CVE-2020-8287
nvd.nist.gov/vuln/detail/CVE-2020-8625
nvd.nist.gov/vuln/detail/CVE-2020-9327
nvd.nist.gov/vuln/detail/CVE-2021-22876
nvd.nist.gov/vuln/detail/CVE-2021-22883
nvd.nist.gov/vuln/detail/CVE-2021-22884
nvd.nist.gov/vuln/detail/CVE-2021-22890
nvd.nist.gov/vuln/detail/CVE-2021-22897
nvd.nist.gov/vuln/detail/CVE-2021-22898
nvd.nist.gov/vuln/detail/CVE-2021-22901
nvd.nist.gov/vuln/detail/CVE-2021-22918
nvd.nist.gov/vuln/detail/CVE-2021-22921
nvd.nist.gov/vuln/detail/CVE-2021-22922
nvd.nist.gov/vuln/detail/CVE-2021-22923
nvd.nist.gov/vuln/detail/CVE-2021-22924
nvd.nist.gov/vuln/detail/CVE-2021-22925
nvd.nist.gov/vuln/detail/CVE-2021-22926
nvd.nist.gov/vuln/detail/CVE-2021-22930
nvd.nist.gov/vuln/detail/CVE-2021-22931
nvd.nist.gov/vuln/detail/CVE-2021-22939
nvd.nist.gov/vuln/detail/CVE-2021-22940
nvd.nist.gov/vuln/detail/CVE-2021-22945
nvd.nist.gov/vuln/detail/CVE-2021-22946
nvd.nist.gov/vuln/detail/CVE-2021-22947
nvd.nist.gov/vuln/detail/CVE-2021-23362
nvd.nist.gov/vuln/detail/CVE-2021-23840
nvd.nist.gov/vuln/detail/CVE-2021-25214
nvd.nist.gov/vuln/detail/CVE-2021-25215
nvd.nist.gov/vuln/detail/CVE-2021-25216
nvd.nist.gov/vuln/detail/CVE-2021-25219
nvd.nist.gov/vuln/detail/CVE-2021-27290
nvd.nist.gov/vuln/detail/CVE-2021-32803
nvd.nist.gov/vuln/detail/CVE-2021-32804
nvd.nist.gov/vuln/detail/CVE-2021-3449
nvd.nist.gov/vuln/detail/CVE-2021-3450
nvd.nist.gov/vuln/detail/CVE-2021-3672
nvd.nist.gov/vuln/detail/CVE-2021-3711
nvd.nist.gov/vuln/detail/CVE-2021-3712
nvd.nist.gov/vuln/detail/CVE-2021-37701
nvd.nist.gov/vuln/detail/CVE-2021-37712
nvd.nist.gov/vuln/detail/CVE-2021-37713
nvd.nist.gov/vuln/detail/CVE-2021-39134
nvd.nist.gov/vuln/detail/CVE-2021-39135
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
support.industry.siemens.com/cs/ww/en/view/109806100/
twitter.com/CISAgov
twitter.com/intent/tweet?text=Siemens%20SINEC%20INS+https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09
www.cisa.gov/uscert/ics
www.cisa.gov/uscert/ics
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/recommended-practices
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09&title=Siemens%20SINEC%20INS
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09
www.oig.dhs.gov/
www.siemens.com/cert/operational-guidelines-industrial-security
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Siemens%20SINEC%20INS&body=www.cisa.gov/news-events/ics-advisories/icsa-22-069-09
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
97.4%