KLA10394 Multiple vulnerabilities in Siemens

Published: 2012-01-24 00:00:00
Source: Kaspersky Lab (threats.kaspersky.com)

CVSS2 score: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score: 8.4 High (Confidence: High)

EPSS: 0.307 Low (Percentile: 97.0%)

Multiple critical vulnerabilities have been found in Siemens products. Malicious users can exploit these vulnerabilities to read and modify arbitrary files, cause a denial of service, execute arbitrary code, bypass authentication, obtain access and inject arbitrary HTTP headers. Below is a complete list of vulnerabilities:

  1. A directory traversal vulnerability can be exploited remotely via a specially designed request;
  2. Vectors related to HmiLoad can be exploited remotely via specially designed TCP data;
  3. A buffer overflow can be exploited remotely via vectors related to Unicode strings;
  4. Improper URI handling can be exploited remotely via a specially designed POST request;
  5. Predictable authentication tokens can be exploited remotely via specially designed cookies;
  6. Weak default passwords can be exploited remotely via brute force;
  7. Lack of authentication in the TELNET daemon can be exploited remotely via TCP sessions;
  8. An XSS vulnerability can be exploited remotely;
  9. Vectors related to the HMI web server and runtime loader can be exploited remotely;
  10. A CRLF injection vulnerability can be exploited remotely.

Original advisories

Siemens bulletin

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Such malware is usually classified as Exploit.

Related products

WinCC-flexible

Simatic-HMI-Panels

CVE list

CVE-2011-4878 high

CVE-2011-4875 critical

CVE-2011-4877 high

CVE-2011-4876 critical

CVE-2011-4508 critical

CVE-2011-4879 high

CVE-2011-4510 warning

CVE-2011-4511 warning

CVE-2011-4514 critical

CVE-2011-4509 critical

CVE-2011-4512 warning

CVE-2011-4513 critical

Solution

Update to the latest version.

Impacts

  • ACE: Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute arbitrary code or commands on the vulnerable machine or in the vulnerable process.

  • DoS: Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.

  • CI: Code injection. Exploitation of vulnerabilities with this impact can lead to changes in the target code.

  • SB: Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by the current security settings.

  • WLF: Write Local Files. Exploitation of vulnerabilities with this impact can lead to writing into files that should be inaccessible. Which files can be written depends on the specific program error.

  • RLF: Read Local Files. Exploitation of vulnerabilities with this impact can lead to reading files that should be inaccessible. Which files can be read depends on the specific program error.

Affected Products

  • Siemens WinCC flexible versions 2004, 2005, 2007 and 2008 earlier than SP 3
  • Siemens WinCC, WinCC Runtime Advanced version 11
  • Siemens Simatic HMI Panels TP, OP, MP, Comfort, Mobile
  • Siemens WinCC flexible Runtime
