Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSec-consult.comPACKETSTORM:144982
HistoryNov 14, 2017 - 12:00 a.m.

Siemens SICAM RTUs SM-2556 COM Modules XSS / Bypass / Code Execution

2017-11-1400:00:00
sec-consult.com
packetstormsecurity.com
62

0.011 Low

EPSS

Percentile

84.7%

JSON
`SEC Consult Vulnerability Lab Security Advisory < 20171114-0 >  
=======================================================================  
title: Authentication bypass, cross-site scripting & code  
execution  
product: Siemens SICAM RTUs SM-2556 COM Modules  
(firmware variants ENOS00, ERAC00, ETA2, ETLS00,  
MODi00 and DNPi00  
vulnerable version: FW 1549 Revision 07  
fixed version: none, see Workaround section below  
CVE number: CVE-2017-12737 (authentication bypass)  
CVE-2017-12738 (XSS)  
CVE-2017-12739 (web server)  
impact: critical  
homepage: www.siemens.com  
found: 2017-08-17  
by: SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Siemens is a global powerhouse focusing on the areas of electrification,  
automation and digitalization. One of the world's largest producers of  
energy-efficient, resource-saving technologies, Siemens is a leading supplier  
of systems for power generation and transmission as well as medical diagnosis."  
  
Source: https://www.siemens.com/global/en/home/company/about.html  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends not to use this device in production until a thorough  
security review has been performed by security professionals and all  
identified issues have been resolved. The device must not be accessible from  
untrusted networks.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Authentication Bypass (client-side "authentication" enforcement)  
The web interface (TCP port 80) suffers from an authentication bypass  
vulnerability that allows unauthenticated attackers to access arbitray  
functionality and information (i.e. password lists) available through  
the webserver.  
  
  
2) Reflected Cross-Site Scripting  
The web interface provides a "ping" functionality. This form is  
vulnerable to reflected cross-site-scripting because of missing input  
handling and output encoding.  
  
  
3) Outdated Webserver (GoAhead)  
The used webserver version contains known weaknesses.  
  
  
Proof of concept:  
-----------------  
1) Authentication Bypass  
Use a browser which has JavaScript disabled ("Authentication" checks are  
performed client-side) and open legitimate URLs directly.  
  
Examples:  
http://<hostname>/start.asp  
http://<hostname>/pwliste.asp  
http://<hostname>/goform/webforms_readmem?start_addr=0&length=100  
  
  
2) Reflected Cross-Site Scripting  
All parameters in "webforms_ping" are vulnerable to reflected XSS:  
http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1  
  
  
3) Outdated Webserver  
The used version of "GoAhead" webserver is 2.1.7 (released in Oct. 2003)  
This version has known vulnerabilities:  
  
http://aluigi.altervista.org/adv/goahead-adv3.txt  
https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp  
  
  
  
Vulnerable / tested versions:  
-----------------------------  
SM-2556 COM Modules with the firmware variants ENOS00, ERAC00,  
ETA2, ETLS00, MODi00 and DNPi00  
(FW 1549 Revision 07)  
  
  
Vendor contact timeline:  
------------------------  
2017-09-25: Encrypted advisory sent to Siemens ProductCERT  
2017-10-02: Requesting status update.  
2017-10-09: Vendor states that the "affected device is out of service"  
and provides workaround (disable webserver). They are  
"still assessing the next steps".  
2017-11-02: Requesting status update.  
2017-11-06: Siemens ProductCERT will reach out to development team and keep us  
posted.  
2017-11-08: Siemens ProductCERT prepares advisory.  
2017-11-08: Asking about planned release date.  
2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14)  
2017-11-14: Coordinated public release.  
  
  
Solution:  
---------  
No firmware update is available as the device is no longer supported by  
the vendor.  
  
  
Workaround:  
-----------  
According to the vendor the webserver can be disabled to mitigate all  
the vulnerabilities documented in this advisory.  
The webserver is optional and only used for commissioning and debugging  
purposes.  
  
The vendor published the following document for further information:  
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-164516.pdf  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
  
EOF SEC Consult Vulnerability Lab / @2017  
  
`

Related

zdt 1
ics 1
prion 3
cvelist 3
nvd 3
cve 3
zdt
zdt
Siemens SICAM RTUs SM-2556 COM Modules XSS / Bypass / Code Execution Vulnerabilities
2017-11-15 00:00:00
ics
ics
Siemens SICAM
2017-11-16 12:00:00
prion
prion
Cross site scripting
2017-11-15 08:29:00
Code injection
2017-11-15 08:29:00
Design/Logic Flaw
2017-11-15 08:29:00
cvelist
cvelist
CVE-2017-12738
2017-11-15 08:00:00
CVE-2017-12737
2017-11-15 08:00:00
CVE-2017-12739
2017-11-15 08:00:00
nvd
nvd
CVE-2017-12738
2017-11-15 08:29:00
CVE-2017-12739
2017-11-15 08:29:00
CVE-2017-12737
2017-11-15 08:29:00
cve
cve
CVE-2017-12738
2017-11-15 08:29:00
CVE-2017-12737
2017-11-15 08:29:00
CVE-2017-12739
2017-11-15 08:29:00

0.011 Low

EPSS

Percentile

84.7%

JSON
Related for PACKETSTORM:144982
zdt1ics1prion3cvelist3nvd3cve3