Siemens Patches Five Vulnerabilities in SIMATIC WinCC for PCS 7

Type threatpost
Reporter Chris Brook
Modified 2014-10-14T18:40:18


Siemens has patched five vulnerabilities in its SIMATIC PCS 7 system that could result in privilege escalation and give an attacker unauthenticated access to sensitive data.

The flaws technically exist in WinCC, a SCADA (supervisory control and data acquisition) and HMI (human-machine interface) system that is usually integrated into the SIMATIC environment.

Siemens patched the WinCC bugs in July with V7.3, but this is the first time the bugs have been addressed as they pertain to the PCS 7 system. The company held off on remedying the vulnerabilities until they pushed the latest version (V8.1) of the distributed control system this week.

According to a security advisory updated by Siemens today, by far the most troublesome of the five vulnerabilities relates to a hard-coded encryption key that could have allowed privilege escalation in the WinCC Project administration application. Remote attackers could have obtained sensitive information by extracting this key from another product installation and using it during the sniffing of network traffic on TCP port 1030.

Two other problems stem from WinCC’s WebNavigator server. The way it’s implemented at port 80/TCP and port 443/TCP could allow unauthenticated access to sensitive data if it’s hit with a special HTTP request (CVE-2014-4682), or allow remote authenticated users to escalate their privileges (CVE-2014-4683).

Other vulnerabilities involving WinCC’s database server (CVE-2014-4684) and the way it handles access permissions (CVE-2014-4685) also affected the system.

Researchers Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai from Positive Technologies discovered and coordinated the disclosure of all but one of the vulnerabilities.

Siemens released a handful of mitigations when it initially patched WinCC back in July for those running it on PCS 7 to follow until it released a patch for the issues this week. If for some reason users can’t patch their systems immediately, most of, if not all of those should still ring true.