Vulners
Lucene search
Siemens SICAM RTUs SM-2556 COM Modules XSS / Bypass / Code Execution Vulnerabilities
| Reporter | Title | Published | Views | Family All 25 |
|---|---|---|---|---|
 | Siemens SICAM RTUs SM-2556 COM Modules Authentication Bypass | 8 May 201900:00 | – | nessus |
| Siemens SICAM RTUs SM-2556 COM Modules XSS | 8 May 201900:00 | – | nessus |
| Siemens SICAM RTUs SM-2556 COM Modules Code Injection | 8 May 201900:00 | – | nessus |
 | The vulnerability in GoAhead’s embedded web server software for the COM-module of SICAM RTUs SM-2556 allows a intruder to execute arbitrary code. | 26 Dec 201700:00 | – | bdu_fstec |
 | SICAM RTU SM-2556 COM Module Information Disclosure Vulnerability | 15 Nov 201700:00 | – | cnvd |
| SICAM RTU SM-2556 COM Module Cross-Site Scripting Vulnerability | 15 Nov 201700:00 | – | cnvd |
| SICAM RTU SM-2556 COM Module Arbitrary Code Execution Vulnerability | 15 Nov 201700:00 | – | cnvd |
 | CVE-2017-12737 | 15 Nov 201708:00 | – | cve |
| CVE-2017-12738 | 15 Nov 201708:00 | – | cve |
| CVE-2017-12739 | 15 Nov 201708:00 | – | cve |
10
=======================================================================
title: Authentication bypass, cross-site scripting & code
execution
product: Siemens SICAM RTUs SM-2556 COM Modules
(firmware variants ENOS00, ERAC00, ETA2, ETLS00,
MODi00 and DNPi00
vulnerable version: FW 1549 Revision 07
fixed version: none, see Workaround section below
CVE number: CVE-2017-12737 (authentication bypass)
CVE-2017-12738 (XSS)
CVE-2017-12739 (web server)
impact: critical
homepage: www.siemens.com
found: 2017-08-17
by: SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Siemens is a global powerhouse focusing on the areas of electrification,
automation and digitalization. One of the world's largest producers of
energy-efficient, resource-saving technologies, Siemens is a leading supplier
of systems for power generation and transmission as well as medical diagnosis."
Source: https://www.siemens.com/global/en/home/company/about.html
Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved. The device must not be accessible from
untrusted networks.
Vulnerability overview/description:
-----------------------------------
1) Authentication Bypass (client-side "authentication" enforcement)
The web interface (TCP port 80) suffers from an authentication bypass
vulnerability that allows unauthenticated attackers to access arbitray
functionality and information (i.e. password lists) available through
the webserver.
2) Reflected Cross-Site Scripting
The web interface provides a "ping" functionality. This form is
vulnerable to reflected cross-site-scripting because of missing input
handling and output encoding.
3) Outdated Webserver (GoAhead)
The used webserver version contains known weaknesses.
Proof of concept:
-----------------
1) Authentication Bypass
Use a browser which has JavaScript disabled ("Authentication" checks are
performed client-side) and open legitimate URLs directly.
Examples:
http://<hostname>/start.asp
http://<hostname>/pwliste.asp
http://<hostname>/goform/webforms_readmem?start_addr=0&length=100
2) Reflected Cross-Site Scripting
All parameters in "webforms_ping" are vulnerable to reflected XSS:
http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1
3) Outdated Webserver
The used version of "GoAhead" webserver is 2.1.7 (released in Oct. 2003)
This version has known vulnerabilities:
http://aluigi.altervista.org/adv/goahead-adv3.txt
https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp
Vulnerable / tested versions:
-----------------------------
SM-2556 COM Modules with the firmware variants ENOS00, ERAC00,
ETA2, ETLS00, MODi00 and DNPi00
(FW 1549 Revision 07)
Vendor contact timeline:
------------------------
2017-09-25: Encrypted advisory sent to Siemens ProductCERT
2017-10-02: Requesting status update.
2017-10-09: Vendor states that the "affected device is out of service"
and provides workaround (disable webserver). They are
"still assessing the next steps".
2017-11-02: Requesting status update.
2017-11-06: Siemens ProductCERT will reach out to development team and keep us
posted.
2017-11-08: Siemens ProductCERT prepares advisory.
2017-11-08: Asking about planned release date.
2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14)
2017-11-14: Coordinated public release.
Solution:
---------
No firmware update is available as the device is no longer supported by
the vendor.
# 0day.today [2018-02-16] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Nov 2017 00:00Current
6.7Medium risk
Vulners AI Score6.7
EPSS0.0314