Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Siemens SICAM RTUs SM-2556 COM Modules XSS / Bypass / Code Execution Vulnerabilities

🗓️ 15 Nov 2017 00:00:00Reported by sec-consultType 
zdt
 zdt🔗 0day.today👁 72 Views

Siemens SICAM RTUs SM-2556 COM Modules Authentication Bypass, XSS, Code Execution Vulnerabilitie

Related
Code
=======================================================================
              title: Authentication bypass, cross-site scripting & code
                     execution
            product: Siemens SICAM RTUs SM-2556 COM Modules
                     (firmware variants ENOS00, ERAC00, ETA2, ETLS00,
                     MODi00 and DNPi00
 vulnerable version: FW 1549 Revision 07
      fixed version: none, see Workaround section below
         CVE number: CVE-2017-12737 (authentication bypass)
                     CVE-2017-12738 (XSS)
                     CVE-2017-12739 (web server)
             impact: critical
           homepage: www.siemens.com
              found: 2017-08-17
                 by: SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Siemens is a global powerhouse focusing on the areas of electrification,
automation and digitalization. One of the world's largest producers of
energy-efficient, resource-saving technologies, Siemens is a leading supplier
of systems for power generation and transmission as well as medical diagnosis."

Source: https://www.siemens.com/global/en/home/company/about.html


Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved. The device must not be accessible from
untrusted networks.


Vulnerability overview/description:
-----------------------------------
1) Authentication Bypass (client-side "authentication" enforcement)
The web interface (TCP port 80) suffers from an authentication bypass
vulnerability that allows unauthenticated attackers to access arbitray
functionality and information (i.e. password lists) available through
the webserver.


2) Reflected Cross-Site Scripting
The web interface provides a "ping" functionality. This form is
vulnerable to reflected cross-site-scripting because of missing input
handling and output encoding.


3) Outdated Webserver (GoAhead)
The used webserver version contains known weaknesses.


Proof of concept:
-----------------
1) Authentication Bypass
Use a browser which has JavaScript disabled  ("Authentication" checks are
performed client-side) and open legitimate URLs directly.

Examples:
http://<hostname>/start.asp
http://<hostname>/pwliste.asp
http://<hostname>/goform/webforms_readmem?start_addr=0&length=100


2) Reflected Cross-Site Scripting
All parameters in "webforms_ping" are vulnerable to reflected XSS:
http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1


3) Outdated Webserver
The used version of "GoAhead" webserver is 2.1.7 (released in Oct. 2003)
This version has known vulnerabilities:

http://aluigi.altervista.org/adv/goahead-adv3.txt
https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp



Vulnerable / tested versions:
-----------------------------
SM-2556 COM Modules with the firmware variants ENOS00, ERAC00,
ETA2, ETLS00, MODi00 and DNPi00
(FW 1549 Revision 07)


Vendor contact timeline:
------------------------
2017-09-25: Encrypted advisory sent to Siemens ProductCERT
2017-10-02: Requesting status update.
2017-10-09: Vendor states that the "affected device is out of service"
            and provides workaround (disable webserver). They are
            "still assessing the next steps".
2017-11-02: Requesting status update.
2017-11-06: Siemens ProductCERT will reach out to development team and keep us
            posted.
2017-11-08: Siemens ProductCERT prepares advisory.
2017-11-08: Asking about planned release date.
2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14)
2017-11-14: Coordinated public release.


Solution:
---------
No firmware update is available as the device is no longer supported by
the vendor.


#  0day.today [2018-02-16]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Nov 2017 00:00Current
6.7Medium risk
Vulners AI Score6.7
EPSS0.0314
siemens sicam rtussm-2556 com modulesauthentication bypasscross-site scriptingcode executionfirmware variantscve-2017-12737cve-2017-12738cve-2017-12739critical impactoutdated webserversec consultvulnerability labsecurity reviewuntrusted networks
72