Exploit for one of the vulnerabilities exists

Feb 10, 2015 12:34 GMT  ·  By

Siemens has released an update for its WinCC software that fixes two previously disclosed vulnerabilities, which would allow an attacker to execute code on, or extract data from, the industrial control systems that integrate the component.

The flaws have been known to the vendor since November 2014, when a patch was released that mitigated the risk only in some of the affected products. At that time, exploits were already believed to be available in the wild, since one of the flaws had been employed in a malicious campaign.

Attackers could execute code remotely

Tracked as CVE-2014-8551, the first vulnerability allows an unauthenticated remote attacker to execute arbitrary code. The attack is carried out by sending specially crafted packets to the WinCC server.

It received the maximum severity score under the Common Vulnerability Scoring System (CVSS), since it requires no authentication and even a low-skilled attacker could take advantage of it.

The other flaw, identified as CVE-2014-8552, is less critical, but its importance should not be overlooked. It resides in a WinCC component and would allow a threat actor to extract arbitrary files from the WinCC server by delivering a maliciously crafted packet.

The products affected by the two vulnerabilities are SIMATIC WinCC (7.0 SP3, 7.2 Update 9 and 7.3 Update 2, including earlier releases), SIMATIC PCS 7 (7.1 SP4, 8.0 SP2 and 8.1, including previous versions that integrate a vulnerable WinCC) and TIA Portal 13 Update 6 and earlier revisions.

Mitigation steps provided until patch can be applied

Applying the update is of utmost importance, since WinCC is used in industrial control systems in critical sectors such as energy, chemical facilities, oil, gas and water.

However, if updating cannot be done at the moment, Siemens recommends a few mitigating solutions in an updated advisory released to the public on Monday.

Administrators should make sure that the WinCC server and the engineering stations are part of a trusted network and can only be accessed by trusted hosts. Communication between the server and the stations should be encrypted, either through the built-in WinCC feature or via a VPN (virtual private network).
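One way to verify the "trusted hosts only" part of this mitigation is to audit who actually reached the WinCC server. The script below is an added example, not Siemens' code or part of the advisory: it parses a connection log and flags any accepted connection to the server from a source outside an allow list of trusted networks. The log format, the addresses, the CIDR ranges and the port numbers are all constructed for the example.

```python
"""Allow-list audit of access to a WinCC server (added example, not Siemens' code).

Siemens' interim mitigation requires that the WinCC server and the engineering
stations sit in a trusted network and are reachable only by trusted hosts. This
script checks a connection log against such an allow list and reports any
accepted connection to the server from an untrusted source. The log format,
addresses, network ranges and ports below are assumptions built for the example.
"""
import ipaddress

# Assumed trust boundary: engineering-station subnet plus one PCS 7 server.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.1.0/24"),   # engineering stations (assumed)
    ipaddress.ip_network("10.20.2.10/32"),  # PCS 7 OS server (assumed)
]
WINCC_SERVER = ipaddress.ip_address("10.20.2.5")  # WinCC server address (assumed)

# Constructed sample log: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2015-02-10T12:01:05Z 10.20.1.15 -> 10.20.2.5:1433 ACCEPT
2015-02-10T12:01:07Z 10.20.2.10 -> 10.20.2.5:135 ACCEPT
2015-02-10T12:02:40Z 192.168.50.7 -> 10.20.2.5:1433 ACCEPT
2015-02-10T12:03:12Z 10.20.1.15 -> 10.20.2.99:80 ACCEPT
2015-02-10T12:04:00Z 172.16.0.3 -> 10.20.2.5:135 DROP
malformed line that should be skipped
"""


def parse_line(line):
    """Return (timestamp, src, dst, port, action) or None if the line is unparsable."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    ts, src, _, dst_port, action = parts
    try:
        dst, port = dst_port.rsplit(":", 1)
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(port), action)
    except ValueError:
        # Bad IP literal or non-numeric port: skip rather than crash the audit.
        return None


def is_trusted(addr, networks=TRUSTED_NETWORKS):
    """True if addr falls inside any of the trusted networks."""
    return any(addr in net for net in networks)


def untrusted_access(log, server=WINCC_SERVER, networks=TRUSTED_NETWORKS):
    """Return (timestamp, source, port) for accepted connections to the WinCC
    server that originate outside the trusted networks. Dropped connections and
    traffic to other hosts are ignored; the point is to find what got through."""
    findings = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, action = rec
        if dst == server and action == "ACCEPT" and not is_trusted(src, networks):
            findings.append((ts, str(src), port))
    return findings


if __name__ == "__main__":
    for ts, src, port in untrusted_access(SAMPLE_LOG):
        print(f"{ts} untrusted host {src} reached the WinCC server on port {port}")
```

In the sample log only the connection from 192.168.50.7 is reported: the two other sources are inside the allow list, the connection to 10.20.2.99 is not to the WinCC server, and the attempt from 172.16.0.3 was dropped by the firewall. Pointing the script at real firewall or flow logs turns the advisory's "trusted entities only" requirement into something that can be checked rather than assumed.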