14 DAY TRIAL // A set of four vulnerabilities have been patched in Simatic Step 7, which could allow a potential attacker the possibility to learn user passwords, escalate privileges or intercept industrial communication.
Simatic Step is an automation system from Siemens that allows the creation of programmable logic control programs used in industrial production. It can also be used to program standard computers equipped with WinAC RTX.
Privilege escalation for TIA project files
One of the glitches, identified as CVE-2015-1355, refers to poor protection of the user passwords on the device, due to use of a weak hashing algorithm.
According to a security advisory from the company, an attacker with read access to the project file would be able to reconstruct the user log-in passwords.
The same bulletin informs that another vulnerability, tracked as CVE-2015-1356, permits modification of the permissions users have for TIA (totally integrated automation) project files. Siemens says that for the privileges to become active a user needs to be tricked into downloading the project file.
Both of these security flaws have a low severity score as per the Common Vulnerability Scoring System (CVSS), 2.1 and 2.6, respectively.
Risk intercepting industrial communication
However, in an advisory published on Tuesday, Siemens reported a more severe fault (CVE-2015-1601) that could allow hijacking and altering industrial communication on TCP port 102.
An attacker that has access to the network path could resort to the man-in-the-middle technique to interpose between the client and the server in order to achieve their goal. The CVSS base score for this one is 5.8.
The fourth vulnerability (CVE-2015-1602) patched by Siemens is once again related to the TIA project files and passwords. By leveraging the glitch, the attacker would be able to discover “protection-level passwords or web server passwords,” the company says.
None of the flaws currently patched by Siemens with the release of Update 1 for Simatic Step 7 v13 SP1 can be exploited remotely and the threat actor must already have local access to the TIA project files or to the network path between the client and the server.
The general recommendation is to protect access to the network through segmentation (firewalls, DMZs, VPN access), physical security and ensuring system integrity by implementing security mechanisms for safe access to the systems in the network.