14 DAY TRIAL // A total of three vulnerabilities have been removed by Siemens from the iOS version of SIMATIC WinCC Sm@rtClient, mitigating the risk of a potential attacker to extract access credentials under certain conditions.
SIMATIC WinCC Sm@rtClient, along with the Sm@rtServer solution, has been designed as an easy way to control from a mobile device the SIMATIC HMI (human machine interface) used for managing Industrial Control Systems (ICS).
The current update released by Siemens is available from Apple Store and addresses security flaws that affect all versions of the client lower than 1.0.2, including the Lite edition.
All three glitches have received a CVSS base score of 4.6 and an overall score of 3.6. One of them, identified as CVE-2014-5231, refers to the way the application password was stored, which created the possibility to extract the sensitive information if local access was gained.
Another one, tracked as CVE-2014-5232, consists in the fact that the user would not be prompted to re-enter the password if the app was resumed from the background.
In the third case (CVE-2014-5233), an individual could be able to extract the credentials from the Sm@rtServer part of the app.
It is worth noting that local access is required for someone to take advantage of any of the three flaws. Users are advised to install the latest versions of the app in order to mitigate the security risks.
