WinCC has been updated with fixes in July

Oct 8, 2014 23:45 GMT  ·  By

Multiple serious security risks have been eliminated by Siemens from SIMATIC PCS7, which integrated a vulnerable version of the WinCC administration application; the most severe of the flaws would allow an attacker with access to the server to escalate privileges.

An update to version 8.1 of the SIMATIC PCS7 distributed control system was released by the company on Tuesday, removing a set of five vulnerabilities.

The security flaws affect WinCC, which received an update with a fix back in July, but SIMATIC PCS7 could not benefit from the patched release at the time.

Unauthorized privilege escalation patched

The worst of the glitches is identified as CVE-2014-4686 and consists of leveraging a hard-coded encryption key to gain higher-level privileges on the system. This would be possible if an attacker captured the network communication of a legitimate user on TCP port 1030.

An additional two privilege escalation bugs, tracked as CVE-2014-4684 and CVE-2014-4683, have been patched. In both cases, user authentication is required.

On the other hand, sensitive information could be accessed without authentication through WinCC Web Navigator by sending certain HTTP requests to TCP ports 80 and 443. The security flaw leveraged in this case would be CVE-2014-4682.

The security advisory from Siemens also makes reference to another flaw, identified as CVE-2014-4685, which has a severity score of 4.6, the lowest of all; this does not make it less significant, though.

According to the information from the company, it allows a local user with access permissions on system objects to achieve limited privilege escalation within the operating system.

Some mitigation measures can be applied permanently

Since in July Siemens could not perform an update on the WinCC version present in SIMATIC PCS7, the company issued a number of mitigation techniques at the time.

These included limiting access to WebNavigator only to trusted networks and clients, making sure that the necessary mechanism for validating the clients was in place and worked properly, restricting access to the WinCC database server at port 1433/TCP to trusted entities, ensuring encrypted communication channels to the WinCC server, and disabling any operating system services that are not required on the WinCC server.

At the time, ICS-CERT also issued some recommendations, which should be adopted on a permanent basis, not just when new vulnerabilities are discovered, since they reduce the risk of an unauthorized individual gaining access to the systems or obtaining restricted information.

On the list of best practices are minimizing the network exposure of the control system devices and using secure methods for remote access, such as Virtual Private Networks (VPN).
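One way to check that the "trusted networks only" mitigation above and the ICS-CERT advice on minimizing network exposure are actually holding is to audit firewall logs for allowed connections to the WinCC-related ports the article names (80, 443, 1030 and 1433/TCP) from outside the trusted subnets. The script below is an added example, not code from Siemens or ICS-CERT; the trusted subnets, the log line format and the log lines themselves are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# TCP ports on the WinCC server mentioned in the coverage above (assumption:
# these are the ports the server exposes to the plant network):
#   80/443  WinCC Web Navigator (CVE-2014-4682, unauthenticated disclosure)
#   1030    channel whose capture enables CVE-2014-4686
#   1433    WinCC database server (Microsoft SQL Server)
WINCC_PORTS = {80: "WebNavigator HTTP", 443: "WebNavigator HTTPS",
               1030: "WinCC TCP 1030", 1433: "WinCC database (MSSQL)"}

# Hypothetical trusted networks: the operator and engineering subnets only.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.1.0/24", "10.10.2.0/24")]

Finding = namedtuple("Finding", "src dst_port service")

def is_trusted(src_ip):
    """True when the source address lies inside one of the trusted subnets."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def parse_line(line):
    """Parse one constructed firewall log line of the form
    '<timestamp> <ALLOW|DROP> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>'.
    Returns (action, src_ip, dst_port) or None for lines in another shape."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "TCP" or fields[4] != "->":
        return None
    src_ip, _ = fields[3].rsplit(":", 1)
    _, dst_port = fields[5].rsplit(":", 1)
    return fields[1], src_ip, int(dst_port)

def audit(lines):
    """Report allowed connections to WinCC ports that came from untrusted sources."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, src_ip, dst_port = parsed
        if action != "ALLOW" or dst_port not in WINCC_PORTS:
            continue
        if not is_trusted(src_ip):
            findings.append(Finding(src_ip, dst_port, WINCC_PORTS[dst_port]))
    return findings

# Constructed sample log: two entries should be flagged (the 192.168.77.9 and
# 172.16.3.4 sources); the others are trusted, dropped, or not WinCC ports.
SAMPLE_LOG = [
    "2014-10-08T10:00:01 ALLOW TCP 10.10.1.15:50211 -> 10.10.0.5:1433",
    "2014-10-08T10:00:02 ALLOW TCP 192.168.77.9:41000 -> 10.10.0.5:80",
    "2014-10-08T10:00:03 ALLOW TCP 172.16.3.4:42000 -> 10.10.0.5:1030",
    "2014-10-08T10:00:04 DROP TCP 203.0.113.7:55555 -> 10.10.0.5:443",
    "2014-10-08T10:00:05 ALLOW TCP 10.10.2.8:43000 -> 10.10.0.5:3389",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"untrusted source {f.src} reached {f.service} (port {f.dst_port})")
```

Feed it real firewall exports in the same field order (or adapt `parse_line`) and any finding is a point where the mitigation is not being enforced.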