14 DAY TRIAL // The US Department of Homeland Security (DHS) Industrial Control System Cyber Emergency Response Team (ICS-CERT) has published an advisory to warn organizations of several vulnerabilities that affect all versions of Siemens WinCC TIA (Totally Integrated Automation) Portal V11.
The security holes – uncovered by Billy Rios and Terry McCorkle of Cylance, and several other researchers – cannot be exploited remotely and they require user interaction.
The list of bugs includes insecure password storage, improper input validation, reflected and persistent cross-site scripting (XSS), HTTP response splitting, server-side script injection, and directory traversal.
All the flaws impact the human-machine interface (HMI).
For the time being, ICS-CER is not aware of any exploits targeting the vulnerabilities. However, since the flaws are not difficult to exploit, customers are advised to update their installations to version 12, in which Siemens has addressed all the issues.