Not all products benefit from the patches right away

Jul 26, 2014 07:57 GMT  ·  By

A batch of five security vulnerabilities discovered in Siemens’ SIMATIC industrial automation software, four of them exploitable remotely, has been patched by the company through a software update.

An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) explains that the flaws reside in the SIMATIC WinCC product, which is a SCADA (supervisory control and data acquisition) system.

Four of the five vulnerabilities could be exploited remotely by an attacker, but only three of them allow privilege escalation this way; they are identified as CVE-2014-4683, CVE-2014-4684 and CVE-2014-4686.

A fourth privilege escalation flaw, identified as CVE-2014-4685, requires local access to the system.

It is worth mentioning that in the case of CVE-2014-4686, an attacker with network access to the WinCC server could obtain higher privileges by capturing the communication of a legitimate user on port 1030/TCP, because the traffic is protected with a hard-coded cryptographic key.

Unauthenticated access to sensitive data through specially crafted HTTP requests is the fifth flaw, designated CVE-2014-4682.

All versions of SIMATIC WinCC are affected except version 7.3, which Siemens has recently released specifically to address the vulnerabilities; it can be ordered through the customer support website.

Since SIMATIC PCS 7 integrates WinCC, it is also affected by the flaws, but in this case customers have to wait a few months for version 8.1, which will contain the patches.

In the meantime, they can take some measures to mitigate the risk: allowing access to the WebNavigator server only from trusted networks and clients, enforcing proper authentication (client certificates), restricting access to the WinCC database server on port 1433/TCP to trusted entities, and making sure that communication between clients and servers is protected.
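The network-restriction part of those measures, expressed as Windows Firewall rules on the WinCC/PCS 7 server. This is an added example and not guidance from Siemens or ICS-CERT; it assumes the WebNavigator site is served on 443/TCP, that the trusted operator/engineering network is 10.10.20.0/24, and it additionally limits port 1030/TCP (the port named for CVE-2014-4686) to the same clients, which goes beyond the measures Siemens lists. Adjust the ports and subnet to your site before running it as an administrator.

```powershell
# Added example (not Siemens or ICS-CERT code): restrict the WinCC server's
# exposed services to trusted clients with Windows Firewall (Windows 8 /
# Server 2012 or newer NetSecurity cmdlets). Run from an elevated prompt.

# Assumptions, adjust to your site:
$TrustedClients = @('10.10.20.0/24')  # assumption: operator/engineering subnet
$WebNavPort     = '443'               # assumption: WebNavigator served over HTTPS
$SqlPort        = '1433'              # WinCC database server (from the advisory)
$WinCcPort      = '1030'              # port named for the CVE-2014-4686 traffic capture

# Weak state: a broad allow rule for the database port, as is often left behind
# by installers, is what makes 1433/TCP reachable from the business network.
# Remove any such rule before adding scoped ones (name is an assumption).
Get-NetFirewallRule -DisplayName 'WinCC SQL Allow Any' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Windows Firewall evaluates Block rules before Allow rules, so do not add a
# blanket Block for these ports (it would also cut off the trusted subnet).
# Instead make the default inbound action Block and allow only what is needed.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Hardened state: explicit inbound allow rules scoped to the trusted addresses.
$Rules = @(
    @{ Name = 'WinCC WebNavigator (trusted clients)'; Port = $WebNavPort },
    @{ Name = 'WinCC SQL Server (trusted clients)';   Port = $SqlPort    },
    @{ Name = 'WinCC 1030/TCP (trusted clients)';     Port = $WinCcPort  }
)
foreach ($r in $Rules) {
    # Recreate the rule so re-running the script yields a known state.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
        -LocalPort $r.Port -RemoteAddress $TrustedClients -Action Allow `
        -Profile Domain,Private | Out-Null
}

# Check: list every enabled inbound rule touching the three ports together with
# the remote addresses it admits. Anything showing "Any" here is still exposed.
$Ports = @($WebNavPort, $SqlPort, $WinCcPort)
Get-NetFirewallPortFilter | Where-Object { $Ports -contains $_.LocalPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-42} {1,-5} {2,-6} {3}' -f $_.DisplayName, $port, $_.Action, $addr
    }
```

The final listing is the part worth keeping as a recurring check: a rule for 1433/TCP whose remote address column reads "Any" means the database server is still reachable from untrusted networks regardless of the new rules. The client-certificate requirement mentioned above is a setting of the web server hosting WebNavigator, not a firewall rule, and is not covered here.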

The ICS-CERT advisory page provides a set of measures that asset owners can apply to mitigate cyber security risks in general. These are in line with those offered by Siemens to prevent compromise of SIMATIC PCS 7:

“- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”