ICS Advisory

Siemens WinCC TIA Portal Vulnerabilities

Last Revised
Alert Code
ICSA-13-079-03

Overview

This advisory provides mitigation details for a vulnerability that impacts the Siemens WinCC TIA (Totally Integrated Automation) Portal (HMI). Researchers Billy Rios and Terry McCorkle of Cylance; Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov, and Ilya Karpov from Positive Technologies; and Shawn Merdinger have identified multiple vulnerabilities in Siemens WinCC TIA Portal. Siemens has produced a new software versiona that mitigates this vulnerability.

These vulnerabilities are not exploitable remotely and cannot be exploited without user interaction. An attacker must use social engineering on a valid user or have user credentials.

No known public exploits specifically target this vulnerability.

Affected Products

Siemens reports that the vulnerabilities affect the following versions:

  • WinCC (TIA Portal) V11 (all versions).

Impact

The vulnerabilities affect the HMI’s Web server and the internal password store. Possible attacks require either physical access to the HMI or an authenticated user, so an attacker must either have valid user credentials or must use social engineering as a legitimate user. In addition, the Web server of the system must be enabled for the Web-based vulnerabilities.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

Background

Siemens is a multinational company headquartered in Munich, Germany. Siemens develops products mainly in the energy, transportation, and healthcare sectors.

Siemens WinCC TIA Portal is an HMI software package used as an interface between the operator and the programmable logic controllers (PLCs) controlling the process. It performs the following tasks: process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. This software is used in many industries, including food and beverage, water and wastewater, oil and gas, and chemical.

Vulnerability Characterization

Vulnerability Overview

Insecure Password Storagehttp://cwe.mitre.org/data/definitions/261.html

User credentials for the HMI’s Web application are stored within the HMI’s system. These data are obfuscated in a reversible way and are readable and writable for users with physical access or Sm@rt Server access to the system.

CVE-2011-4515 has been assigned to this vulnerability. A CVSS v2 base score of 4.6 has been assigned; the CVSS vector string is (AV:L/AC:L/Au:N/C:P/I:P/A:P).

Improper Input ValidationCWE-20: Improper Input Validation, http://cwe.mitre.org/data/definitions/20.html, Web site last accessed March 20, 2013.

By manipulating HTTP requests, an authenticated attacker may crash the HMI’s Web application. The Web application will become unavailable until the device is restarted.

CVE-2013-0669 has been assigned to this vulnerability. A CVSS v2 base score of 4.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:S/C:N/I:N/A:P).

Cross-Site ScriptingCWE-79: Improper Neutralization of Input During Web Page Generation, http://cwe.mitre.org/data/definitions/79.html , Web site last accessed March 20, 2013.

The HMI’s Web application is susceptible to stored cross-site scripting attacks. An authenticated user may store data on the Web application that will execute malicious JavaScript when the affected page is accessed by other users.

CVE-2013-0672 has been assigned to this vulnerability. A CVSS v2 base score of 4.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:S/C:N/I:P/A:N).

Directory TraversalCWE-425: Direct Request, http://cwe.mitre.org/data/definitions/425.html, Web site last accessed March 20, 2013.

By manipulating the URL an authenticated attacker may have access to source code of the panel’s server-side Web application files, which may include user defined scripts.

CVE-2013-0671 has been assigned to this vulnerability. A CVSS v2 base score of 4.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:S/C:P/I:N/A:N).

HTTP Response SplittingCWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers, http://cwe.mitre.org/data/definitions/113.html , Web site last accessed March 20, 2013.

If a user clicks on a malicious link that seems to lead to an HMI Web application, it is possible to display data to the user (HTTP response splitting). The attacker does not gain access to the file system.

CVE-2013-0670 has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Server-Side Script InjectionCWE-79: Improper Neutralization of Input During Web Page Generation, http://cwe.mitre.org/data/definitions/79.html, Web site last accessed March 20, 2013.

If a user clicks on a malicious link that seems to lead to an HMI Web application, it is possible to display data to the user (server-side script injection). The attacker does not gain access to the file system.

CVE-2013-0667 has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Reflected Cross-Site ScriptingCWE-79: Improper Neutralization of Input During Web Page Generation, http://cwe.mitre.org/data/definitions/79.html, Web site last accessed March 20, 2013.

The HMI’s Web application is susceptible to reflected cross-site scripting attacks. If a legitimate user clicks on a malicious link, JavaScript code may get executed, and session information may be stolen.

CVE-2013-0668 has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Vulnerability Details

Exploitability

These vulnerabilities are not exploitable remotely and cannot be exploited without user interaction. An attacker must use social engineering on a valid user or have user credentials.

Existence of Exploit

No known public exploits specifically target these vulnerabilities.

Difficulty

An attacker with a low to medium skill would be able to exploit these vulnerabilities.

Mitigation

Siemens addressed these vulnerabilities in their security advisory titled “SSA-212483: Vulnerabilities in WinCC (TIA Portal) V11.”v All vulnerabilities are fixed in the new software version WinCC (TIA Portal) V12. As a workaround to close the Web-based vulnerabilities, the HMI’s Web server may be disabled.

ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

  • Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

Siemens