ICS Advisory

Siemens FactoryLink Multiple ActiveX Vulnerabilities

Alert Code: ICSA-11-343-01

Overview

ICS-CERT originally released Advisory ICSA-11-343-01P on the US-CERT secure portal on December 09, 2011. This web page release was delayed to allow users time to download and install the update.

Researcher Kuang-Chun Hung of Taiwan’s Information and Communication Security Technology Center (ICST) has identified two vulnerabilities affecting ActiveX components in the Siemens Tecnomatix FactoryLink application. The report included buffer overflow and data corruption vulnerabilities. NVD entry: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4055

ICS-CERT has coordinated with Siemens; Siemens has released a patch that addresses the identified vulnerabilities. ICS-CERT has confirmed that the Siemens patch resolves the reported vulnerabilities.

Affected Products

The following Siemens Tecnomatix FactoryLink versions are affected:

  • V8.0.2.54
  • V7.5.217 (V7.5 SP2)
  • V6.6.1 (V6.6 SP1).

Impact

Successful exploitation of the reported vulnerabilities could allow an attacker to perform malicious activities including denial of service and arbitrary code execution.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

Background

Siemens Tecnomatix FactoryLink software is used for monitoring and controlling industrial processes. FactoryLink is used to build applications such as human-machine interface systems.

FactoryLink is implemented across a variety of industrial processes including oil and gas, chemicals, food and beverage, and building automation.

Siemens has announced that FactoryLink is now considered a mature product and will not offer FactoryLink after December 2012.

Reference: Important Information for Siemens FactoryLink Customers (July 2007). Retrieved November 21, 2011, from FactoryLink Supervisory Control and Data Acquisition: Siemens PLM Software: http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml, website last accessed January 04, 2012.

Vulnerability Characterization

Buffer Overflow Vulnerability Overview

This vulnerability is exploited by inputting a long string to a specific parameter causing a buffer overflow that could allow the execution of arbitrary code.

CVE-2011-4055 has been assigned to this vulnerability. Siemens’ assessment of the vulnerability using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 7.7.

Vulnerability Details

Exploitability

This vulnerability is remotely exploitable. Social engineering is required to convince the user to go to a manipulated website. This decreases the likelihood of a successful exploit.

Existence of Exploit

No publicly known exploits specifically target this vulnerability.

Difficulty

An attacker with moderate skill level could exploit this vulnerability. Social engineering is required to convince the user to go to a manipulated website. This decreases the likelihood of a successful exploit.

Data Corruption Vulnerability Overview

This vulnerability is exploited by inputting arbitrary data, causing a file save to any specified location on the target system.

CVE-2011-4056 has been assigned to this vulnerability. Siemens’ assessment of the vulnerability using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 7.7.

Exploitability

This vulnerability is remotely exploitable. Social engineering may be required to execute a remote exploit via a manipulated file or web page.

Existence of Exploit

No publicly known exploits specifically target this vulnerability.

Difficulty

An attacker with moderate skill level could exploit the vulnerabilities.

Mitigation

Siemens has released a patch to its customers to address these vulnerabilities. Customers of vulnerable versions of Siemens Tecnomatix FactoryLink should deploy the Siemens patch available at: http://www.usdata.com/sea/factorylink/en/p_nav5.asp

For more information, please see Siemens’ Security Advisory announcement.

In addition to the patch released by Siemens, Microsoft has released a kill bit to address the ActiveX vulnerabilities. Customers of vulnerable versions of Siemens Tecnomatix FactoryLink should install the Microsoft update referenced in the Microsoft Security Advisory 2562937.
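One way to confirm that a kill bit is actually in place on a host, as an added example that is not part of the original advisory: the PowerShell function below (a hypothetical helper named `Test-ActiveXKillBit`) reads the `Compatibility Flags` value under Internet Explorer's `ActiveX Compatibility` key in both the native and 32-bit registry views and reports whether bit `0x00000400` is set. The advisory does not list the affected CLSIDs, so the value in the usage comment is a placeholder; take the real ones from Microsoft Security Advisory 2562937.

```powershell
# Added example, not from the advisory: audit ActiveX kill bits on a Windows host.
# A kill bit is bit 0x00000400 of the "Compatibility Flags" DWORD stored under
#   ...\Internet Explorer\ActiveX Compatibility\{CLSID}

$KillBit = 0x00000400

# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view,
# so a kill bit set in only one view leaves the other browser exposed.
$Roots = [ordered]@{
    'Native' = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    'WOW64'  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)][string[]]$Clsid
    )
    foreach ($id in $Clsid) {
        # Reject anything that is not a GUID before building a registry path from it.
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($id.Trim('{}'), [ref]$guid)) {
            Write-Warning "Skipping malformed CLSID: $id"
            continue
        }
        $name = '{' + $guid.ToString().ToUpper() + '}'

        foreach ($view in $Roots.Keys) {
            $root = $Roots[$view]
            if (-not (Test-Path -LiteralPath $root)) { continue }   # e.g. no WOW64 view on 32-bit Windows

            $key   = Join-Path $root $name
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $prop  = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($prop) { $flags = $prop.'Compatibility Flags' }
            }

            [pscustomobject]@{
                Clsid      = $name
                View       = $view
                Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

# Usage (placeholder CLSID, replace with the values from the Microsoft advisory):
# Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table
```

A row with `KillBitSet` equal to `False` in either view means Internet Explorer of that bitness can still instantiate the control on that host.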

ICS-CERT encourages asset owners to take the following additional defensive measures to protect against this and other cybersecurity risks.

  • Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

The Control Systems Security Program (CSSP) also provides a section for control system security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in e-mail messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Vendor

Siemens