ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Advisory (ICSA-12-030-01A)

Siemens SIMATIC WinCC Vulnerabilities (UPDATE A)

Original release date: April 18, 2012 | Last revised: February 14, 2014

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



Overview

This advisory is a follow-up to a previous advisory titled “ICSA-11-356-01 – Siemens HMI Authentication Vulnerabilities” that was published December 22, 2011, and an alert titled "ICS-ALERT-11-332-02A – Siemens SIMATIC WinCC Flexible Vulnerabilities" that was published December 2, 2011.

ICS-CERT has received reports from independent security researchers Billy Rios, Terry McCorkle, Shawn Merdinger, and Luigi Auriemma detailing several vulnerabilities in the Siemens SIMATIC WinCC Human-Machine Interface (HMI) application. ICS-CERT has coordinated with these researchers and Siemens to validate these vulnerabilities and include mitigation strategies in the latest Siemens service packs.

Affected Products

According to Siemens, the following software packages are vulnerable:

  • WinCC flexible versions 2004, 2005, 2007, 2008
  • WinCC V11 (TIA portal)
  • Multiple SIMATIC HMI panels (TP, OP, MP, Comfort Panels, Mobile Panels)
  • WinCC V11 Runtime Advanced
  • WinCC flexible Runtime.

The following related products are not affected:

  • WinCC V11 (TIA Portal) Basic
  • WinCC V11 (TIA Portal) Runtime Professional
  • WinCC V6.x and V7.x.

Impact

Successful exploitation of these vulnerabilities could allow an attacker to log on to a vulnerable system as a user or administrator with the ability to execute arbitrary code or obtain full access to files on the system.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

Background

Siemens SIMATIC HMI is a software package used as an interface between the operator and the programmable logic controllers (PLCs) controlling the process. SIMATIC HMI performs the following tasks: process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. This software is used in many industries, including food and beverage, water and wastewater, oil and gas, and chemical.

Vulnerability Characterization

Vulnerability Overview

Insecure Authentication Token Generation (#1)

When a user (or administrator) logs on, the application sets predictable authentication token/cookie values. This can allow an attacker to bypass authentication checks and escalate privileges.

CVE-2011-4508 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.

Weak Default Passwords (#2)

The default administrator password is weak and easily brute-forced. Siemens has changed the documentation to encourage users to change the password at first login.

CVE-2011-4509 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.

Cross-Site Scripting Vulnerability (#3)

SIMATIC HMI Smart Options web server is vulnerable to two separate cross-site scripting attacks that may allow elevation of privileges, data theft, or service disruption.

CVE-2011-4510 and CVE-2011-4511 have been assigned to these vulnerabilities. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 4.3.

Header Injection Vulnerability (#4)

The HMI web server is vulnerable to header injection that may allow elevation of privileges, data theft, or service disruption.

CVE-2011-4512 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 4.3.

Client-Side Attack via Specially Crafted Files (#5)

This vulnerability can allow an attacker to execute arbitrary code via specially crafted project files. This may require social engineering to get the operator to download the files and execute them.

CVE-2011-4513 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.

Lack of Telnet Daemon Authentication (#6)

SIMATIC panels include a telnet daemon by default; however, the daemon does not include any authentication functions.

CVE-2011-4514 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 10.0.

String Stack Overflow (#7)

The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not properly validate the length of data segments and Unicode strings, which may cause a stack overflow. This vulnerability may lead to remote code execution.

CVE-2011-4875 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.

Directory Traversal (#8)

The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not properly validate incoming strings. This allows an attacker full access (read, write, and execute) to any file within the file system.

CVE-2011-4876 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 9.3.

Denials of Service (#9)

The runtime loader listens on Ports 2308/TCP or 50523/TCP while transfer mode is activated but does not sufficiently validate incoming data. Multiple vulnerabilities allow a denial-of-service (DoS) attack, which leads to a program crash.

CVE-2011-4877 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 7.1.

Directory Traversal (#10)

The HMI web server does not properly validate URLs within HTTP requests on Ports 80/TCP and 443/TCP. By manipulating URLs with encoded backslashes, directory traversal is possible. This allows an attacker read access for all files within the file system.

CVE-2011-4878 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 7.8.
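As an added defender-side illustration of the encoded-backslash traversal described above (this is not code from the advisory or from Siemens): a request-path normalizer that decodes nested percent-encoding, treats backslashes as path separators, and flags any request that climbs above the web root, run over constructed sample web-server log lines. The log format, client addresses and file names are assumptions.

```python
import re
from urllib.parse import unquote

# Extracts the request path from a common-log-format line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def normalize_request_path(raw_path: str):
    """Return (normalized_path, escaped). Percent-decodes repeatedly so a
    double-encoded %255c is caught, treats '\\' like '/', and resolves '.'
    and '..' segments without letting '..' silently climb past the document
    root the way posixpath.normpath('/../x') would."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):                      # bounded: stops at a fixed point
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    parts, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True              # tried to climb above the web root
        else:
            parts.append(seg)
    return "/" + "/".join(parts), escaped

def flag_traversal(log_lines):
    """Return [(client, raw_path)] for requests whose path escapes the root."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        _, escaped = normalize_request_path(m.group(1))
        if escaped:
            hits.append((line.split()[0], m.group(1)))
    return hits

# Constructed sample log lines (not real traffic) in common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2012:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '10.0.0.7 - - [18/Apr/2012:10:01:09 +0000] "GET /..%5c..%5cconfig.ini HTTP/1.1" 200 92',
    '10.0.0.7 - - [18/Apr/2012:10:01:15 +0000] "GET /img/..%255c..%255cconfig.ini HTTP/1.1" 404 0',
    '10.0.0.9 - - [18/Apr/2012:10:02:00 +0000] "GET /docs/../index.htm HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, path in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

The same normalizer can be applied before serving a file, rejecting any request where `escaped` is true rather than only logging it.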

Arbitrary Memory Read Access (#11)

The HMI web server does not properly validate HTTP requests. By manipulating the first byte within a URL, the server switches to a special interpretation of the URL. This allows an attacker to read the application process memory and perform a DoS attack by specifying invalid memory locations.

CVE-2011-4879 has been assigned to this vulnerability. Siemens’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 8.5.

Vulnerability Details

Exploitability

An attacker would need user interaction to exploit vulnerability #5.

The remaining vulnerabilities can be exploited remotely.

Existence of Exploit

Publicly available exploits are known to specifically target vulnerabilities #1, #2, and #7 through #11.

No known publicly available exploits specifically target vulnerabilities #3 through #6.

Difficulty

These vulnerabilities would be very simple for a skilled attacker to exploit.

Exploiting vulnerability #5 requires social engineering to convince the user to accept and load the malformed file. This decreases the likelihood of a successful exploit.

Mitigation

Each of the reported vulnerabilities has been addressed by Siemens, as follows:

  • Insecure authentication token generation (#1), cross-site scripting (#3), header injection vulnerability (#4), HMI web server directory traversal (#10), and arbitrary memory read access vulnerabilities (#11).
    • Patches are included in Siemens’ WinCC V11 (TIA Portal) SP2 Update 1 and WinCC flexible 2008 SP3.
  • Weak default passwords (#2).
    • Product documentation contained in WinCC V11 (TIA Portal) SP2 Update 1 and WinCC flexible 2008 SP3 has been updated to tell the user how to set a proper password during initial setup.
  • Client-side attack via specially crafted files (#5), runtime loader string stack overflow (#7), runtime loader directory traversal (#8), runtime loader DoS (#9).
    • Siemens recommends that users deactivate the transfer mode after device configuration, because the transfer mode provides full access to the device. The transfer mode was implemented under the assumption that the software would be running in a protected industrial environment. Siemens strongly recommends that users protect systems according to recommended security practices and configure the environment according to the operational guidelines.

--------- Begin Update A Part 1 of 1 -------- 

  • Lack of telnet daemon authentication (#6).
    • Because telnet is a clear text protocol, customers are advised to be aware of corresponding risks. The telnet daemon is disabled by default in product versions WinCC flexible 2008 SP3 and newer, as well as WinCC V11 (TIA Portal) SP2 and newer. Siemens recommends disabling the telnet function on SIMATIC panels when telnet is not actively being used.

ICS-CERT tested WinCC V11 (TIA Portal) SP2 Update 1 and WinCC flexible 2008 SP3 and found that they successfully resolve the following vulnerabilities:

  • Insecure authentication token generation (#1)
  • Cross-site scripting (#3)
  • Header injection vulnerability (#4)
  • HMI web server directory traversal (#10)
  • Arbitrary memory read access vulnerabilities (#11).

The remaining vulnerabilities are addressed in documentation and a new FAQ entry on Siemens’ website. If unable to implement these changes, product users should contact their integrator or Siemens product support for assistance.

--------- End Update A Part 1 of 1 ----------

ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

  • Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in e-mail messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: http://ics-cert.us-cert.gov
For incident reporting: https://ics-cert.us-cert.gov/Report-Incident?
