The Cybersecurity and Infrastructure Security Agency (CISA) announced on Tuesday the identification of various security loopholes in Siemens equipment, used predominantly in critical infrastructure across multiple industries, that hackers can exploit.
CISA notified users of the presence of an incorrect authorization vulnerability in Siemens SIMATIC and TIM equipment, usually deployed across the critical infrastructure industry. Exploitation of this vulnerability allows an unauthenticated attacker to read PLC variables from affected devices under certain circumstances.
The affected Siemens products include all versions before v2.9.2 of the SIMATIC Drive Controller family, all versions before v2.9.2, and all versions earlier than v21.9 of the SIMATIC ET 200SP Open Controller CPU 1515SP PC2, including SIPLUS variants. The CISA advisory also stated that all versions higher than v2 and before v4 of the SIMATIC S7 PLCSIM Advanced were affected.
In addition, SIMATIC S7-1200 CPU products, including SIPLUS variants, Version 4.4; all versions higher than v2.5 and before v2.9.2 of the SIMATIC S7-1500 CPU line, including related ET200 CPUs and SIPLUS variants; all versions higher than v2.5 of the SIMATIC S7-1500 software controller; and TIM 1531 IRC, including SIPLUS NET variants, Version 2.1, have been affected. Users have been advised to update to the latest versions of the software to mitigate threats.
Two vulnerabilities – incorrect calculation of buffer size and improper certificate validation – have been found in Siemens’ LOGO! CMR2020, LOGO! CMR2040 and SIMATIC RTU 3000 hardware. Exploitation of these vulnerabilities could allow an attacker with access to any of the interfaces of an affected device to impact its availability or to communicate using invalid certificates.
All versions prior to v2.2 of LOGO! CMR2020 and LOGO! CMR2040 have also been affected, along with all versions of the SIMATIC RTU 3000 line, CISA said in its advisory. Users have been advised to update to the latest versions to mitigate risks.
Deployed in the critical manufacturing sector, Siemens SINEMA Remote Connect Server hardware has been found to contain modification of assumed-immutable data, improper access control, exposure of sensitive information to an unauthorized attacker, and improper control of interaction frequency vulnerabilities. These weaknesses could allow an unauthorized remote attacker to retrieve or manipulate sensitive information from the affected software. They could also cause a denial-of-service condition in devices controlled by the affected software.
Siemens has released an update for the SINEMA Remote Connect Server and recommends that its users update to v3.0 SP2 or a later version, according to the CISA advisory.
An OS Command Injection vulnerability has been found in Siemens Siveillance OIS equipment, normally found in the critical infrastructure industry, especially commercial and government facilities. The exploitation of this vulnerability could allow a remote unauthenticated attacker to execute code on the affected system with root privileges.
Siemens has released patches and updates for Siveillance OIS to apply to the products that incorporate the OIS service. Siemens recommends updating the OIS to the latest version v2.5.3 or applying the patch, CISA said in its advisory.
The US security agency, CISA, revealed that security vulnerabilities have been identified in other products used in the critical manufacturing industry, such as Siemens SIMATIC CP 343-1 including SIPLUS variants, SIMATIC CP 343-1 Advanced including SIPLUS variants, SIMATIC CP 343-1 ERPC, SIMATIC CP 343-1 Lean including SIPLUS variants, SIMATIC CP 443-1 including SIPLUS variants, and SIMATIC CP 443-1 Advanced including SIPLUS variants.
The vulnerability is an improper restriction of operations within the bounds of a memory buffer, which could allow an attacker to cause the device to become unavailable until the device is restarted. Siemens recommends that affected users limit access to Port 102/TCP to trusted users and systems only.
CISA reported the presence of an authorization bypass through user-controlled key vulnerability in Siemens’ Industrial Edge Management equipment used across the critical infrastructure industry. Using this exposure, an unauthenticated attacker could change the password of any user in the system, allowing the attacker to impersonate any valid user on the affected system. Siemens recommends affected users update to v1.3 or a later version.
A path traversal vulnerability has been identified in Siemens Teamcenter Active Workspace hardware, used in the critical manufacturing sector. The weakness can allow an attacker to bypass certain restrictions, such as direct access, to access other services within the host.
CISA also announced the existence of a use of insufficiently random values vulnerability in the Siemens LOGO! CMR and SIMATIC RTU 3000 hardware, normally deployed in the energy sector. The vulnerability could allow an attacker with network access to the LAN interface of an affected device to hijack an ongoing connection or spoof a new one.
Siemens has identified that users of the LOGO! CMR2020 and CMR2040 can update to v2.2 or later versions to reduce risk, while for users of the SIMATIC RTU 3000 family, Siemens has not identified any additional specific workarounds or mitigations.
An out-of-bounds write vulnerability has also been found in Siemens SIMATIC RFID terminals, which are deployed across the critical infrastructure industry. This vulnerability can allow an attacker to remotely execute code, according to a CISA advisory. Siemens has identified that the use of trusted DNS servers in the internal network, restriction of DNS traffic to this network only through firewalls, and protecting network access to affected devices can help users mitigate risks.
A classic buffer overflow vulnerability has been found in Siemens SIPROTEC 5 relays, which are used in the energy sector. This security weakness could allow an attacker to cause a denial-of-service condition or trigger remote code execution, CISA said in its advisory.
Michael Messner from Siemens Energy reported these vulnerabilities to Siemens. To help users reduce their risk, Siemens has recommended that users update to v8.80 or later of the SIPROTEC 5 relays with CPU variants CP050, CP100, or CP300. The company also advised that users can block access to Port 4443/TCP, such as with an external firewall.
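The port restrictions recommended above (Port 102/TCP for the SIMATIC CP modules, Port 4443/TCP for SIPROTEC 5) can be checked against firewall logs. The following is an added example, not code from Siemens or CISA; the trusted subnets, the iptables-style log format and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Ports named in the Siemens mitigations quoted in this article.
WATCHED_PORTS = {102: "SIMATIC CP 343-1/443-1", 4443: "SIPROTEC 5"}

# Assumption: engineering/management subnets allowed to reach these ports.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24"),
                ipaddress.ip_network("fd00:20::/64")]

# Assumption: iptables-style LOG lines; adapt the pattern to your firewall.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Jun 01 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=10.20.0.15 DST=10.30.0.5 LEN=60 PROTO=TCP SPT=50112 DPT=102
Jun 01 10:00:07 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.30.0.5 LEN=60 PROTO=TCP SPT=41022 DPT=102
Jun 01 10:01:12 fw kernel: IN=eth0 OUT=eth1 SRC=10.20.0.99 DST=10.30.0.9 LEN=60 PROTO=TCP SPT=50400 DPT=4443
Jun 01 10:02:30 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.4 DST=10.30.0.9 LEN=60 PROTO=TCP SPT=33890 DPT=4443
Jun 01 10:03:00 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.30.0.5 LEN=48 PROTO=UDP SPT=41022 DPT=102
Jun 01 10:03:05 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.30.0.5 LEN=60 PROTO=TCP SPT=41030 DPT=443
"""

def is_trusted(addr):
    """True if addr lies inside one of the trusted subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def untrusted_hits(log_text):
    """Return (src, dst, port) for TCP traffic to a watched port from outside TRUSTED_NETS."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP":
            continue
        port = int(m["dpt"])
        if port not in WATCHED_PORTS:
            continue
        try:
            trusted = is_trusted(m["src"])
        except ValueError:
            trusted = False  # unparseable source address: treat as untrusted
        if not trusted:
            hits.append((m["src"], m["dst"], port))
    return hits

if __name__ == "__main__":
    for src, dst, port in untrusted_hits(SAMPLE_LOG):
        print(f"untrusted {src} -> {dst}:{port}/tcp ({WATCHED_PORTS[port]})")
```

Any hit means the firewall policy still lets a source outside the trusted subnets reach the restricted port, or that the log line records a blocked attempt worth reviewing.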
CISA also released advisories on the presence of security vulnerabilities in Siemens’ Teamcenter Active Workspace, APOGEE and TALON, SIMATIC CP, Simcenter STAR-CCM+ Viewer, and Simcenter Femap. The German company has released mitigations that will help customers reduce their exposure to these security loopholes.
Last month, Siemens also disclosed the presence of several security vulnerabilities in Siemens equipment deployed across the critical infrastructure industry, including in its JT2Go, Teamcenter Visualization equipment, and Automation License Manager hardware.