Rash of security vulnerabilities found in Siemens equipment deployed across critical infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) revealed Tuesday the presence of several security vulnerabilities in Siemens equipment deployed across multiple critical infrastructure sectors.

CISA warned users of Siemens’ JT2Go and Teamcenter Visualization equipment of the detection of security vulnerabilities that allow ‘use after free,’ ‘out-of-bounds write,’ ‘out-of-bounds read,’ and ‘NULL pointer dereference.’ The exploitation of these flaws could allow an attacker to crash an application or execute arbitrary code. The Siemens products affected include all versions of JT2Go prior to v13.2.0.1 and all versions of Teamcenter Visualization prior to v13.2.0.1.

Mat Powell and Brian Gorenc of Trend Micro’s Zero Day Initiative, Kai Wang from Codesafe Team of Legendsec at Qi’anxin Group, and Open Design Alliance reported these vulnerabilities to CISA. Siemens released updates for the JT2Go, and users were advised to update to v13.2.0.1 or later, and for the Teamcenter Visualization, updating to v13.2.0.1 or later (login required) would mitigate risks. It is also recommended that users avoid opening untrusted files from unknown sources in JT2Go and Teamcenter Visualization.

Siemens equipment, Automation License Manager, has been found to contain an ‘uncontrolled resource consumption’ vulnerability that when breached could cause a denial-of-service condition, preventing legitimate users from accessing the system. The flaw could enable sending specially crafted packets to Port 4410/TCP of an affected system, leading to extensive memory consumption and a denial-of-service condition, preventing legitimate users from accessing the system. 

All versions of the Automation License Manager 5, and all versions of the Automation License Manager 6 prior to v6.0 SP9 Update 2 are affected. Siemens reported this vulnerability to CISA, and recommended that users update to v6.0 SP9 Update 2 or later of Automation License Manager 6.

Siemens equipment, SINEC NMS, was also found to contain an ‘OS Command Injection’ vulnerability, which when exploited could allow an authenticated remote hacker with system privileges to execute arbitrary code on the system under certain conditions. The affected application incorrectly neutralizes special elements when creating batch operations, which could lead to command injection. An authenticated remote attacker with administrative privileges could exploit this vulnerability to execute arbitrary code. All versions of SINEC NMS prior to v1.0 SP2 have been affected. 

Noam Moshe from Claroty reported this vulnerability to CISA. Siemens released updates for the SINEC NMS, and users were advised to update to v1.0 SP2 or later version. 

Siemens also reported to the CISA identification of ‘missing encryption of sensitive data’ vulnerability in its SIMATIC and SINUMERIK equipment. Exploitation could lead to unauthorized access to sensitive data, privilege escalation, and configuration change. 

The German conglomerate recommended users update to the latest software version of SIMATIC IPC627E by updating BIOS to v25.02.10, SIMATIC IPC647E updating BIOS to v25.02.10, SIMATIC IPC677E updating BIOS to v25.02.10, and SIMATIC IPC847E updating the BIOS to v25.02.10.

Used in multiple critical infrastructure sectors, Siemens equipment SGT was found to contain an ‘out-of-bounds write’ vulnerability that could lead to remote code execution. A DNS client stack-based buffer overflow in ipdnsc_decode_name() affects Wind River VxWorks v6.5 through v7. A CVSS v3 base score of 9.8 has been calculated. Siemens reported to CISA that these products are affected by the vulnerability when using some third-party components.

Updates are for affected Rockwell Automation / Allen Bradley components in use within Siemens products. Rockwell Security Advisory PN1564 (login required) was issued for affected parts and software/firmware updates. Some updates may not be compatible with other components in the system. 

Siemens equipment SIMATIC has been found to contain ‘out-of-bounds read’ and ‘use after free’ vulnerabilities that could allow a remote attacker to access sensitive information and execute arbitrary code.

The affected Siemens products include all versions prior to v3.0 of the SIMATIC NET CP 1543-1 including SIPLUS NET variants, and all versions of the SIMATIC NET CP 1545-1. Siemens reported these vulnerabilities to CISA, and recommended that users update to the v3.0 or later of the SIMATIC NET CP 1543-1, including SIPLUS NET variants. 

Solid Edge, which is Siemens equipment used in the critical manufacturing sector, has been found to contain ‘improper restriction of XML external entity reference,’ ‘use after free,’ and ‘access of uninitialized pointer’ vulnerabilities. Currently affecting all versions of Solid Edge SE2021 prior to SE2021MP7. These security vulnerabilities could lead the application to crash, or to arbitrary code execution and data extraction on the target host system.

Xina1i, working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to CISA. Siemens has released updates for Solid Edge SE2021 products by updating to SE2021MP7 or later version. Users were also advised to reduce risk by avoiding open files from unknown sources in Solid Edge.

Siemens SIMATIC S7-1200 devices were found to contain the improper authentication vulnerability, which could allow an attacker using TIA Portal v17 or later versions to bypass authentication and download arbitrary programs to the PLC. The affected devices fail to authenticate against configured passwords when provisioned using TIA Portal v13. This could allow an attacker using TIA Portal v17 or later versions to bypass authentication and download arbitrary programs to the PLC. The vulnerability does not occur when TIA Portal v13 SP1 or later version was used to provision the device.

A CVSS v3 base score of 8.1 has been calculated. Jian Gao reported this vulnerability to Siemens. The company released updates for the S7-1200 CPU family including SIPLUS variants with updates to v4.5.1 or later versions becoming available. 

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.