CISA discloses presence of ICS vulnerabilities in various Siemens products, Datakit, Mitsubishi Electric

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued 16 cybersecurity recommendations on Thursday, warning of the presence of ICS (industrial control system) hardware vulnerabilities across various Siemens product lines, Datakit and Mitsubishi Electric. The agency also published an ICS medical advisory covering the presence of vulnerabilities in B. Braun Melsungen. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA said in an advisory that a remotely exploitable vulnerability with low attack complexity has been found in B. Braun Melsungen’s Battery Pack SP with Wi-Fi equipment. The equipment is deployed across the healthcare and public health sector, and CISA revealed that the identified vulnerability is an improper neutralization of directives in dynamically evaluated code.

“Successful exploitation of this vulnerability could allow a sophisticated and authenticated attacker to compromise the security of the Space communication device Battery Pack SP with Wi-Fi. An attacker could escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution,” the advisory added.

An improper neutralization of directives in dynamically evaluated code vulnerability in the Wi-Fi Battery embedded web server versions L90/U70 and L92/U92 can be used to gain administrative access to the Wi-Fi communication module, the agency revealed. “An authenticated user, having access to both the medical device Wi-Fi network (such as a biomedical engineering staff member) and the specific B. Braun Battery Pack SP with Wi-Fi web server credentials, could gain administrative (root) access on the infusion pump communication module. This could be used as a vector to launch further attacks,” it added.

Tom Johnston, a cybersecurity consultant, reported this vulnerability to B. Braun, which released software updates to mitigate the reported vulnerabilities. These include Battery Pack SP with Wi-Fi software 053L000093 (global) / 054U000093 (U.S.). The advisory added that facilities in Canada using U versions of the software should follow the U.S. version, while facilities in Canada using non-U versions should follow the global version.

The infusion pumps are not directly affected, the advisory added. “However, the interrupted network communication might prevent certain features of the device from functioning properly. Specifically, an impacted device may be unable to receive infusion orders from EMR/PDMS systems, receive a drug library update, or communicate with DoseTrac.”

Siemens’ Adaptec maxView application, deployed across multiple critical infrastructure sectors, includes a security loophole that exposes sensitive information to an unauthorized actor, CISA reported. “Successful exploitation of this vulnerability could allow a local attacker to decrypt intercepted local traffic between the browser and the application. A local attacker could perform a machine-in-the-middle attack to modify data in transit,” the advisory added.

The Adaptec maxView application uses a non-unique TLS certificate across installations to protect communication from the local browser to the local application on affected Siemens devices. A local attacker could use this key to decrypt intercepted local traffic between the browser and the application and could perform a machine-in-the-middle attack to modify data in transit.

Adaptec has released updates for the affected products and recommends updating to the latest versions, CISA said. Siemens recommends countermeasures for products where updates are not, or are not yet, available. These include updating maxView Storage Manager to 4.09.00.25611 or a later version. Siemens has identified that replacing the default self-signed device X.509 certificate with a trusted certificate is a workaround, and it provides further mitigations that users can apply to reduce risk.

CISA disclosed in another advisory the detection of an out-of-bounds read vulnerability in Siemens’ JT Open and JT Utilities equipment. “Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process,” it added.

The affected Siemens software products include all versions of the JT Open before v11.3.2.0 and all versions of JT Utilities before v13.3.0.0. CISA said that the affected applications contain an out-of-bounds read vulnerability past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process.

Siemens recommends that users not open untrusted files using JT Open Toolkit or JT Utilities. Additionally, they must update JT Utilities to V13.3.0.0 or a later version, and update JT Open to v11.3.2.0 or a later version. 

CISA revealed the presence of an improper input validation security loophole in Siemens OPC Foundation Local Discovery Server, used across multiple critical infrastructure sectors. “Successful exploitation of this vulnerability could allow an attacker to create a malicious file loaded by OPC Foundation Local Discovery Server (running as a high-privilege user),” it added.

The affected Siemens software includes all versions of OpenPCS 7 V9.1, all versions of SIMATIC NET PC Software V14, all versions of SIMATIC NET PC Software V15, all versions of SIMATIC NET PC Software V16, all versions of SIMATIC NET PC Software V17, all versions of SIMATIC NET PC Software V18, all versions of SIMATIC Process Historian OPC UA Server, all versions before v8.0 of SIMATIC WinCC, all versions of SIMATIC WinCC Runtime Professional, all versions before v18.0 UPD 1 SR 1 of SIMATIC WinCC Unified PC Runtime, and all versions of TeleControl Server Basic V3. 

Siemens provided mitigation actions and called upon organizations to update the underlying OPC Foundation Unified Architecture Local Discovery Server (UA-LDS) to V1.04.405 or later if possible.

CISA also reported the presence of an improper input validation vulnerability in Siemens’ TIA Portal, used across the critical infrastructure sectors. “Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution,” it added.

The affected Siemens software products include all versions of TIA Portal V15, all versions of TIA Portal V16, all versions of TIA Portal V17, and all versions before v18 Update 1 of TIA Portal V18. “Affected products contain a path traversal vulnerability that could allow the creation or overwriting of arbitrary files in the engineering system. If the user is tricked into opening a malicious PC system configuration file, an attacker could exploit this vulnerability to achieve arbitrary code execution,” the advisory added.

Siemens has released an update for TIA Portal V18 and recommends updating to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or are not yet, available. It also recommends that users avoid opening untrusted project files or PC system configuration files.

CISA also identified the presence of an inadequate encryption strength vulnerability in Siemens’ SCALANCE X-200IRT devices. “Successful exploitation of this vulnerability could allow an unauthorized attacker in a machine-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device,” it added. 

The advisory added that the secure shell (SSH) server on affected devices is configured to offer weak ciphers by default. “This could allow an unauthorized attacker in a machine-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device,” it added.

Siemens has released updates for the affected products and recommends updating all affected products to V5.5.2 or later.
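The SCALANCE X-200IRT finding above is about the algorithm lists an SSH server advertises. The following check, added here as an example and not taken from the CISA advisory or from Siemens, decodes the name-lists of an SSH_MSG_KEXINIT message (RFC 4253, section 7.1) and flags deprecated ciphers, key exchanges and MACs so an operator can audit what a device offers before and after a firmware update. The `WEAK` set is the author's own review list and the `SAMPLE` payload is constructed, not a capture from a real device.

```python
# Added example (not CISA's or Siemens' code): a defender-side audit of the algorithm
# name-lists an SSH server sends in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
# SAMPLE below is a constructed payload, not a capture from a SCALANCE device.
import struct

KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)
# Algorithms a reviewer would flag: RC4/3DES/CBC ciphers, SHA-1 DH key exchange, MD5/truncated MACs.
WEAK = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc", "cast128-cbc",
        "aes128-cbc", "aes192-cbc", "aes256-cbc", "diffie-hellman-group1-sha1",
        "diffie-hellman-group-exchange-sha1", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode {field: [names]} as a KEXINIT payload (used here only to construct sample input)."""
    out = bytearray([20]) + cookie                      # message id 20, then the 16-byte cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names    # name-list = uint32 length + csv names
    return bytes(out + b"\x00" + struct.pack(">I", 0))  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}; raises ValueError when malformed."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        length = int.from_bytes(payload[pos:pos + 4], "big")
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        fields[field] = raw.split(",") if raw else []
        pos += length
    return fields

def weak_offers(fields):
    """Return {field: [weak names]} for each name-list that offers a flagged algorithm."""
    return {f: [n for n in names if n in WEAK] for f, names in fields.items() if WEAK & set(names)}

# Constructed sample: modern algorithms offered alongside CBC, RC4, SHA-1 KEX and MD5 MAC.
SAMPLE = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "aes128-cbc", "arcfour"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes128-cbc", "arcfour"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256", "hmac-md5"]})
```

Running `weak_offers(parse_kexinit(SAMPLE))` lists the flagged entries per name-list; an empty result after the update means the device no longer offers any algorithm on the review list.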

CISA published an ICS advisory covering the detection of a NULL Pointer Dereference vulnerability in Siemens’ SIPROTEC 5 devices. “Successful exploitation of this vulnerability could cause a denial-of-service condition of the target device,” it added. “Affected devices lack proper validation of HTTP request parameters of the hosted web service. An unauthenticated remote attacker could send specially crafted packets that could cause a denial-of-service condition of the target device.”

Siemens has identified that blocking access to port 4443/TCP, using an external firewall for example, will help to reduce the risk. Worldwide regulations for critical power systems (e.g. TSOs or DSOs) usually require multi-level redundant secondary protection schemes to build resilience into power grids. It is recommended that operators check whether appropriate resilient protection measures are in place to minimize the risk of cyber incidents impacting the grid’s reliability.

Siemens recommends that operators apply provided security updates using the corresponding tooling and documented procedures made available with the product, and automatically apply security updates across multiple product instances if automation is supported by the product. The company also suggests validating any security update before being applied and protecting network access with appropriate mechanisms as a general security measure.

CISA disclosed in another ICS advisory the presence of an improper neutralization of special elements used in a command vulnerability in Siemens’ CPCI85 Firmware of SICAM A8000 devices. “Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution.”

Affected devices are vulnerable to command injection via the web server port 443/TCP if the parameter ‘Remote Operation’ is enabled; this parameter is disabled by default, CISA said. “This vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.”

Steffen Robertz, Gerhard Hechenberger, Stefan Viehböck, Christian Hager, and Gorazd Jank from SEC Consult Vulnerability Lab on behalf of Netz Niederösterreich GmbH, EVN Gruppe reported this vulnerability to Siemens, according to CISA.

Siemens has identified that limiting access to the web server on port 80/TCP and port 443/TCP with an external firewall can reduce the risk. Operators of critical power systems worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. The risk of cyber incidents impacting the grid’s reliability can thus be minimized under the grid design. Siemens recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. 

CISA also revealed the presence of an Observable Response Discrepancy vulnerability in Siemens ProductCERT Mendix Forgot Password Module. “The affected versions of the module contain an observable response discrepancy issue that could allow an attacker to retrieve sensitive information,” it added.

Siemens has released updates for the affected products and recommends that users update to the latest versions: Mendix Forgot Password (Mendix 9 compatible) to V5.1.1 or a later version; Mendix Forgot Password (Mendix 8 compatible) to V4.1.1 or a later version; and Mendix Forgot Password (Mendix 7 compatible) to V3.7.1 or a later version.

CISA further revealed that Siemens’ SCALANCE XCM332 equipment contains various vulnerabilities, including allocation of resources without limits or throttling, use after free, concurrent execution using the shared resource with improper synchronization (Race Condition), incorrect default permissions, out-of-bounds write, and improper validation of syntactic correctness of input. 

“Successful exploitation of these vulnerabilities could cause a denial-of-service condition, code execution, data injection, and allow unauthorized access,” the advisory added.

Siemens has released an update for the SCALANCE XCM332 (6GK5332-0GA01-2AC2) and recommends updating it to V2.2 or a later version. As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms.

CISA also disclosed the presence of use after free, deadlock, and allocation of resources without limits or throttling vulnerabilities in Siemens’ Industrial Products, used across multiple critical infrastructure sectors. “Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.”

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or are not yet, available.

CISA reported the presence of a stack-based buffer overflow vulnerability in Siemens’ Teamcenter Visualization and JT2Go hardware. “Successful exploitation of this vulnerability could lead the application to crash or potentially lead to arbitrary code execution.”

The affected versions of Teamcenter Visualization and JT2Go are all versions of JT2Go before V14.2.0.2; Teamcenter Visualization V13.2: all versions before V13.2.0.13; Teamcenter Visualization V13.3: all versions before V13.3.0.9; Teamcenter Visualization V14.0: all versions before V14.0.0.5; Teamcenter Visualization V14.1: all versions before V14.1.0.7; and Teamcenter Visualization V14.2: all versions before V14.2.0.2. 

Siemens has released updates for the affected products and recommends that users update JT2Go to V14.2.0.2 or a later version; Teamcenter Visualization V13.2 to V13.2.0.13 or a later version; Teamcenter Visualization V13.3 to V13.3.0.9 or a later version; Teamcenter Visualization V14.0 to V14.0.0.5 or a later version; Teamcenter Visualization V14.1 to V14.1.0.7 or a later version; and Teamcenter Visualization V14.2 to V14.2.0.2 or a later version.

CISA has identified an improper restriction of XML external entity reference vulnerability in Siemens’ Polarion ALM hardware. “Successful exploitation of this vulnerability may allow an attacker to potentially disclose confidential data,” the advisory added.

The application contains an XML external entity injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem, CISA revealed.

Siemens has released an update for Polarion ALM and recommends updating to the latest version (V2304.0), as well as updating specific configurations to mitigate against the vulnerability. The configuration changes to mitigate this vulnerability will be default in Polarion V2304 and later versions. 

Siemens recommends setting configurations as listed in SSA-632164 to mitigate against external entity injection in the OpenSAML 4.x parser. This will be included by default in Polarion V2304 and later versions.

CISA disclosed the presence of an integer overflow or wraparound vulnerability in Siemens’ SCALANCE X-200, X-200IRT, and X-300 Switch Families, affecting multiple critical infrastructure sectors. “Successful exploitation of these vulnerabilities could lead to memory corruption.”

Siemens has released a new firmware version for SCALANCE X-200 and X-200IRT switches that addresses the ‘Bad Alloc’ vulnerabilities in the underlying operating system and recommends updating to the latest versions. Siemens recommends countermeasures for products where updates are not, or are not yet, available. It also recommends that organizations update to V5.2.6 or a later version, and update to V5.5.2 or a later version.

In the case of Datakit’s CrossCAD/Ware_x64 library used in the critical manufacturing sector, CISA disclosed the presence of out-of-bounds read and out-of-bounds write vulnerabilities. “Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or execute arbitrary code.”

Datakit recommends that users upgrade to v2023.1 or later. The company has also identified specific workarounds and mitigations that should be applied to reduce the risk, including not opening untrusted SLDPRT files with CrossCAD/Ware, and updating CrossCAD/Ware to 2023.1 or a later version.

CISA also revealed the presence of a signal handler race condition vulnerability in Mitsubishi Electric India’s GC-ENET-COM equipment, used across the critical manufacturing sector. “Successful exploitation of this vulnerability could lead to a communication error and may result in a denial-of-service condition,” it added.

The advisory added that a vulnerability exists in the Ethernet communication Extension unit (GC-ENET-COM) of GOC35 series due to a signal handler race condition. If a malicious attacker sends a large number of specially crafted packets, communication errors could occur and could result in a denial-of-service condition when GC-ENET-COM is configured as a Modbus TCP Server.

Faruk Kazi and Parul Sindhwad of COE-CNDS lab, VJTI, Mumbai India, reported these vulnerabilities to Mitsubishi Electric India.

To mitigate risk, Mitsubishi Electric India said that the firmware of the GC-ENET-COM extension unit has been fixed for units whose 11-digit serial number begins with “17”. The firmware update for the GC-ENET-COM extension unit is only available from the vendor, so users should contact a local Mitsubishi Electric India representative.

Mitsubishi Electric India recommends users minimize the risk of attackers exploiting this vulnerability if the mentioned countermeasures cannot be implemented. Such measures include using a firewall, virtual private network (VPN), etc. to prevent unauthorized access when internet access is required. It also suggests locating control system networks and remote devices behind firewalls and isolating them from the business network to restrict access from untrusted networks and hosts. Lastly, it suggests restricting physical access to computers and network equipment on the same network.

Last week, CISA announced the presence of hardware vulnerabilities in equipment from Industrial Control Links, Jtekt Electronics, Korenix, Hitachi Energy, and mySCADA Technologies. For this equipment, deployed across the critical infrastructure sector, the security agency has provided organizations with potential mitigation actions and updates to deal with these security loopholes.
