CISA reveals ICS hardware vulnerabilities in Siemens products, Advantech, SUBNET Solutions

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued several security advisories addressing vulnerabilities in industrial control systems (ICS) typically used across critical infrastructure sectors. The agency revealed the presence of hardware vulnerabilities across Advantech and SUBNET Solutions equipment. It also released notices of hardware vulnerabilities across various Siemens product lines, including POWER METER SICAM Q200 family, SIMOTION, SIMATIC products, TIA Portal, SIMATIC WinCC V7, Solid Edge, SINAMICS Medium Voltage products, SICAM A8000 devices, Teamcenter Visualization, and JT2Go.

CISA revealed the presence of cross-site scripting and authentication bypass by capture-replay vulnerabilities in the SUBNET PowerSYSTEM Center, which is deployed globally across the critical manufacturing sector. SUBNET PowerSYSTEM Center, a multifunctional management platform, is affected in versions 2020 U10 and earlier. SUBNET reported these vulnerabilities to CISA.

“SUBNET PowerSYSTEM Center versions 2020 U10 and prior contain a cross-site scripting vulnerability that may allow an attacker to inject malicious code into report header graphic files that could propagate out of the system and reach users who are subscribed to email notifications,” CISA said in its advisory. “SUBNET PowerSYSTEM Center versions 2020 U10 and prior are vulnerable to replay attacks which may result in a denial-of-service condition or a loss of data integrity.”

The advisory said that SUBNET has fixed these issues by enabling a file integrity check on uploaded images and anti-forgery tokens to prevent replay attacks. “The fix was introduced in PowerSYSTEM Center update 12 as well as Update 8+Hotfix (both identified by release number 5.12.2305.10101, which can be located in Settings → Overview → Version),” it added.
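To make the fix class concrete, the following Python sketch is an added illustration and not code from SUBNET, CISA or the advisory. It contrasts an endpoint that applies a captured request as often as it is re-sent with one that requires a server-issued, single-use anti-forgery token bound to the caller's session. The class and function names, the session id and the action string are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class ActionEndpoint:
    """Toy state-changing web action (hypothetical, not a real product API).

    anti_forgery=False models the weakness the advisory describes: a captured
    request is accepted every time it is re-sent.  anti_forgery=True models the
    fix class the vendor chose: each submission must carry a server-issued,
    single-use token that is also bound to the caller's session.
    """

    def __init__(self, anti_forgery: bool) -> None:
        self.anti_forgery = anti_forgery
        self._secret = secrets.token_bytes(32)   # per-process HMAC key
        self._unused_tokens: set = set()         # issued but not yet consumed
        self.applied: list = []                  # actions actually carried out

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id: str) -> str:
        """Hand a fresh token to the page or form that will perform the action."""
        nonce = secrets.token_hex(16)
        token = f"{nonce}.{self._mac(session_id, nonce)}"
        self._unused_tokens.add(token)
        return token

    def _consume_token(self, session_id: str, token: Optional[str]) -> bool:
        if token is None or token not in self._unused_tokens:
            return False  # never issued, or already spent (a replay)
        nonce, _, mac = token.partition(".")
        if not hmac.compare_digest(mac, self._mac(session_id, nonce)):
            return False  # issued, but for a different session
        self._unused_tokens.discard(token)  # single use
        return True

    def submit(self, session_id: str, action: str, token: Optional[str] = None) -> bool:
        """Return True if the action was applied."""
        if self.anti_forgery and not self._consume_token(session_id, token):
            return False
        self.applied.append((session_id, action))
        return True


def replay_outcome(anti_forgery: bool) -> int:
    """Send one legitimate request, then re-send the captured copy verbatim.
    Returns how many times the action was applied (1 is the desired answer)."""
    endpoint = ActionEndpoint(anti_forgery)
    session_id = "sess-operator-01"  # constructed sample value
    token = endpoint.issue_token(session_id) if anti_forgery else None
    captured = (session_id, "update_report_schedule", token)  # what a capture would hold
    endpoint.submit(*captured)  # the legitimate submission
    endpoint.submit(*captured)  # the same bytes sent a second time
    return len(endpoint.applied)


if __name__ == "__main__":
    print("without tokens, action applied", replay_outcome(False), "times")
    print("with single-use tokens, action applied", replay_outcome(True), "times")
```

Binding the token to the session with an HMAC is what stops a token issued to one session from being spent from another; consuming it on first use is what defeats the replay itself.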

In another advisory, CISA identified the presence of an untrusted pointer dereference vulnerability in Advantech’s WebAccess/SCADA equipment. “Successful exploitation of this vulnerability could allow an attacker to gain remote file system access and achieve remote command execution,” the advisory said.

All versions before 9.1.4 of Advantech WebAccess/SCADA are vulnerable to the use of untrusted pointers, according to the advisory. “The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files,” it added.

Florent Saudel reported this vulnerability to CISA. Advantech recommends that all affected users update their products to the latest patch, as the vulnerability was fixed in version 9.1.4.

CISA also revealed that Siemens POWER METER SICAM Q200 line versions before V2.70 include session fixation, improper input validation, cross-site request forgery, and incorrect permission assignment for critical resource vulnerabilities. The agency said that exploitation of these vulnerabilities could lead to remote code execution or denial of service. Michael Messner from Siemens Energy reported these vulnerabilities to Siemens.

“Affected devices do not renew the session cookie after login/logout and accept user-defined session cookies. An attacker could overwrite the stored session cookie of a user. After the victim has logged in, the attacker is given access to the user’s account through the activated session,” CISA said in its advisory notice. “Affected devices do not properly validate the Language-parameter in requests to the web interface on port 443/tcp. This could allow an authenticated remote attacker to crash the device (followed by an automatic reboot) or to execute arbitrary code on the device.”

Siemens released an update for the POWER METER SICAM Q200 family and recommends updating to the latest version. It also identified specific workarounds and mitigations that users can apply to reduce risk, including not accessing links from untrusted sources while logged in to Q200 devices and restricting access to port 443/tcp to trusted IP addresses only.
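The session fixation behaviour quoted above (a session cookie that is not renewed at login, and client-supplied cookie values that are accepted) is the kind of weakness that is easiest to understand side by side with its fix. The following Python sketch is an added example, not code from Siemens, CISA or the advisory; the session store, the user table and the planted cookie value are constructed for the demo.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed credential table for the demo (not from any real device).
USERS = {"operator": "correct horse battery staple"}


class SessionStore:
    """Toy server-side session handling (hypothetical, not device code).

    hardened=False reproduces the two behaviours described in the advisory:
    the server treats a cookie value it never issued as a valid session, and it
    keeps the same session id across login.  hardened=True ignores cookies it
    did not mint and issues a fresh id once the user has authenticated.
    """

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.sessions: Dict[str, Optional[str]] = {}  # session id -> logged-in user

    def _mint(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def resolve(self, cookie: Optional[str]) -> str:
        """Return the server-side session id for an incoming cookie value."""
        if cookie in self.sessions:
            return cookie
        if cookie is not None and not self.hardened:
            # Weak: a never-issued value becomes a live session simply by being presented.
            self.sessions[cookie] = None
            return cookie
        # Hardened (or no cookie at all): unknown values are ignored and a new id is minted.
        return self._mint()

    def login(self, cookie: Optional[str], user: str, password: str) -> str:
        """Authenticate; return the cookie value the browser should store afterwards."""
        sid = self.resolve(cookie)
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return sid  # pre-authentication session stays anonymous
        if self.hardened:
            # Rotate: discard the pre-authentication id so any value planted
            # before login is worthless after it.
            del self.sessions[sid]
            sid = self._mint()
        self.sessions[sid] = user
        return sid

    def whoami(self, cookie: Optional[str]) -> Optional[str]:
        return self.sessions.get(cookie) if cookie else None


def fixation_outcome(hardened: bool) -> Dict[str, Optional[str]]:
    """Walk through the advisory's scenario: a cookie value that was stored in
    the user's browser before login is presented by a third party after the
    user logs in.  Returns which account each cookie value resolves to."""
    server = SessionStore(hardened)
    planted = "value-stored-before-login"  # constructed; never issued by the server
    victim_cookie = server.login(planted, "operator", USERS["operator"])
    return {
        "victim": server.whoami(victim_cookie),  # the user's own post-login cookie
        "planted": server.whoami(planted),       # the value known before login
    }


if __name__ == "__main__":
    print("weak:    ", fixation_outcome(hardened=False))
    print("hardened:", fixation_outcome(hardened=True))
```

The two defender-side changes are independent and both matter: refusing to adopt unknown cookie values stops a pre-login value from becoming a session at all, and rotating the id at login ensures that even a legitimately issued anonymous id does not carry the authenticated state.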

CISA reported that Siemens’ SIMOTION equipment could expose sensitive information due to an incompatible policy vulnerability. Exploitation of this vulnerability could allow an unauthenticated attacker to extract confidential technology object (TO) configuration from the device.

The equipment is deployed across multiple critical infrastructure sectors. CISA said in its advisory that “When operated with Security Level Low the device does not protect access to certain services relevant for debugging. This could allow an unauthenticated attacker to extract confidential TO configuration from the device.”

Siemens called upon users to update to V5.5 SP1 or later, if possible. It also suggests restricting physical access to the device and avoiding the use of Security Level Low (e.g., Service Selector Switch in position 8, with simotion.ini or the PSTATE program – see Section 3.5 of SIMOTION IT – SIMOTION IT Diagnostics and Configuration Manual) in production environments.

In another advisory, CISA identified the presence of a use of obsolete function vulnerability across Siemens SIMATIC products, which is exploitable from an adjacent network. Successful exploitation of this vulnerability could allow an attacker to obtain unauthorized access to product control and data.

“Before SIMATIC WinCC V8, legacy OPC services (OPC DA (Data Access), OPC HDA (Historical Data Access), and OPC AE (Alarms & Events)) were used per default,” CISA said in its advisory. “These services were designed on top of the Windows ActiveX and DCOM mechanisms, and do not implement state-of-the-art security mechanisms for authentication and encryption of contents.”

Users must update to SIMATIC WinCC V8.0 or later and, when using SIMATIC NET PC Software, ensure that only trusted users are part of the SIMATIC NET group. They must also ensure that only trusted users are part of the SIMATIC HMI group, disable the legacy OPC DA/HDA/AE services, and switch to OPC UA, if possible.

CISA disclosed the presence of a protection mechanism failure vulnerability in the Siemens Totally Integrated Automation (TIA) Portal used globally across multiple critical infrastructure sectors. “Successful exploitation of this vulnerability could allow attackers with access to the project file to recover previous – yet unprotected – versions of the project, without the knowledge of the know-how protection password.”

The advisory added that “The know-how protection feature in affected products does not properly update the encryption of existing program blocks when a project file is updated. This could allow attackers with access to the project file to recover previous – yet unprotected – versions of the project without the knowledge of the know-how protection password.”

Eli Biham, Sara Bitan, Alon Dankner, Arnon Lazerson, and Assaf Rosenbaum from the Faculty of Computer Science, Technion Haifa reported this vulnerability to Siemens, the agency disclosed.

CISA revealed the presence of an improper control of generation of code (code injection) vulnerability in Siemens SIMATIC PCS 7, SIMATIC S7-PM, and SIMATIC STEP 7 V5 equipment. Exploiting this vulnerability could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that impact the server.

The vulnerability has a CVSS v3 base score of 9.9. CISA said that the “affected product contains a database management system that could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that have an impact on the server. An attacker with network access to the server network could leverage these embedded functions to run code with elevated privileges in the database management system’s server.”

Users have been called upon to update to the latest versions of the affected equipment. 

CISA disclosed an out-of-bounds read vulnerability in Siemens’ Solid Edge equipment. Exploitation of the vulnerability could allow an attacker to execute code in the context of the current process.

“Open Design Alliance Drawings SDK (versions before 2024.1) is vulnerable to an out-of-bounds read when reading a DWG file. This could allow an attacker to execute code in the context of the current process,” according to a CISA advisory. Siemens has asked users to update to the latest versions to mitigate risks. 

In another advisory, CISA identified that Siemens’ SICAM A8000 devices contain command injection, use of hard-coded credentials, and exposed dangerous method or function vulnerabilities. Exploitation of these vulnerabilities could allow an attacker with direct physical access to crack the root password to log in to the device, or to remotely execute arbitrary code with root privileges.

SEC Consult Vulnerability Lab, on behalf of Netz Niederösterreich GmbH, EVN Gruppe, reported these vulnerabilities to Siemens, CISA said.

Siemens’ JT2Go and Teamcenter Visualization equipment were found to contain null pointer dereference, out-of-bounds read, and improper restriction of operations within the bounds of a memory buffer vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute code in the context of the current process, or crash the application, causing a denial-of-service condition. Jin Huang from ADLab of Venustech reported these vulnerabilities to Siemens.

Once again, Siemens called upon users to update to the latest versions of the affected equipment.
