Nozomi identifies Siemens building automation systems vulnerability that could enable DoS attacks against controllers


Industrial cybersecurity firm Nozomi Networks has carried out a security analysis of the Siemens PXC4.E16, a building automation system (BAS) controller of the Desigo/APOGEE family for HVAC and building service plants. Its researchers identified a vulnerability, tracked under Siemens SSA-626968 and CVE-2022-24040, caused by an improper implementation of the password-based key derivation mechanism for user accounts, which could have been abused to perform a Denial-of-Service (DoS) attack against the controller.

A building automation system is a network designed to connect and automate certain functions inside a building while controlling various electric, electronic and mechanical systems. It helps to improve occupant comfort, deliver efficient operation of building systems, reduce energy consumption, reduce operating and maintenance costs, increase security, provide historical performance documentation, provide for remote access/control/operation, and bring about an improved life cycle of equipment and related utilities.

Building automation controllers are multi-faceted, as they are used to control HVAC (Heating, Ventilation, and Air Conditioning), fire control systems, safety alarms, security cameras, and other systems necessary for the functioning of a facility. Nozomi’s research showed how hackers can not only access a controller but also launch a denial-of-service, rendering the device inoperable for up to a few days. It is also possible that hackers could attack building automation systems while simultaneously launching a catastrophic attack on other industrial control systems (ICS) within a facility.

For instance, if the fire alarm system or other systems are ‘DDoSed,’ it could intensify a cyber-physical attack. “In the past, threat actors have targeted BAS, such as Uninterruptable Power Supply (UPS) while launching a multi-layered attack. Threat actors seem to value BAS as an attractive target,” according to Nozomi.

Upon notification from Nozomi Networks Labs, Siemens has released a patch addressing the vulnerability. “We recommend updating the affected devices to the latest firmware version. Desigo DXR2 and PXC3 must be updated to V01.21.142.5-22 or a later version. Desigo PXC4 and PXC5 must be updated to V02.20.142.10-10884,” the post added.

“The web application fails to enforce an upper bound to the cost factor of the PBKDF2 derived key during the creation or update of an account,” according to a post on the National Vulnerability Database. “An attacker with the user profile access privilege could cause a denial of service (DoS) condition through CPU consumption by setting a PBKDF2 derived key with a remarkably high cost effort and then attempting a login to the so-modified account,” it added.

Nozomi researchers found that in the user profile settings, the Siemens ABT Site software, the reference engineering and commissioning tool for the device, allows the user to assign a ‘user profile access’ permission to a role, which adds user management capabilities such as creating, updating, or deleting users. “This permission can be added even to low-privileged roles; it was possible to add the ‘user profile access’ permission to a role with ‘basic operation’ privileges, i.e., the lowest possible settings,” the researchers said.

After creating a user with the aforementioned role and logging in, “we completed a user creation process, and observed the following interaction,” they said. Nozomi noticed that the application, “through the web interface, allows us to enter a normal plaintext password for the new user. However, in the background, we were surprised to find that the HTTP request responsible for the actual creation of the newly defined user carried the PBKDF2 string of that password.” 

“Our hypothesis is that the maintainers tried to quickly implement a secure password storage mechanism on top of an already existing system that was previously storing a plaintext password or, at most, an unsalted hash, without performing proper in-depth changes to the backend code,” according to the researchers.

After briefly reverse engineering the server binary responsible for handling web service communications, the researchers discovered that no specific validation checks were performed on the iteration count value, apart from verifying that the value was a parsable unsigned integer.

“This implies that any malicious insider with user profile access privileges (or if an attacker manages to hijack an account with such privileges, for instance by exploiting the lack of ‘secure’ attribute of the session cookie) could create a user with a PBKDF2 string having a slow PRF and an extremely high iteration count,” according to the researchers. “They could then perform a Denial-of-Service (DoS) attack by CPU exhaustion against the controller just by attempting a login with the aforementioned user. In fact, the sheer act of performing the login on the device would trigger the long execution of the so-configured PBKDF2 algorithm to perform the password comparison, impeding any further actions on the device,” they added.

During the tests, “we were able to cause the device to become completely unavailable for about 98 seconds just by setting a PRF of HMAC-SHA256 and an iteration count value of 1,000,000,” according to the researchers. “Considering that the device supports even more complex PRFs (such as HMAC-SHA512) and a maximum iteration count of 4,294,967,295, in a worst-case scenario it would be possible to make the device unavailable for days just by attempting a login. What’s most concerning is that nothing would prevent the attacker from reattempting the login other times, to further extend the downtime of the controller,” they added.
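The root cause described above is a missing upper bound on the PBKDF2 cost factor: the backend accepted any parsable unsigned integer as the iteration count, so the work done at login time was attacker-controlled. The following Python example is added here to illustrate the check a defender would want; it is not Siemens or Nozomi code. The string format `pbkdf2-<prf>$<iterations>$<salt_hex>$<dk_hex>`, the bounds `MIN_ITERATIONS`/`MAX_ITERATIONS` and the PRF allowlist are assumptions made for this illustration, since the page does not document the controller's real encoding. It contrasts the weak check (parsable unsigned integer only) with a bounded parser, and extrapolates login time from the 98 s / 1,000,000-iteration figure quoted in the article to the maximum iteration count the researchers mention.

```python
import hashlib
import hmac
import time

# Assumed on-the-wire format for this example (not the controller's real one):
#   pbkdf2-<prf>$<iterations>$<salt_hex>$<dk_hex>
ALLOWED_PRFS = {"sha256": 32, "sha512": 64}   # PRF name -> expected derived-key length
MIN_ITERATIONS = 10_000                        # assumed lower bound (keeps hashes slow enough)
MAX_ITERATIONS = 600_000                       # assumed upper bound (keeps logins fast enough)


class PBKDF2ParamError(ValueError):
    """Raised when a stored PBKDF2 string fails validation."""


def weak_accepts(stored: str) -> bool:
    """The kind of check the article describes: only 'is it a parsable unsigned integer?'.
    It happily accepts 4,294,967,295 iterations."""
    parts = stored.split("$")
    return len(parts) == 4 and parts[1].isdigit()


def parse_pbkdf2_string(stored: str):
    """Bounded parser: validates PRF, iteration range, salt and key lengths before any hashing."""
    parts = stored.split("$")
    if len(parts) != 4 or not parts[0].startswith("pbkdf2-"):
        raise PBKDF2ParamError("malformed PBKDF2 string")
    prf = parts[0][len("pbkdf2-"):]
    if prf not in ALLOWED_PRFS:
        raise PBKDF2ParamError(f"unsupported PRF {prf!r}")
    if not parts[1].isdigit():
        raise PBKDF2ParamError("iteration count must be an unsigned integer")
    iterations = int(parts[1])
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise PBKDF2ParamError(f"iteration count {iterations} outside "
                               f"[{MIN_ITERATIONS}, {MAX_ITERATIONS}]")
    try:
        salt, dk = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError as exc:
        raise PBKDF2ParamError("salt/key are not valid hex") from exc
    if len(salt) < 16:
        raise PBKDF2ParamError("salt too short")
    if len(dk) != ALLOWED_PRFS[prf]:
        raise PBKDF2ParamError("derived key length does not match PRF")
    return prf, iterations, salt, dk


def make_pbkdf2_string(password: str, prf: str, iterations: int, salt: bytes) -> str:
    """Server-side encoding of a new account's credential (the client sends only plaintext)."""
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-{prf}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Login path: parameters are validated first, so a hostile record never reaches pbkdf2_hmac."""
    prf, iterations, salt, dk = parse_pbkdf2_string(stored)
    candidate = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def extrapolate_login_days(measured_seconds: float, measured_iterations: int,
                           target_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so scale a measured login time."""
    seconds = measured_seconds * target_iterations / measured_iterations
    return seconds / 86_400


def measure_seconds_per_iteration(prf: str, sample_iterations: int = 20_000) -> float:
    """Quick local benchmark (host-dependent) to size MAX_ITERATIONS for a given CPU."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac(prf, b"probe", b"\x00" * 16, sample_iterations)
    return (time.perf_counter() - t0) / sample_iterations


if __name__ == "__main__":
    salt = bytes(range(16))                      # constructed sample salt
    good = make_pbkdf2_string("s3cret", "sha256", 50_000, salt)
    print("legitimate login ok:", verify_password(good, "s3cret"))

    # Constructed record with the maximum count the article mentions and a slow PRF.
    hostile = "pbkdf2-sha512$4294967295$" + "00" * 16 + "$" + "00" * 64
    print("weak check accepts hostile record:", weak_accepts(hostile))
    try:
        verify_password(hostile, "anything")
    except PBKDF2ParamError as e:
        print("bounded check rejects it:", e)

    # 98 s at 1,000,000 iterations (figure quoted in the article) scaled to 4,294,967,295
    print("worst-case login, days:", round(extrapolate_login_days(98.0, 1_000_000, 4_294_967_295), 2))
    print("this host, us/iteration (sha256):", round(measure_seconds_per_iteration("sha256") * 1e6, 2))
```

The important design point is ordering: `verify_password` validates the stored parameters before calling `pbkdf2_hmac`, so a record with an absurd cost factor is rejected in microseconds instead of consuming CPU for days. The bounds themselves should be chosen from a benchmark on the target hardware (the `measure_seconds_per_iteration` helper), and any record that fails validation is worth logging, since a legitimately created account should never carry out-of-range parameters.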

Last month, Nozomi discovered a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices, exposing millions of IoT devices deployed across numerous operating environments. The sample has been named ‘Lillin scanner’ after the name the developers used for it in the source code. The scanner sends specially crafted HTTP POST requests to the URL paths to exploit a command injection vulnerability in the web interface.
