Siemens released on Tuesday four new industrial control systems (ICS) security advisories, and updated multiple previously issued security advisories related to equipment deployed in the critical infrastructure sector.
Multiple SCALANCE X switches used in critical manufacturing to connect industrial components like programmable logic controllers (PLCs) or human machine interfaces (HMIs) contain vulnerabilities in the web server of the affected devices, Siemens said in its advisory. An unauthenticated attacker could reboot, cause denial-of-service conditions and potentially impact the system by other means through heap and buffer overflow vulnerabilities, the company warned.
The security leakage could allow an unauthenticated attacker to reboot the device over the network by using special Uniform Resource Locators (URLs) from the integrated web server of the affected products. The web server of the affected devices contains a vulnerability that may lead to a heap overflow condition, effecting an attacker to send specially crafted requests, which could lead to the web server stopping temporarily, or stopping and not recovering.
To reduce risk, Siemens recommends that users limit network traffic of web servers of Scalance X switches to trusted connections using firewall rules.
Used in multiple sectors, the SCALANCE X switches might not generate a unique random key after factory reset, and use a private key shipped with the firmware. Devices create a new unique key upon factory reset, except when used with C-PLUG, Siemens said.
When used with C-PLUG the devices use the hardcoded private RSA-key shipped with the firmware-image. An attacker could leverage this situation to a man-in-the-middle situation and decrypt previously captured traffic, Siemens said. At times, devices do not create a new unique private key after factory reset, which an attacker could leverage this situation to a man-in-the-middle situation and decrypt previously captured traffic.
Siemens identified that customers could reduce the security risk by updating the default self signed device X.509 certificates with a trusted certificate, and the default hard-coded X.509 certificates from the firmware image.
The German conglomerate also found that its JT2Go viewing tool and Teamcenter Visualization software used in critical manufacturing were affected by multiple vulnerabilities that could lead to arbitrary code execution or data extraction on the target host system. Siemens released updates for both affected products and advises its users to update to the latest versions, while it is also preparing further updates and recommends specific countermeasures until remaining fixes are available.
Used by the critical infrastructure sector, Siemens’ Solid Edge software tools were also affected by multiple vulnerabilities that could allow arbitrary code execution on an affected system. The company released an update for Solid Edge and urged users to update to the latest version. Users were also advised to limit opening of untrusted files from unknown sources in Solid Edge, and applying a Defense-in-Depth concept can help to reduce the probability that untrusted code is run on the system.
In addition to these new advisories, Siemens also updated some of its earlier advice related to equipment from across its SIMATIC, SINAMICS, SINEC, SINEMA, and SINUMERIK product lines. The company reported after identifying security loopholes due to a component within the affected application that regularly calls a helper binary with SYSTEM privileges, while the call path is not quoted, potentially allowing an attacker to execute commands with elevated privileges.
Siemens also updated its advisory on the SIMOTICS, Desigo, APOGEE, and TALON equipment used across the critical infrastructure sector. The affected products could allow an attacker to change the IP address of the device to an invalid value, and this may allow an attacker to make device configuration changes and affect its availability.
Deployed in critical infrastructure sector, Siemens found on some of its SCALANCE and SIMATIC equipment that the VxWorks-based Profinet TCP stack can be forced to make resource-intense calls for every incoming packet, which can lead to a denial-of-service condition.
On its SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC equipment, Siemens found through specially crafted messages, when encrypted communication is enabled, an attacker with network access could compromise the availability of the system by causing a denial-of-service condition. Nicholas Miles from Tenable reported this vulnerability to Siemens.
The Siemens TIA Portal equipment has been found to include an improper limitation of a pathname to a restricted directory, known as ‘path traversal.’ Changing the contents of a configuration file could allow an attacker to execute arbitrary code with system privileges. This vulnerability could be exploited by an attacker with a valid account and limited access rights on the system. No user interaction is required. William Knowles from Applied Risk reported this vulnerability to Siemens.
Used in the critical manufacturing sector, Siemens’ PROFINET Devices possess a security vulnerability that could cause a denial-of-service condition. An unauthenticated attacker sending a large amount of specially crafted UDP packets may trigger a denial-of-service condition.
Siemens found that presence of vulnerabilities on its Opcenter Execution Core equipment may allow an attacker to obtain session cookies, read and modify application data, read internal information, perform unauthorized changes, and obtain passwords of currently logged in users. Should the attacker gain access to the session cookies, they could then hijack the session and perform arbitrary actions in the name of the victim.
Last month, Siemens announced the presence of six new ICS security advisories and updated 13 previous ones. The recent vulnerabilities have been found in its SIMATIC, SICAM, SENTRON, SIRIUS, XHQ and LOGO! 8 products, while the updated advisories relate to Siemens’ LOGO, SIMATIC, SCALANCE, Profinet and UMC stack.