Siemens, Schneider Electric confirm presence of security vulnerabilities in ICS products

Siemens and Schneider Electric have been hit by a series of security vulnerabilities across their industrial control systems (ICS), according to advisories issued by the Cybersecurity and Infrastructure Agency (CISA).

Users have been informed about availability of patches and mitigations that must be adopted to reduce the impact of these weaknesses within the critical infrastructure.

Siemens released six new ICS security advisories and updated 13 previous ones. The recent vulnerabilities have been found in its SIMATIC, SICAM, SENTRON, SIRIUS, XHQ and LOGO! 8 products, while the updated advisories relate to Siemens’ LOGO, SIMATIC, SCALANCE, Profinet and UMC stack.

The company confirmed that its SENTRON PAC3200, SENTRON PAC4200 and SIRIUS 3RW5 products have been hit by the AMNESIA:33, a set of embedded TCP/IP stack vulnerabilities that been identified by ICS security company Forescout, as having infected millions of connected devices and IoT and OT devices from over 150 vendors with tens of vulnerabilities found in TCP/IP stacks.

The TCP/IP stacks affected by AMNESIA:33 can be found in operating systems for embedded devices, systems-on-a-chip, networking equipment, OT devices and other enterprise and consumer IoT devices. The security flaws have been found in four out of seven analyzed TCP/IP stacks, including uIP, picoTCP, FNET and Nut/Net, which are used by internet-connected devices.

The German conglomerate has advised users of its SENTRON and SIRIUS products of the presence of the integer overflow vulnerability, which when manipulated by an attacker located in the same network could trigger a DoS condition on the device by sending a specially crafted IP packet. It also identified that for successful exploitation, an attacking system must be located in the same Modbus TCP segment as a vulnerable device, and has thus recommended that only trusted systems are attached to that segment and only trusted persons have access.

Siemens also reported that its XHQ Operations Intelligence equipment used in the energy sector was faced with various vulnerabilities, including exposure of sensitive information to an unauthorized actor, cross-site scripting, basic XSS, SQL injection, relative path traversal, and cross-site request forgery, according to the CISA advisory.

Exploitation of these weaknesses could allow an attacker to read sensitive information, modify web content, and perform cross-site scripting and cross-site request forgery on unsuspecting users, according to Siemens. It advised users to update the XHQ Operations Intelligence product line to the latest version, apart from protecting network access to devices with appropriate mechanisms.

Another Siemens product used in the energy sector, the SICAM A8000 Remote Terminal Unit Series, faced a vulnerability with its Protection Mechanism Failure, which could allow an attacker to gain unauthorized read or write access to network traffic to or from the device. The company recommends its users update to the latest version, v16, and configure the browser to accept only secure ciphers.

Siemens also identified weaknesses in its SIMATIC ITC Industrial Thin Clients, SIMATIC WinCC Runtime Advanced/Professional, SIMATIC HMI Panels and SIPLUS extreme products. When exploited, these loopholes can lead to heap-based buffer overflow, NULL pointer dereference and classic buffer overflow. Exploitation of these vulnerabilities in the affected products could allow remote code execution and DoS attacks under certain conditions. The company released updates for several products and is working on updates for the remaining affected products.

Used in critical manufacturing, Siemens’ SIMATIC Controller Web Servers have also been identified to contain a vulnerability on Uncaught Exception, wherein an attacker can send a specially crafted HTTP request to the products web server, which may cause a DoS condition.

Siemens has released updates for the affected products and recommends updating to the latest available version. It also notes that if the PC Station web server does not restart automatically, a Windows reboot is required. This can be done while the control system is running as the PLC control functionality is not affected.

The LOGO! 8 BM equipment deployed in commercial facilities and transportation systems also contained several vulnerabilities, including missing authentication for critical function, use of hard-coded cryptographic key, use of a broken or risky cryptographic algorithm, and insufficiently protected credentials. Manipulation of these vulnerabilities could allow an attacker to make configuration and password changes, capture device keys, access confidential information, and gain full control of the device.

Deployed across various critical infrastructure sectors, Schneider Electric’s Modicon M221 Programmable Logic Controller has also been identified with security vulnerabilities, including inadequate encryption strength, small space of random values, missing encryption of sensitive data, exposure of sensitive information, and use of a one-way hash with a predictable salt.

The French multinational company advised its users to set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP. Within the Modicon M221 application, the user must disable all unused protocols, especially its programming protocol. This action will prevent unintended remote programming access. Apart from this, the user must set passwords to protect the project and read access on the controller, while using a different password for write access on the controller.

Schneider Electric also confirmed weaknesses on its Easergy T300 RTU (Remote Terminal Unit) modular platform for medium voltage and low voltage public distribution network management. The vulnerabilities include missing authentication for critical function, missing authorization, missing encryption of sensitive data, and improper restriction of rendered user interface layers or frames.

The weaknesses can allow an attacker to obtain unauthorized access to the internal product LAN, which could result in exposure of sensitive information, denial-of-service (DoS) and remote code execution when access to a resource from an attacker is not restricted or incorrectly restricted. Users are encouraged to upgrade to V2.7.1 available from the Schneider Electric Customer Care Center. Alternatively, they may disable port forwarding in the product firewall. Failure to apply the fix provided may allow unauthorized access to the internal product LAN.

Last week, Schneider Electric reported that an improper privilege management vulnerability has been found in its EcoStruxure Platform, which can cause privilege escalation on the workstation when interacting directly with a driver installed by the runtime software of EcoStruxure Operator Terminal Expert.

CISA recommends that users take defensive measures to minimize the risk of exploitation of the various weaknesses and advises organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.


Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.