Tag Archives: Siemens SIMATIC

Siemens Issues Security Updates for SIMATIC HMI Devices and Software

In late August a set of security updates was made available by Siemens for its SIMATIC HMI devices, SIMATIC WinCC Runtime Advanced software, SIMATIC WinCC v7 software and SIMATIC NET PC-Software V12 and V13.

The HMI (Human Machine Interface) devices allow a user to easily interface with industrial control and supervisory control and data acquisition (SCADA) systems via widescreen displays and multi-touch devices. The SIMATIC WinCC Runtime Advanced and Professional software provide this capability. The SIMATIC NET PC-Software is required for communication between a controller (SIMATIC S7 controller) and PC-based solutions (e.g., SIMATIC WinCC).

These updates address 3 remotely exploitable CVEs (defined) which include resource exhaustion (defined), a man-in-the-middle (MITM) attack (defined) and password-hashing (defined) implementation flaws.

The resource exhaustion vulnerability could be exploited by an attacker if they were located on the network connection between an HMI panel and a PLC (i.e. a man-in-the-middle (MITM) attack) and they could send network packets to the HMI over TCP port 102. Such specifically crafted packets would result in a denial of service (defined) issue for these devices.

The separate man in the middle category of attack mentioned above involves a similar means of attack but this time the attacker is located between the PLCs and their communication partners allowing the attacker to both intercept the packets between these devices and to modify them.

Finally the password hashing vulnerability involves the attacker using the password hashes obtained through another means to grant themselves the same usage rights as the rightful users of those passwords to access SIMATIC WinCC and SIMATIC PCS 7 software.

Why Should These Issues Be Considered Important?
Using these vulnerabilities remote attackers could cause denial of service issues to the above mentioned Siemens devices and/or obtaining the permissions of legitimate users of the SIMATIC WinCC and SIMATIC PCS 7 software used to monitor and control these devices. With the large industrial systems these devices control/operate these flaws can have serious physical consequences (see the notable example mentioned below).

How Can I Protect Myself From These Issues?
Please follow the instructions within this ICS CERT security advisory (specifically the Mitigation section) to update any affected industrial Siemens products that you may be using.

One interesting aspect about these flaws is that the above mentioned Siemens HMI devices are in use by the well-known Large Hadron Collider located underground near Geneva, Switzerland and operated by the European Organization for Nuclear Research (CERN). This underlines the important functions that these devices control whether it be the Hadron Collider or your nearest power station.

Thank you.

Siemens Updates Simatic Products Against “Ghost” (glibc) Security Flaw

Earlier this week security updates were made available by Siemens for its Simatic products (Industrial Data Network Controllers) to resolve an issue in the GNU C library that was reported in January this year. Updates were already available for its Ruggedcom (industrial routers) and its SINUMERIK controllers in March. These products are deployed in industrial sectors to provide data networking capabilities within large production lines and processing facilities e.g. water treatment.

Please follow the instructions within the ICS CERT security advisory to update any affected industrial Siemens products that you may be using.

Background on the Ghost Flaw

In January of this year a buffer overflow affecting the gethostbyname() and gethostbyname2() functions within the GNU C library was discovered by security researchers at Qualys. Both functions are considered deprecated since a newer function getaddrinfo() replaces them. This is a denial of service flaw (in the context of the above mentioned industrial networking components) but there is a possibility of remote code execution.

This flaw was caused by an efficiency improvement within the gethostbyname(). If this function receives an IP address, it will not have to resolve a hostname to an IP address for you (by using a DNS lookup) since the parameter passed is already an IP address. However this code does not check the length of the IP address passed to it as a parameter and this causes the buffer overflow. Please note that the parameter being passed to this function would need to be specifically chosen to crash the code in a way that allows remote code execution for that specific software and hardware platform. Thus such attacks would need to more targeted and would not be trivial to exploit.

Updates to resolve this flaw were released in January by Red Hat, SUSE Linux, Ubuntu and Debian (among others). If you have not already done so, please apply any security updates to your Linux systems and restart those systems for the updates to take effect.

Update: 29th May 2015:
Further defence in-depth advice concerning how to defend a Linux system from attack is provided in this blog post.

Update: 7th September 2015: In addition, as mentioned in this more recent blog post, the Linux Foundation has published a security checklist (intended for Linux system administrators) to harden Linux systems against attack.

Thank you.