Siemens has made available workarounds and patches that address medium and high severity vulnerabilities found in the company’s Desigo PX and SIMATIC automation products.
The flaws have been described in advisories published by Siemens and ICS-CERT in the past days. The most serious of the issues, based on their CVSS score, affect all versions of SIMATIC S7-300 and S7-400 programmable logic controllers (PLCs).
The security holes, discovered by Zhu WenZhe from Beijing Acorn Network Technology, can be exploited to obtain credentials from a PLC configured with protection level 2, and cause a denial-of-service (DoS) condition by sending specially crafted packets to TCP port 80.
Siemens has not released patches for these vulnerabilities, but informed customers that the DoS flaw can only be exploited if the web server is manually enabled in the project configuration. Disabling the web server prevents attacks. As for the credentials disclosure issue, attacks can be prevented by applying protection level 3.
A different researcher from Beijing Acorn Network Technology has informed Siemens of a medium severity issue affecting SIMATIC WinCC SCADA systems and PCS7 distributed control systems (DCS). The flaw can be exploited to crash the application or leak memory content, but the attack only works if a local user can be tricked into clicking on a malicious link.
Siemens patched the vulnerability with the release of SIMATIC WinCC V7.2 and SIMATIC PCS 7 V8.0 SP1.
The last advisory describes a cryptographic issue in Desigo PX, automation stations and operator units designed for controlling and monitoring building systems.
“The affected devices use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key,” Siemens said.
The issue affects various Desigo PX Web modules for automation controllers running firmware versions prior to 6.00.046.