Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Flaw in Siemens RTU Allows Remote Code Execution

Potentially serious vulnerabilities have been found in some Siemens SICAM remote terminal unit (RTU) modules, but patches will not be released as the product has been discontinued.

Potentially serious vulnerabilities have been found in some Siemens SICAM remote terminal unit (RTU) modules, but patches will not be released as the product has been discontinued.

Researchers at IT security services and consulting company SEC Consult discovered the flaws in the SICAM RTU SM-2556 COM modules, which can be attached to SICAM 1703 and RTU substation controllers for LAN/WAN communications. The product is used worldwide in the energy and other sectors.

The most serious of the security holes is CVE-2017-12739, a critical vulnerability in the integrated web server that allows an unauthenticated attacker with network access to remotely execute code on affected devices.

The web server is also impacted by a reflected cross-site scripting (XSS) vulnerability that can be exploited by getting the targeted user to click on a link (CVE-2017-12738), and a flaw that can be exploited by a remote attacker to bypass authentication and obtain sensitive device information, including passwords (CVE-2017-12737).

The vulnerabilities affect devices running firmware versions ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00. Since the product has been discontinued, Siemens has decided not to release patches. However, users can prevent potential attacks by disabling the affected web server, which is designed for diagnostics and is not needed for normal operation.

Siemens pointed out, however, that the vulnerable versions of the firmware may also be running on the SM-2558 COM module, the successor of SM-2556. The automation giant has advised customers to update to the newer ETA4, MBSiA0 and DNPiA1 firmware versions.

In its own advisory, SEC Consult said it reported the vulnerabilities to Siemens in late September. According to the company, the GoAhead webserver used by the RTU module was released in October 2003 and it’s affected by several known vulnerabilities.

SEC Consult has published proof-of-concept (PoC) code for the authentication bypass and XSS vulnerabilities.

Researchers haven’t found many vulnerabilities in Siemens SICAM products. ICS-CERT has only published a handful of advisories in the past years, but they mostly describe high severity and critical flaws.

Related: Serious Flaw Exposes Siemens Industrial Switches to Attacks

Related: Siemens, PAS Partner on Industrial Cybersecurity

Related: Exploited Windows Flaws Affect Siemens Medical Imaging Products

Related: Siemens Patches Flaws in Automation, Power Distribution Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.