Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Flaws in Siemens Tool Put ICS Environments at Risk

Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments.

Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments.

The TIA Portal (Totally Integrated Automation Portal) is a piece of software from Siemens that gives organizations unrestricted access to the company’s automation services.

Researchers at industrial cybersecurity firm Nozomi Networks discovered that the default installation of the TIA Portal is affected by two high severity improper file permission vulnerabilities.

One of them, CVE-2018-11453, allows an attacker with access to the local file system to insert specially crafted files that can cause the TIA Portal to enter a denial-of-service (DoS) condition or allow the hacker to execute arbitrary code. Exploiting the flaw does not require special privileges, but the victim needs to attempt to open the TIA Portal for the exploit to be triggered, Siemens said in its advisory.

Nozomi Co-founder and Chief Technology Officer Moreno Carullo told SecurityWeek that the company sent a proof-of-concept (PoC) to ICS-CERT and Siemens that shows how this security hole can be exploited for code execution.

ICS Cyber Security Conference

The second vulnerability, CVE-2018-11454, is related to an improper file permission configuration issue in specific TIA Portal directories.

“[The flaw] may allow an attacker with local privileges in the machine where the software is installed to manipulate the resources inside the misconfigured directories (eg., adding a malicious payload),” Carullo explained. “While a legitimate user uses the software suite to transfer configuration (in a licit way) to the targeted device, using the TIA Portal software, a maliciously-added file would be automatically executed by the remote device.”

Register for SecurityWeek’s ICS Cyber Security Conference

Advertisement. Scroll to continue reading.

Siemens has released updates for SIMATIC STEP7 and SIMATIC WinCC versions 14 and 15 to address the vulnerabilities. For earlier versions, users can prevent exploitation by restricting operating system access to authorized users, and processing GDS files only from trusted sources.

Nozomi believes these types of flaws can pose a significant risk to ICS environments.

“These types of flaws may enable an advanced persistent threat (APT) to be installed in the ICS and act by itself hidden from regular ICS engineers in a plant. So it could be used to build bigger malwares,” Carullo said.

Related: Severe DoS Flaw Discovered in Siemens SIMATIC PLCs

Related: Siemens Patches Flaws in SIMATIC Controllers, Mobile Apps

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

SpecterOps has appointed Tim Bender as CFO, Pat Sheridan as CRO, and Bryce Hein as CMO.

CISA has officially announced the appointment of Madhu Gottumukkala as its new deputy director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.