Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Flaws in Siemens Tool Put ICS Environments at Risk

Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments.

Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments.

The TIA Portal (Totally Integrated Automation Portal) is a piece of software from Siemens that gives organizations unrestricted access to the company’s automation services.

Researchers at industrial cybersecurity firm Nozomi Networks discovered that the default installation of the TIA Portal is affected by two high severity improper file permission vulnerabilities.

One of them, CVE-2018-11453, allows an attacker with access to the local file system to insert specially crafted files that can cause the TIA Portal to enter a denial-of-service (DoS) condition or allow the hacker to execute arbitrary code. Exploiting the flaw does not require special privileges, but the victim needs to attempt to open the TIA Portal for the exploit to be triggered, Siemens said in its advisory.

Nozomi Co-founder and Chief Technology Officer Moreno Carullo told SecurityWeek that the company sent a proof-of-concept (PoC) to ICS-CERT and Siemens that shows how this security hole can be exploited for code execution.

ICS Cyber Security Conference

The second vulnerability, CVE-2018-11454, is related to an improper file permission configuration issue in specific TIA Portal directories.

“[The flaw] may allow an attacker with local privileges in the machine where the software is installed to manipulate the resources inside the misconfigured directories (eg., adding a malicious payload),” Carullo explained. “While a legitimate user uses the software suite to transfer configuration (in a licit way) to the targeted device, using the TIA Portal software, a maliciously-added file would be automatically executed by the remote device.”

Register for SecurityWeek’s ICS Cyber Security Conference

Siemens has released updates for SIMATIC STEP7 and SIMATIC WinCC versions 14 and 15 to address the vulnerabilities. For earlier versions, users can prevent exploitation by restricting operating system access to authorized users, and processing GDS files only from trusted sources.

Nozomi believes these types of flaws can pose a significant risk to ICS environments.

“These types of flaws may enable an advanced persistent threat (APT) to be installed in the ICS and act by itself hidden from regular ICS engineers in a plant. So it could be used to build bigger malwares,” Carullo said.

Related: Severe DoS Flaw Discovered in Siemens SIMATIC PLCs

Related: Siemens Patches Flaws in SIMATIC Controllers, Mobile Apps

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.