Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Siemens Fixes Security Flaws in SIMATIC WinCC Apps for iOS

Siemens issued a security advisory on Tuesday to alert users of its SIMATIC WinCC Sm@rtClient App for iOS of multiple privilege escalation vulnerabilities.

Siemens issued a security advisory on Tuesday to alert users of its SIMATIC WinCC Sm@rtClient App for iOS of multiple privilege escalation vulnerabilities.

The security flaws could allow attackers to perform privilege escalation either against the Sm@rtClient iOS App or the servers the App is communicating with under certain conditions, Siemens said in its advisory.

The industrial products giant has released software updates for its iOS Apps, which fix a total of three vulnerabilities, all related to how the applications store and manage passwords.

Fortunately, in order to exploit the vulnerabilities an attacker must have physical access to the iOS device.

The vulnerabilities affect all versions of WinCC Sm@rtClient for iOS and WinCC Sm@rtClient Lite prior to version 1.0.2.

SIMATIC WinCC is used to monitor and control physical processes involved in industry and infrastructure, and is often used in industries such as oil and gas, chemical, food and beverage, water and wastewater. 

Siemens credited Kim Schlyter, Seyton Bradford and Richard Warren from FortConsult for reporting the vulnerabilities summarized below:

CVE-2014-5231 [CVSS Base Score 4.6] – The existing storage mechanism for the application specific password could allow attackers to extract the password and gain access to the application if local access is available.

Advertisement. Scroll to continue reading.

CVE-2014-5232 [CVSS Base Score 4.6] – In case an application specific password is set, the user would not be prompted to enter the password if the App was resumed from the background.

CVE-2014-5233 [CVSS Base Score 4.6] – The implemented mechanism to process Sm@rtServer credentials could allow attackers to extract the credentials if local access is available.

The updated versions of Sm@rtClient and Sm@rtClient Lite should be downloaded via Apple’s App Store. 

In November, Siemens released software updates to address two critical vulnerabilities in some of its SIMATIC WinCC products, one of which could be exploited remotely by an unauthenticated attacker.  

In December, ICS-CERT warned that ongoing attacks levering the BlackEnergy malware were targeting critical infrastructure companies that use human-machine interface (HMI) products from various, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC. 

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.