Siemens issued a security advisory on Tuesday to alert users of its SIMATIC WinCC [email protected] App for iOS of multiple privilege escalation vulnerabilities.
The security flaws could allow attackers to perform privilege escalation either against the [email protected] iOS App or the servers the App is communicating with under certain conditions, Siemens said in its advisory.
The industrial products giant has released software updates for its iOS Apps, which fix a total of three vulnerabilities, all related to how the applications store and manage passwords.
Fortunately, in order to exploit the vulnerabilities an attacker must have physical access to the iOS device.
The vulnerabilities affect all versions of WinCC [email protected] for iOS and WinCC [email protected] Lite prior to version 1.0.2.
SIMATIC WinCC is used to monitor and control physical processes involved in industry and infrastructure, and is often used in industries such as oil and gas, chemical, food and beverage, water and wastewater.
Siemens credited Kim Schlyter, Seyton Bradford and Richard Warren from FortConsult for reporting the vulnerabilities summarized below:
• CVE-2014-5231 [CVSS Base Score 4.6] – The existing storage mechanism for the application specific password could allow attackers to extract the password and gain access to the application if local access is available.
• CVE-2014-5232 [CVSS Base Score 4.6] – In case an application specific password is set, the user would not be prompted to enter the password if the App was resumed from the background.
• CVE-2014-5233 [CVSS Base Score 4.6] – The implemented mechanism to process [email protected] credentials could allow attackers to extract the credentials if local access is available.
The updated versions of [email protected] and [email protected] Lite should be downloaded via Apple’s App Store.
In November, Siemens released software updates to address two critical vulnerabilities in some of its SIMATIC WinCC products, one of which could be exploited remotely by an unauthenticated attacker.
In December, ICS-CERT warned that ongoing attacks levering the BlackEnergy malware were targeting critical infrastructure companies that use human-machine interface (HMI) products from various, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC.
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- ‘No Evidence’ of Cyberattack Related to FAA Outage, White House Says
- SecurityWeek to Host 2022 ICS Cybersecurity Conference October 24-27 in Atlanta
- Google Completes $5.4 Billion Acquisition of Mandiant
- Cybersecurity Firm ZeroFox Begins Trading on Nasdaq via SPAC Deal
- HUMAN Security and PerimeterX Merge on Mission to Combat Bots
- Last Call: CFP for ICS Cybersecurity Conference Closes July 15th
- Johnson Controls Acquires Tempered Networks to Shield Buildings From Cyberattacks
- Snowflake Launches Cybersecurity Workload to Find Threats Across Massive Data Sets
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
