Researchers have identified three vulnerabilities in Siemens’ SIMATIC HMI devices. The German engineering giant has started releasing software updates to address the security holes in affected products.
The most severe of the issues is a resource exhaustion vulnerability (CVE-2015-2822) that can be leveraged by an attacker positioned between the HMI panel and a programmable logic controller (PLC) to cause a denial-of-service (DoS) condition in the HMI panel. The flaw can be exploited by sending specially crafted packets on TCP port 102, ICS-CERT and Siemens explained in advisories.
The fact that a malicious actor can launch this kind of man-in-the-middle (MitM) attack by positioning himself on the network path between a PLC and its communication partner is a separate vulnerability that has been assigned the CVE identifier CVE-2015-1601. An attacker can leverage this vulnerability to intercept or modify industrial communications, Siemens said.
The third flaw is related to authentication (CVE-2015-2823). Researchers have discovered that users can authenticate themselves not just with the actual passwords, but with the password hashes as well.
“If attackers obtain password hashes for SIMATIC WinCC users, they could possibly use the hashes to authenticate themselves,” ICS-CERT explained.
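The authentication flaw described above is a pass-the-hash condition in an application login. The following is an added illustration of that flaw class, not Siemens' or WinCC's code: the constructed user store, salt and the rule by which the flawed server decides whether a client has "pre-hashed" its credential are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample data: one user whose password is stored as a salted SHA-256
# digest. The scheme and values are assumptions for this example only.
SALT = b"constructed-salt"


def pw_hash(password: str) -> str:
    """Derive the stored digest for a password (illustrative scheme)."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


USERS = {"operator": pw_hash("correct horse battery staple")}


def _looks_like_digest(value: str) -> bool:
    # Assumed heuristic of the flawed server: a 64-character hex string is
    # treated as an already-computed digest rather than as a password.
    return len(value) == 64 and all(c in "0123456789abcdef" for c in value)


def login_vulnerable(user: str, credential: str) -> bool:
    """Flawed check: the server hashes the credential only when it does not
    already look like a digest. A stolen hash is therefore accepted as a
    credential, which is the condition ICS-CERT describes."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = credential if _looks_like_digest(credential) else pw_hash(credential)
    return hmac.compare_digest(candidate, stored)


def login_fixed(user: str, credential: str) -> bool:
    """Hardened check: the server always derives the digest itself from what
    the client sent, so only knowledge of the actual password authenticates."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(pw_hash(credential), stored)
```

The detection rule a real product uses (a flag in the protocol, a field length, a separate login path) would differ; the point is that any server-side branch which trusts a client-supplied digest turns the stored hash into a password equivalent.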
The remotely exploitable vulnerabilities affect SIMATIC HMI Basic Panels (1st and 2nd generation), HMI Comfort Panels, WinCC Runtime Advanced, WinCC Runtime Professional, HMI Mobile Panels, HMI Multi Panels, NET PC-Software (V12 and V13), WinCC V7.x, and the SIMATIC Automation Tool. These products are used for controlling and monitoring machines and plants, communications between controllers and PC-based solutions, and controlling and monitoring physical processes.
Siemens has released updates for most of the impacted products. The company says it’s currently preparing patches for SIMATIC HMI Basic Panels 1st Generation, HMI Mobile Panel 277, and HMI Multi Panels.
Until the fixes become available, organizations are advised to apply defense-in-depth recommendations, use VPNs to protect network communications, and apply the cell protection concept described in Siemens’ operational guidelines for industrial security. Since two of the vulnerabilities can be exploited through port 102/TCP, ICS-CERT recommends blocking all external traffic to that port.
The MitM and resource exhaustion vulnerabilities were reported to Siemens by the Quarkslab team. The authentication bug was identified by Ilya Karpov of Positive Technologies.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.