Siemens customers were informed last week that some of the company’s automation and power distribution products are affected by vulnerabilities that can be exploited for denial-of-service (DoS) attacks and session hijacking.
Sergey Temnikov of Kaspersky Lab discovered that several Siemens products using the Discovery Service of the OPC UA protocol stack are exposed to remote attacks due to a security flaw described by ICS-CERT as an improper restriction of XML external entity (XXE) reference issue.
The vulnerability exists in the OPC Foundation’s OPC UA .NET sample code and older versions of the Local Discovery Service (LDS). A remote attacker can exploit the security hole to trick the .NET libraries used by LDS and OPC UA servers into accessing arbitrary network resources, which can lead to a DoS condition.
The flaw is tracked as CVE-2017-12069 and it has been assigned a CVSS score of 8.2. It affects various versions of the Siemens SIMATIC PCS 7 distributed control system (DCS), SIMATIC WinCC supervisory control and data acquisition (SCADA) system, the SIMATIC WinCC Runtime Professional human-machine interface (HMI), the SIMATIC NET PC software, and the SIMATIC IT Production Suite.
The vendor has released updates for some of the affected products and advised users to disable the OPC UA LDS if not needed. The company noted that some OPC applications can work even without this service.
While ICS-CERT claims there is no evidence of public exploits targeting the vulnerability, the OPC Foundation’s own advisory lists the flaw as being exploited.
High severity vulnerabilities have also been found in the Siemens LOGO! universal logic module. The product, designed for small-scale automation tasks, is used worldwide, particularly in commercial facilities and transportation systems.
Siemens LOGO!8 BM devices are affected by a vulnerability that allows a network attacker to obtain an active user’s session ID and hijack their session (CVE-2017-12734), and a weakness that can be leveraged by a man-in-the-middle (MitM) attacker to decrypt and modify network traffic (CVE-2017-12735).
The insufficiently protected credentials issue was discovered by researcher Maxim Rupp, who has found numerous vulnerabilities in ICS products in the past years. This problem was addressed by the vendor with the release of firmware version 1.81.2. The MitM flaw can be mitigated by implementing various security measures.
The security hole, discovered by Siemens itself, can be exploited by a network attacker to cause a DoS condition by sending a specially crafted PROFINET DCP packet as a local ethernet broadcast.
Siemens patched the vulnerability with the release of firmware version 2.1.3.