Siemens has released patches for some of its SIMATIC human-machine interface (HMI) panels to address a high-severity vulnerability that can be exploited remotely to take full control of a device.
SIMATIC HMI panels are designed for operator control and the monitoring of machines and plants.
Ta-Lun Yen, a researcher at TXOne Networks, an IIoT security-focused joint venture between Trend Micro and Moxa, discovered that these products are affected by a missing authentication issue related to the Telnet service. Affected devices that have Telnet enabled do not require any authentication, allowing a remote attacker to gain full access to a device, Siemens said.
The German industrial giant said the vulnerability (CVE-2020-15798) impacts SIMATIC HMI Comfort Panels, including SIPLUS products designed for extreme conditions, and SIMATIC HMI KTP Mobile Panels. Patches are included in v16 update 3a and later. All previous versions are affected.
In addition to installing the available patches, organizations can disable Telnet to prevent potential attacks exploiting this vulnerability. Siemens pointed out that Telnet is not enabled by default on the impacted devices.
TXOne’s Yen told SecurityWeek that he has not identified many devices that can be targeted from the internet, but noted that there may be some configurations that make them reachable over the intranet.
According to the researcher, an attacker could exploit the vulnerability to use the HMI as a foothold in the targeted network — the devices run Windows CE and he says there is no endpoint protection available.
He also believes an attacker could use the compromised HMI device to reach other systems, such as sensors and PLCs, or to disable them by sending them “weird values.” An attacker could also display inaccurate information in the HMI to avoid raising suspicion while they conduct other malicious activities that could cause damage to an industrial organization.
Yen said the vulnerability can also be leveraged to brick a device and temporarily prevent the operator from interacting with factory processes. It’s also possible to abuse the HMI for cryptocurrency mining, but this scenario is unlikely as it’s economically unfeasible, the researcher noted.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published an advisory to warn industrial organizations about the risk posed by this flaw. Trend Micro’s Zero Day Initiative (ZDI), which along with CISA helped coordinate disclosure, will also publish an advisory for this vulnerability in the upcoming period.