Siemens has updated its SIMATIC PCS 7 product to plug a number of security vulnerabilities.
The vulnerabilities actually reside in the company’s WinCC product, a supervisory control and data acquisition (SCADA) system that is integrated into the SIMATIC environment. The company patched WinCC in July.
According to Siemens, the update addresses five issues – the most serious of which could permit an attacker under certain conditions to escalate privileges in the WinCC Project administration application. To exploit the issue, the attacker would need network access to the WinCC server.
“A hard coded encryption key could allow privilege escalation in the WinCC Project administration application if its network communication on port 1030/tcp of a legitimate user can be captured,” the company explained in an advisory.
The second most severe of the vulnerabilities is a privilege escalation issue as well. According to Siemens, the database server of SIMATIC WinCC could allow authenticated users to escalate their privileges in the database if a specially-crafted command is sent to the database server at port 1433/tcp. Exploiting this issue requires authenticated access.
Two of the remaining vulnerabilities are related to WinCC’s WebNavigator server. The SIMATIC WinCC WebNavigator server at port 80/tcp and port 443/tcp could allow unauthenticated access to sensitive data if an attacker sends specially-crafted HTTP requests. In addition, the second vulnerability allows remote authenticated users to escalate privileges in WinCC.
The final issue rests with the database server of SIMATIC WinCC, and could allow authenticated users to escalate their privileges in the database if a specially crafted command is sent to the database server at port 1433/tcp.
“Siemens has released SIMATIC WinCC V7.3 [1,2] and SIMATIC PCS7 V8.1 [3] which fix these vulnerabilities and recommends upgrading as soon as possible,” according to the advisory. “Until the updates can be deployed, Siemens advises to apply the following steps to mitigate the risk:
- Limit the WebNavigator server access to trusted networks/clients only
- Ensure that the WebNavigator clients authenticate themselves against the WebNavigator server (e.g. use client certificates)
- Restrict access to the WinCC database server at port 1433/tcp to trusted entities
- Deactivate all unnecessary OS users on WinCC server
- Run WinCC server and engineering stations within a trusted network, or
- Ensure that the WinCC server and the engineering stations communicate via encrypted channels only (e.g. establish a VPN tunnel).”
“SIMATIC WinCC V7.3 introduces the feature ‘Encrypted Communications’,” the company noted. “The feature allows operators to add an extra layer of security to protect the server’s communication. Siemens strongly recommends activating this feature.”
In addition, the company recommends protecting network access to the SIMATIC WinCC server and following security recommendations provided by ICS-CERT.
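One way to check whether the "trusted networks only" mitigations are actually holding is to audit connection records for the four ports named in the advisory. The following is an added example, not taken from Siemens or the original article; the trusted ranges, the server address and the flow-record format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Ports named in the Siemens advisory, with the service each carries.
WINCC_PORTS = {80: "WebNavigator (HTTP)", 443: "WebNavigator (HTTPS)",
               1030: "WinCC Project administration", 1433: "WinCC database server"}

# Assumption: site-specific trusted ranges (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.5.10/32")]

# Constructed sample flow records, one per line: "src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.20.0.15 10.20.0.2 1433 tcp
10.20.5.10 10.20.0.2 1030 tcp
192.0.2.44 10.20.0.2 443 tcp
10.30.1.7 10.20.0.2 1433 tcp
10.30.1.7 10.20.0.2 3389 tcp
10.20.0.15 10.20.0.2 1030 udp
garbage line
"""

def is_trusted(src, trusted=TRUSTED_NETS):
    addr = ipaddress.ip_address(src)  # raises ValueError on a malformed address
    return any(addr in net for net in trusted)

def audit_flows(text, server="10.20.0.2"):
    """Return (findings, skipped): untrusted flows to WinCC ports, and bad line numbers."""
    findings, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        try:
            src, dst, port, proto = parts  # wrong field count raises ValueError
            port = int(port)
            ipaddress.ip_address(dst)
            trusted = is_trusted(src)
        except ValueError:
            skipped.append(lineno)  # surface unparseable records, do not drop them silently
            continue
        if dst != server or proto.lower() != "tcp" or port not in WINCC_PORTS:
            continue  # not traffic to one of the advisory's ports on the WinCC server
        if not trusted:
            findings.append((src, port, WINCC_PORTS[port]))
    return findings, skipped

if __name__ == "__main__":
    findings, skipped = audit_flows(SAMPLE_FLOWS)
    for src, port, svc in findings:
        print(f"untrusted source {src} reached {port}/tcp ({svc})")
    print(f"skipped unparseable lines: {skipped}")
```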