Siemens this week addressed several vulnerabilities and warned customers about the security risks associated with the use of ActiveX in industrial products.
Microsoft’s ActiveX controls make it possible for websites to provide certain types of content, such as videos and games, and they allow users to interact with certain types of elements in the browser, such as toolbars. However, ActiveX has been known to pose serious security risks and it’s currently only supported by Microsoft on Internet Explorer — ActiveX is not supported by other browsers such as Chrome, Safari or Firefox.
Even Microsoft has advised Internet Explorer 11 users not to disable security settings that prevent the downloading and execution of ActiveX controls, unless absolutely necessary. Malicious hackers can abuse ActiveX to collect information about a user, install malware, or take control of a device.
Some of Siemens’ industrial products — the list includes SIMATIC WinCC, SIMATIC STEP 7, SIMATIC PCS 7, TIA Portal, and S7-PLCSIM Advanced — rely on ActiveX components and customers need to use Internet Explorer to execute these components.
However, the German industrial giant has warned that using Internet Explorer to access untrusted websites can pose serious security risks. Siemens recommends using a web browser that does not support ActiveX if accessing web pages other than the ones associated with the company’s products.
Siemens also informed customers this week that it has patched a high-severity authentication bypass vulnerability in its SCALANCE X industrial switches. According to the company, an unauthenticated attacker with network access to the targeted switch can hack the device by sending a specially crafted GET request to a specific URI on the web-based configuration interface.
Researcher Maxim Rupp, who reported the vulnerability to Siemens, told SecurityWeek that an attacker could exploit this weakness to obtain sensitive internal information, access the device’s configuration interface, and change its settings. Rupp said he reported the flaw to Siemens in early 2019.
The vulnerability has been patched in SCALANCE X-300 and X408 switches, and the vendor has provided mitigations for other affected devices.
Siemens also patched a critical vulnerability in SINEMA Server that can allow an authenticated user with low privileges to perform firmware updates and other operations on a device.
The advisories published this week by Siemens also address a high-severity local privilege escalation vulnerability in TIA Portal, which can allow an attacker to execute code with SYSTEM privileges, and a medium-severity access control issue in SINAMICS PERFECT HARMONY.
Related: Hackers Can Use Rogue Engineering Stations to Target Siemens PLCs
Related: Hackers Can Exploit Siemens Control System Flaws in Attacks on Power Plants