The Department of Homeland Security and the ICS-CERT issued an advisory yesterday warning of serious vulnerabilities in Siemens industrial control software deployed in a number of industries including water, gas and oil, and chemical.

Siemens said it has patched the flaws in a new version of its WinCC TIA Portal. The software is an HMI, or Human Machine Interface, package that is an interface between a programmable logic controller (PLC) and the operator. HMIs offer process visualization and other functions giving operators a visual representation of an industrial process.

Multiple vulnerabilities affecting the HMI’s Web server and internal password store were discovered by researchers at Cylance and Positive Technologies that are not remotely exploitable. An attacker would have to use social engineering to gain access to a vulnerable portal, or possess valid user credentials.

ICS-CERT said no public exploits are in the wild.

“Possible attacks require either physical access to the HMI or an unauthenticated user, so an attacker must either have valid credentials or use social engineering as a legitimate user,” the advisory said. “In addition, the Web server of the system must be enabled for the Web-based vulnerabilities.”

The HMI system stores user credentials for its Web applications; the credentials are obfuscated in a reversible way, according to the alert. Users with physical access or Sm@rt Server access can read the credentials.

In addition to the password issue, researchers also discovered an input validation issue that could crash the HMI Web application, as well as a cross-site scripting vulnerability that could allow an authenticated user to store malicious Javascript that would be run by a user visiting an infected page. The researchers also found a directory traversal bug that could give an attacker access to the Web app’s source code by simply manipulating a URL.

In addition, separate HTTP response splitting, server-side script injection and a reflecting cross-site scripting flaw were discovered that would either display restricted data to a user or enable an attacker to run malicious Javascript.

The Siemens advisory and patch details can be found here. ICS-CERT said an attacker with low to medium skill could exploit the flaws.

“All vulnerabilities are fixed in the new software version WinCC (TIA Portal) V12. As a workaround to close the Web-based vulnerabilities, the HMI’s Web server may be disabled,” ICS-CERT said.

Categories: Critical Infrastructure