Siemens industrial equipment commonly found in fossil-fuel and large-scale renewable power plants are riddled with multiple security vulnerabilities, the most severe of which are critical bugs allowing remote code-execution.
The affected product is SPPA-T3000, a distributed control system used for orchestrating and supervising electrical generation at major power plants in the U.S., Germany, Russia and other countries. It is plagued with 17 different bugs, uncovered by researchers at Positive Technologies.
“By exploiting some of these vulnerabilities, an attacker could run arbitrary code on an application server, thereby taking control of operations and disrupting them,” Vladimir Nazarov, head of ICS security at Positive Technologies, said in a media advisory issued on Thursday. “This could potentially stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed.”
The vulnerabilities were discovered in two specific components of the platform: The application server (seven bugs) and the migration server (10 found).
The most severe of the issues can enable RCE on the application server. For instance, CVE-2019-18283, a critical deserialization of untrusted data bug, would allow an attacker to “gain remote code-execution by sending specifically crafted objects to one of its functions,” according to Siemens’ advisory.
Two other critical vulnerabilities, CVE-2019-18315 and CVE-2019-18316, would allow an attacker with network access to the application server to gain RCE by sending specifically crafted packets to the 8888/TCP and 1099/TCP ports, respectively. And CVE-2019-18314, another critical improper authentication flaw, would allow such an attacker to gain RCE by sending specifically crafted objects via a Remote Method Invocation (RMI).
“An additional 10 vulnerabilities were found in the MS-3000 migration server,” according to Positive Technologies’ statement. “Of these, two enable remote reading and writing of arbitrary files. For example, an attacker could read /etc/shadow, which contains hashes that could be used for brute-forcing user passwords. Several heap overflows were identified, which could be exploited as part of denial-of-service (against the migration server) or other attacks.”
One notable flaw is CVE-2019-18313, a critical unrestricted upload bug, which exposes remote procedure calls (RPCs) intended for administration, by not requiring authentication. This would allow an attacker with network access to the MS-3000 Server component to gain RCE by sending specifically crafted objects to one of the RPC services, according to Positive Technologies.
Siemens noted that exploitation of any of the vulnerabilities requires access to either Siemens’ Application or Automation Highway (the networks linking the components).
“Both highways should not be exposed if the environment has been set up according to the recommended Siemens’ operational guidelines,” the vendor noted.
Siemens said that it’s working on updates; in the meantime, power plants should restrict access to the Application Highway using the SPPA-T3000 Firewall, and there should be no bridging of an external network to either the Application or Automation highways, it said.
None of the bugs has been seen being exploited in the wild, according to Siemens.