Researchers have discovered two serious vulnerabilities in industrial Ethernet switches manufactured by Siemens that could enable attackers to perform unauthorized actions on the switches without authentication. One of the bugs allows attackers to hijack Web sessions and the other enables them to perform admin tasks on the switches.
The vulnerabilities were discovered by researchers at IOActive, and Siemens has released patches for the bugs in the Siemens SCALANCE X-200 switches.
“SCALANCE X-200 switches are used to connect industrial components like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs). The switches offer a web interface to enable users to change the configuration using a common web browser. An issue in the web server’s authentication of the affected products might allow attackers to hijack web sessions over the network without authentication,” the Siemens advisory says.
The vulnerabilities lie in the authentication system of the switches, and Siemens said that attackers could use the flaws to bypass authentication and perform actions on the switches that should require a logged-in user.
“The authentication of the integrated web server of SCALANCE X-200 switches might allow attackers to hijack web sessions over the network without authentication due to insufficient entropy in its random number generator.”
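The advisory's root cause, insufficient entropy in the random number generator behind web sessions, is easy to illustrate. The example below is added here and is not Siemens' firmware code or IOActive's finding; it contrasts a constructed, hypothetical weak session-ID generator (a non-cryptographic PRNG seeded from a one-second clock) with a hardened one drawn from the OS CSPRNG, and adds two audit helpers: one that reports the effective entropy of a clock-seeded token when the seed is known to lie within a time window, and one that flags a generator whose output is reproducible from its seed. All function names and values are assumptions for illustration.

```python
import math
import random
import secrets
import time


def weak_session_id(seed=None):
    """Constructed weak generator (hypothetical, not the SCALANCE code).

    The token is fully determined by one integer: a 1-second-resolution
    timestamp fed into a non-cryptographic PRNG. Whatever the output looks
    like, its entropy is bounded by how well the seed can be narrowed down.
    """
    if seed is None:
        seed = int(time.time())
    rng = random.Random(seed)
    return "%08x" % rng.getrandbits(32)


def strong_session_id(seed=None):
    """Hardened form: 128 bits from the OS CSPRNG.

    The seed parameter is accepted only so both generators share a signature
    for the audit helper below; it is deliberately ignored.
    """
    return secrets.token_hex(16)


def seed_space_bits(window_seconds):
    """Effective entropy of a clock-seeded token if the seed is known to fall
    within a window of `window_seconds`: log2 of the number of candidate seeds."""
    return math.log2(window_seconds)


def token_bits(token_hex):
    """Nominal size of a hex token in bits (an upper bound, not real entropy)."""
    return len(token_hex) * 4


def is_reproducible(generator, seed, trials=3):
    """Audit check: a session-ID generator that returns the same value for the
    same seed carries no entropy beyond the seed itself and is unfit for use."""
    outputs = {generator(seed) for _ in range(trials)}
    return len(outputs) == 1


if __name__ == "__main__":
    sample_seed = 1700000000  # constructed timestamp
    print("weak token:", weak_session_id(sample_seed))
    print("weak generator reproducible from seed:",
          is_reproducible(weak_session_id, sample_seed))
    print("nominal weak token size: %d bits, effective over a 1-hour window: %.1f bits"
          % (token_bits(weak_session_id(sample_seed)), seed_space_bits(3600)))
    strong = strong_session_id()
    print("strong token:", strong, "(%d bits)" % token_bits(strong))
    print("strong generator reproducible from seed:",
          is_reproducible(strong_session_id, sample_seed))
```

The point of the two audit helpers is that token length says nothing about token strength: the weak token is 32 bits on paper but only about 12 bits if its seed sits inside a known hour, which is why a session-ID generator must be backed by a CSPRNG rather than a seeded PRNG.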
IOActive researcher Eireann Leverett, who discovered the vulnerabilities, said that the Siemens security response team was quick to acknowledge his findings and set to work on a fix immediately.
“Siemens ProductCERT were professional, courteous, and did not adopt an adversarial attitude when I contacted them about the vulnerabilities. Consequently, we were able to clarify the vulnerabilities quickly, and they produced a patch within three months,” said Leverett. “I challenge other ICS vendors to match this timeline for security patching in the future.”
That kind of response is relatively rare in the ICS and SCADA software and hardware world, which lags well behind traditional software vendors in its security response processes. Tales of researchers waiting months, or in some cases years, for responses or patches for vulnerabilities they’ve reported in industrial control software and SCADA systems are not uncommon. That seems to be changing slowly, as researchers spend more time and energy looking for vulnerabilities in these products, as do attackers.