Siemens Patches Authentication Bypass Flaw in SiPass Server

Siemens patches four vulnerabilities, including a critical authentication bypass flaw, in its SiPass integrated access control server.

A handful of vulnerabilities in Siemens’ SiPass integrated server have been patched, including one that allows an attacker to bypass authentication on the box.

SiPass is the company’s integrated access control server managing physical access in a number of industries and use cases. The product supports card readers and integrates with video surveillance equipment, among other features and capabilities. Hospitals, airports and manufacturing facilities are listed by Siemens as ideal use cases for the server.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on Thursday posted an advisory warning users to update the server immediately to V2.70, as all prior versions are affected.

“Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to the server to perform administrative operations,” ICS-CERT said.

The improper authentication bug, CVE-2017-9939, earned a CVSS base score of 9.8, just shy of the maximum 10. According to ICS-CERT, an attacker who has network access to the SiPass server could bypass authentication on the device and run code or operations of their choice.

Three other vulnerabilities of lesser criticality were also patched in the update. CVE-2017-9940 is an improper privilege management flaw that allows an attacker with lesser privileges to read or write files to the SiPass server over the network.

The update also addresses a man-in-the-middle vulnerability, CVE-2017-9941. An attacker positioned between the SiPass server and integrated clients could access communication between the two points.

Finally, CVE-2017-9942 is an issue where passwords were stored in a recoverable format, allowing a local attacker to obtain those credentials.

Siemens also patched two vulnerabilities in its SIMATIC SmartClient Android apps, which enable remote operation and management of SIMATIC Human Machine Interface (HMI) systems.

SIMATIC WinCC SmartClient for Android and SmartClient Lite for Android versions prior to V1.0.2.2 are affected, Siemens said.

“Successful exploitation of these vulnerabilities could allow an attacker in a privileged network position to read and modify data within a Transport Layer Security (TLS) session,” ICS-CERT said in an advisory.

The update addresses a pair of flaws. The first, CVE-2017-6870, is a man-in-the-middle vulnerability in which a weakness in the app’s TLS implementation can be abused to give an attacker access to data within a TLS session; it affects only WinCC SmartClient for Android.

The second bug, CVE-2017-6871, is an authentication bypass vulnerability in SmartClient Lite for Android. An attacker with physical access to an unlocked Android device running the software could bypass the app’s authentication.
