In the wake of a report about vulnerabilities in its products, Siemens issued a patch for its Simatic S7 industrial controllers on Monday. ICS-CERT, the Industrial Control Systems Cyber Emergency Response Team, issued an alert advising Siemens customers to apply the patch.
Siemens said the firmware update is for the CPU component of the company’s Simatic S7 programmable logic controllers (PLCs). The company acknowledged that the S7 PLCs contained a vulnerability that could have allowed attackers to capture and replay management commands sent to a PLC. The updated firmware prevents commands captured from a management console from being retransmitted to a controller and executed at a later time.
According to Siemens, unpatched S7 PLCs could be tricked into executing replayed commands (for example, a STOP command) even if that PLC is protected by a password. More troubling, the captured management frames would also work against other Siemens S7 controllers within the same plant or at other Siemens installations, provided those controllers were not password protected or shared the same password.
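The weakness described above is the classic replay problem: a management frame whose only authentication is a static password field is valid for anyone who captures it, against any controller that accepts that password. The following toy model is an added illustration written for this page; it is not Siemens firmware, not the S7 protocol, and not Beresford’s code. The frame layout, the `MGMT|…` fields, the `LegacyController` and `NonceController` classes and the password `plant-secret` are all hypothetical. It contrasts a controller that checks a static password in the frame (replayable against the same PLC, against a PLC sharing the password, and against an unprotected PLC) with a hardened variant that issues a one-shot nonce per session and requires an HMAC over nonce and command, so that a captured frame is rejected when presented again.

```python
"""Toy model of a replayable management frame and a nonce-bound alternative.

Hypothetical protocol for illustration only: not the Siemens S7 wire format.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Set


def build_legacy_frame(password: str, command: str) -> bytes:
    """Static frame: the password travels verbatim next to the command.
    Nothing ties the frame to a session, so it can be resent as captured."""
    return b"MGMT|" + password.encode() + b"|" + command.encode()


class LegacyController:
    """Accepts any frame whose password field matches its own (or any frame,
    if no password is configured)."""

    def __init__(self, password: Optional[str]):
        self.password = password
        self.state = "RUN"

    def receive(self, frame: bytes) -> bool:
        tag, pw, cmd = frame.split(b"|", 2)
        if tag != b"MGMT":
            return False
        if self.password is not None and pw.decode() != self.password:
            return False
        self.state = cmd.decode()
        return True


class NonceController:
    """Hardened variant: each session starts with a server-chosen nonce and the
    client must send HMAC(password, nonce || command). A replayed frame carries
    a nonce that is no longer outstanding, so it is rejected."""

    def __init__(self, password: str):
        self.password = password.encode()
        self.state = "RUN"
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def receive(self, frame: bytes) -> bool:
        tag, nonce_hex, cmd, mac_hex = frame.split(b"|", 3)
        nonce = bytes.fromhex(nonce_hex.decode())
        if tag != b"MGMT" or nonce not in self._outstanding:
            return False  # unknown or already-consumed nonce: replay or forgery
        expected = hmac.new(self.password, nonce + cmd, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac_hex):
            return False
        self._outstanding.discard(nonce)  # one-shot: the nonce cannot be reused
        self.state = cmd.decode()
        return True


def build_nonce_frame(password: str, nonce: bytes, command: str) -> bytes:
    mac = hmac.new(password.encode(), nonce + command.encode(), hashlib.sha256).hexdigest()
    return b"MGMT|" + nonce.hex().encode() + b"|" + command.encode() + b"|" + mac.encode()


def replay_demo() -> dict:
    # Constructed scenario: an operator stops PLC A; an attacker on the
    # automation network captures that frame and replays it later.
    plc_a = LegacyController("plant-secret")
    captured = build_legacy_frame("plant-secret", "STOP")
    assert plc_a.receive(captured)
    plc_a.state = "RUN"
    replay_same = plc_a.receive(captured)            # same PLC, later: accepted

    plc_b = LegacyController("plant-secret")        # another PLC, shared password
    replay_shared = plc_b.receive(captured)

    plc_c = LegacyController(None)                  # another PLC, no password
    replay_unprotected = plc_c.receive(captured)

    # Hardened controller: the frame is bound to a nonce that is consumed on use.
    plc_d = NonceController("plant-secret")
    nonce = plc_d.challenge()
    good = build_nonce_frame("plant-secret", nonce, "STOP")
    first = plc_d.receive(good)
    plc_d.state = "RUN"
    replay_hardened = plc_d.receive(good)           # nonce already consumed

    return {
        "legacy_replay_same_plc": replay_same,
        "legacy_replay_shared_password": replay_shared,
        "legacy_replay_unprotected": replay_unprotected,
        "hardened_first_use": first,
        "hardened_replay": replay_hardened,
        "hardened_state_after_replay": plc_d.state,
    }


if __name__ == "__main__":
    for name, value in replay_demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is not the specific MAC construction but what the frame is bound to: in the legacy model the controller verifies only that the password field is correct, so correctness survives copying; in the nonce model the controller verifies that the client knew the password at the time of this particular challenge, and the challenge is discarded after one use.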
Siemens provided a temporary workaround for a second, denial-of-service vulnerability, also discovered by NSS Labs researcher Dillon Beresford, that caused the S7 PLC’s CPU to stop when traffic to the device – say, from a routine network scan – overloaded its communications interface. Siemens said such a shutdown would be the equivalent of a sudden power loss affecting the device. To mitigate that threat, the company recommended disabling the CPU’s Web server until it can issue another firmware update that "improves" the behavior.
The vulnerabilities in the Siemens products – which were also a target of the attackers responsible for the Stuxnet worm – were disclosed to the company and ICS-CERT by Beresford in May. According to the ICS-CERT Alert, successful exploitation of the vulnerabilities could result in the loss of process control and could possibly cause damage to critical industrial control systems.
Beresford was originally scheduled to present information on the vulnerabilities at the TakedownCon in Dallas, but cancelled that talk because of concerns raised by Siemens and the U.S. Department of Homeland Security (DHS). He is now scheduled to present information on the Siemens vulnerability at the annual Black Hat Briefings conference in Las Vegas in August.
Beresford and Siemens engaged in a war of words after he disclosed the vulnerabilities, with Siemens suggesting that Beresford’s method of testing didn’t correlate with real-world attack scenarios. The company kept up that line on Monday in its security advisory (PDF), saying that the holes were discovered “under laboratory conditions and without any IT security measures in place.” The company notes that the remote attacks would need to come from an attacker with "access to the automation network," though previously documented attacks on industrial control systems – including Stuxnet – frequently share that characteristic.
In a message posted on an online discussion forum frequented by industrial control specialists, Beresford said that the flaws he discovered are not difficult for a typical hacker to exploit, and that he was able to compromise vulnerable S7 PLCs using Metasploit, a free penetration testing tool.
ICS security expert Ralph Langner has also called on Siemens to address unpatched vulnerabilities in its industrial control system hardware and software. Writing last week, Langner said that many of the critical vulnerabilities used by the Stuxnet worm remain unaddressed and could be targeted by subsequent attackers.