German industrial control system manufacturer Siemens announced Monday that it had patched holes in some of its products that appear to resemble holes used by the famous Stuxnet worm in 2010. If left unpatched, vulnerabilities in the company’s Simatic STEP 7 and Simatic PCS 7 software could have allowed the loading of malicious Microsoft Dynamic-link Library files. This in turn could lead to an attack against systems that use STEP 7, a la Stuxnet.
“An attacker can place arbitrary library files into STEP 7 project folders that will be loaded on STEP 7 startup without validation,” reads one part of an advisory issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The new patch updates a mechanism that will reject DLLs in the STEP 7 project folder, in turn “preventing unintended execution of unchecked code.”
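The advisory describes two things: a loader that picked up any DLL sitting in a project folder, and a fix that refuses such files. The example below is added here and is not Siemens code or a description of how STEP 7 actually implements the fix; it models the same defensive idea in a generic loader: search only the trusted install directory, refuse any request that resolves into a project folder, and check the file against a known-good hash before it is handed to the caller. It also includes a scan that lists DLLs found inside project folders, which is the kind of check an operator can run on existing project trees. All directory names, the library name `s7io.dll` and the file contents are constructed for the demonstration.

```python
"""Added example (not Siemens code): a loader that refuses DLLs from project
folders and an inventory scan for DLLs that should not be there."""
import hashlib
import tempfile
from pathlib import Path


class UntrustedLibraryError(Exception):
    """Raised when a library request would load code from an untrusted place."""


def is_inside(path: Path, root: Path) -> bool:
    """True if `path` lies under `root` once symlinks and '..' are resolved."""
    try:
        path.resolve().relative_to(root.resolve())
    except ValueError:
        return False
    return True


def resolve_library(name, install_dir, project_dirs, allowlist):
    """Decide where (and whether) a requested library may be loaded from.

    Only the trusted install directory is searched; a candidate that resolves
    into any project folder is refused; the file must match its known-good
    SHA-256 before the path is returned to the caller.
    """
    candidate = Path(install_dir) / name
    if not is_inside(candidate, Path(install_dir)):
        raise UntrustedLibraryError(f"{name!r} escapes the install directory")
    for pdir in project_dirs:
        if is_inside(candidate, Path(pdir)):
            raise UntrustedLibraryError(f"{name!r} resolves into project folder {pdir}")
    if not candidate.is_file():
        raise UntrustedLibraryError(f"{name!r} not present in install directory")
    digest = hashlib.sha256(candidate.read_bytes()).hexdigest()
    if allowlist.get(candidate.name) != digest:
        raise UntrustedLibraryError(f"{name!r} does not match its known-good hash")
    return candidate


def scan_project_dirs(project_dirs):
    """List DLLs sitting inside project folders. Project data should carry no
    executable libraries, so every hit is something an operator should examine."""
    hits = []
    for pdir in project_dirs:
        hits.extend(sorted(p for p in Path(pdir).rglob("*") if p.suffix.lower() == ".dll"))
    return hits


def build_demo():
    """Constructed layout: a trusted install dir holding one genuine library,
    and a project folder into which a stray DLL of the same name was dropped."""
    root = Path(tempfile.mkdtemp())
    install_dir = root / "install"
    project_dir = root / "projects" / "plant_a"
    install_dir.mkdir()
    project_dir.mkdir(parents=True)
    genuine = install_dir / "s7io.dll"
    genuine.write_bytes(b"constructed stand-in for a genuine library")
    (project_dir / "s7io.dll").write_bytes(b"constructed stand-in for a planted library")
    allowlist = {"s7io.dll": hashlib.sha256(genuine.read_bytes()).hexdigest()}
    return install_dir, [project_dir], allowlist


def demo():
    """Run the loader against the constructed layout and report each outcome."""
    install_dir, project_dirs, allowlist = build_demo()
    results = {}
    results["genuine"] = resolve_library("s7io.dll", install_dir, project_dirs, allowlist).name
    # A traversal-style name that points at the planted copy, and a name not in the allowlist.
    for label, name in [("traversal", "../projects/plant_a/s7io.dll"), ("unknown", "plugin.dll")]:
        try:
            resolve_library(name, install_dir, project_dirs, allowlist)
            results[label] = "loaded"
        except UntrustedLibraryError:
            results[label] = "refused"
    # Tamper with the genuine file in place: the hash check must now refuse it.
    (install_dir / "s7io.dll").write_bytes(b"constructed stand-in for a modified library")
    try:
        resolve_library("s7io.dll", install_dir, project_dirs, allowlist)
        results["tampered"] = "loaded"
    except UntrustedLibraryError:
        results["tampered"] = "refused"
    results["planted_dll_count"] = len(scan_project_dirs(project_dirs))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The path check and the hash check guard different failure modes: the first stops a library from being picked up out of a data directory at all, the second catches a trusted-location file that has been replaced. A deployment would populate the allowlist from the vendor's signed release rather than from the files on disk, as the demo does for its constructed sample.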
Another flaw, an insecure SQL server authentication vulnerability in the company’s Simatic WinCC and Simatic PCS 7 software, was patched yesterday as well. The vulnerability would have given an attacker the ability to gain access to a target system by using default credentials.
According to the ICS-CERT advisories, the steps taken by Siemens are similar to the steps the company took in 2010, the same year the controversial Stuxnet worm started appearing in industrial control systems throughout Iran. At the time, the worm targeted supervisory control and data acquisition (SCADA) systems by destabilizing the same STEP 7 software.
ICS expert Ralph Langner claimed last year that many holes used by Stuxnet remained unpatched; it is unclear, however, whether these are the same holes.