Global industrial supplier Siemens has patched two critical vulnerabilities that it believes are likely being exploited.
Organizations running products using the Siemens WinCC application are urged to apply available patches immediately; the company said it is working on updates for any remaining affected products.
An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identified the affected products:
- SIMATIC WinCC: V7.0 SP2 and earlier: All versions; V7.0 SP3 and earlier: All versions; V7.2: All versions prior to V7.2 Update 9; and V7.3: All versions prior to V7.3 Update 2.
- SIMATIC PCS7: V7.1 SP4 and earlier: All versions; V8.0: All versions prior to V8.0 SP2 with WinCC V7.2 Update 9; and V8.1: All versions with WinCC V7.3 prior to V8.1 Update 2.
- TIA Portal V13 (including WinCC Professional Runtime): All versions prior to V13 Update 6.
The WinCC application is a SCADA program used for process visualization in a number of industries and is considered the industry standard, according to Siemens. Within the SIMATIC product line, for example, it is integrated into the HMI, or Human Machine Interface, component. TIA Portal, meanwhile, is engineering software used in the SIMATIC product line.
ICS-CERT warns that the vulnerabilities are remotely exploitable, and that exploits have likely been used in a recent, unidentified attack campaign. Siemens WinCC is fairly ubiquitous, deployed in critical infrastructure such as energy, chemical, food and agriculture, and wastewater systems, primarily in the United States and Europe.
“A component within WinCC could allow remote code execution for unauthenticated users if specially crafted packets are sent to the WinCC server,” ICS-CERT said of the vulnerabilities, which have been assigned CVE-2014-8551 and given the highest criticality rating of 10.
Successful exploits of these vulnerabilities allow for remote code execution and for the attacker to steal files from a server running WinCC, ICS-CERT said.
“An attacker with a low skill would be able to exploit these vulnerabilities,” the advisory said; links to the respective patches are available in the advisory as well.