Siemens has made an update available for some of its SIMATIC PCS 7 distributed control systems that are impacted by a remotely exploitable input validation vulnerability.
Siemens said version 8.2 and V8.1 prior to 8.1 SP1 with WinCC v7.3 Update 13 are affected.
“Successful exploitation of this vulnerability could allow a remote authenticated attacker to crash services on the devices,” according to an advisory published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Managers should update V8.1 to V8.1 SP1 with WinCC V7.3 Upd 13. The remaining affected versions are still unpatched, but Siemens said it is working on fixes. In the meantime, the ICS giant recommends applying cell protection and using a VPN for network communication between cells.
Kaspersky Lab researchers Sergey Temnikov and Vladimir Dashchenko privately disclosed the vulnerability to Siemens. The bug, CVE-2017-14023, is described as improper input validation.
“The improper input validation vulnerability has been identified, which may allow an authenticated remote attacker who is a member of the administrators group to crash services by sending specially crafted messages to the DCOM interface,” ICS-CERT said in its advisory.
Siemens describes SIMATIC PCS 7 as a control system for automated production processes. It can be found in critical industries worldwide, including chemical, energy, food and water.
Advantech WebAccess Patched
ICS-CERT also published an advisory yesterday about two other remotely exploitable flaws in Advantech WebAccess, a browser-based HMI and SCADA system.
Advantech said versions prior to V8.2_20170817 are affected, and attackers with a relatively low skill level could obtain remote code execution. A new version of Advantech WebAccess is available that addresses the flaw.
The flaws were privately disclosed to Advantech by the Zero Day Initiative.
The more severe of the bugs is an untrusted pointer dereference, CVE-2017,12719, that allows a remote attacker to execute code that causes the application to become unresponsive, ICS-CERT said.
The other flaw is a stack-based buffer overflow, CVE-2017-14016.
“The application lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer, which could allow an attacker to execute arbitrary code under the context of the process,” ICS-CERT said