Siemens, a leading producer of systems for power generation and transmission as well as medical diagnosis, has patched three vulnerabilities affecting a variety of SIMATIC HMI devices.
The multinational technology company was first alerted to the vulnerabilities, among them two Schneider kits and a number of remote and local exploits, by the Quarkslab team and Ilya Karpov of Positive Technologies.
Some of the affected devices include HMI Basic Panels 2nd Generation, WinCC Runtime Advanced, and WinCC Runtime Professional.
“An attacker exploiting these vulnerabilities could conduct man-in-the-middle attacks, denial‑of‑service attacks, and possibly authenticate themselves as valid users,” reports the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in an updated advisory.
The first vulnerability (CVE-2015-1601) could enable an attacker with access to the network path between the PLCs and their communication partners to intercept Siemens communications at Port 102/TCP and execute a man-in-the-middle (MitM) attack. This vulnerability has received a CVSS rating of 5.8.
Attackers who are able to successfully conduct a MitM attack and who can gain access to the network path between an HMI panel and the MitM PLC can subsequently exploit a resource exhaustion vulnerability (CVE-2015-2822), rated 7.1 on the CVSS scale, and execute a denial-of-service (DoS) attack by sending specially crafted packets to Port 102/TCP of the HMI panel.
The third and final vulnerability is an authentication vulnerability that affects SIMATIC WinCC and SIMATIC PCS 7.
“If attackers obtain password hashes for SIMATIC WinCC users, they could possibly use the hashes to authenticate themselves,” the ICS-CERT advisory warns.
The impact of each of these vulnerabilities varies based upon an affected organization’s operational environment, architecture, product implementation, and a number of other factors. Links to updates for all the reported vulnerable SIMATIC products are available here.
For more information on industrial control systems (ICS) security, please click here.