A Siemens SIMATIC conundrum: authentication bypass bungling

Published: 2011-12-22
Last Updated: 2011-12-22 19:22:11 UTC
by Russ McRee (Version: 1)
5 comment(s)

In yet another case of vendors gone wild @XSSniper (Billy Rios) dropped an interesting post yesterday well worthy of ISC Diary reader scrutiny. Slashdot and Twitter are buzzing and Johannes' ISC StormCast for today discusses the issue as well.

In case you missed it, in May 2011 Billy responsibly reported an authentication bypass flaw for Siemens SIMATIC systems. Long story short (read the article for yourself), said flaw could lead to gaining "remote access to a SIMATIC HMI which runs various control systems and critical infrastructure around the world." Yet, according to Siemens there are "no open issues regarding authentication bypass bugs."

Hmm...forgive me in advance for shamelessly repeating Billy's use of the classic yet irresistible pop culture reference, but this does indeed appear to be a case of "these aren't the vulns you're looking for."

On December 9th, ICS-CERT issued an alert warning control system owners and operators of control system Internet accessibility discovery via SHODAN to locate Internet facing control systems. One need only execute the Shodan query mentioned in Billy's post to grasp the issue.

Control system owners might consider, as LostCluster commented on Slashdot, "losing the remote." Web access to control systems? As Forrest said, "I'm not a smart man," but if I've done my math correctly at least four of the SANS 20 Critical Security Controls should give pause regarding remote (web) access to control systems. Or is it five? :-)

For Siemens and other vendors, please remember that coordinated disclosure is a two-way process. Researcher finds bug, researcher reports bug, vendor acknowledges report, vendor takes some time to fix bug (yes, sometimes a long time), vendor releases fix, everyone is happy. Yet, as it seems in this case, recalling another pithy and apropos modern analogy, it appears that "what we've got here is a failure to communicate."

All humor and witty repartee aside, the implications are simple. Life and death potentially hangs in the balance between coordinated disclosure and timely repair of control system vulnerabilities. And you can quote me on that. 

What say you? Comments welcome.

UPDATE 12/22/11

From Siemens:

"Siemens was notified by IT experts (Billy Rios and Terry McCorke) about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort). We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, first is planned to be issued in January 2012. In December 2011 further vulnerabilities have been reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities."

 

 

 

 

 

Keywords:
5 comment(s)

Comments

As a FYI:

For most of the concerned CPUs of the S7 series are operating system updates available from the Siemens support page

(e.g. here for CPU 314: http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&objid=10805161&treeLang=en).

No security solution exists at the moment for the WinCC flexible system :(

Wishing everyone in the security industry a great Christmas and New Year!
actually it's Researcher finds bug, researcher reports bug, vendor routes to /dev/null , profit, everyone (vendor) is happy
Yet another sad example of why responsible disclosure does not work when the people taking the risk are NOT the ones paying the cost.
I see that Siemens folk are in damage control mode-
"http://www.industry.siemens.com/topics/global/en/industrial-security/pages/Default.aspx"
"December 22, 2011

Siemens was notified by IT experts (Billy Rios and Terry McCorke) about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort). We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, first is planned to be issued in January 2012. In December 2011 further vulnerabilities have been reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities."
ICS-CERT ADVISORY
ICSA-11-356-01-SIEMENS SIMATIC HMI AUTHENTICATION VULNERABILITIES

http://www.us-cert.gov/control_systems/pdf/ICSA-11-356-01.pdf

Diary Archives