===========================================================================
AUSCERT Security Bulletin

ASB-2012.0129.2
A vulnerability has been identified in Siemens SIMATIC S7-1200 PLC
27 September 2012

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Siemens SIMATIC S7-1200 PLC
Operating System:     Network Appliance
Impact/Access:        Provide Misleading Information -- Remote with User Interaction
                      Access Confidential Data       -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2012-3011
Member content until: Thursday, October 18 2012

Revision History:     September 27 2012: Added CVE reference
                      September 18 2012: Initial Release

OVERVIEW

A vulnerability has been identified in Siemens SIMATIC S7-1200 PLC
version 2.x. [1]

IMPACT

The vendor has provided the following details regarding this
vulnerability:

"For the convenience of the customer, a Certificate Authority (CA) for
HTTPS connections is installed on the Siemens SIMATIC S7-1200 PLC. The
user has the option to trust this CA which if selected installs the
certificate into the browsers certificate store. Once the user completes
this step, the browser will trust any other S7-1200 V2.x PLC on the
network.

A researcher has demonstrated the ability to obtain the private key of
the S7-1200 CA (SIMATIC CONTROLLER). With this private key, an attacker
is able to create his own certificate. Using this forged certificate, it
is possible to spoof any SSL server certificate and conduct
man-in-the-middle attacks on a users browser that is currently trusting
this CA." [1]

MITIGATION

The vendor has provided the following mitigation to reduce the risk of
this vulnerability:

"Siemens strongly recommends the user uninstall the CA keys from the
browsers certificate store. Once this is performed, warning messages
will occur when attempting to connect to an S7-1200 PLC.

The user can manually confirm the identity of the PLC and its
certificate and accept it via the browser. This has to be done once for
each S7-1200 PLC on the network." [1]

REFERENCES

[1] SSA-240718: Insecure storage of HTTPS CA certificate in S7-1200 V2.x
    http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-240718.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the
information described is the responsibility of each user or
organisation. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user
or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
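
The mitigation quoted in the bulletin replaces trust in the shared CA with a one-time confirmation per PLC. One way to record and re-check that confirmation outside the browser, as an added example (not AusCERT or Siemens code): pin each PLC's certificate fingerprint and compare it on every connection. The host addresses, function names and sample certificates below are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding of a PEM certificate, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def check_plc(host: str, presented_pem: str, pins: dict) -> str:
    """Classify the certificate a device presents against the pin inventory."""
    expected = pins.get(host)
    if expected is None:
        # Identity never confirmed out of band: must not be accepted silently.
        return "unpinned"
    if hmac.compare_digest(expected, fingerprint(presented_pem)):
        return "match"
    # Differs from the certificate confirmed for this PLC. A certificate issued
    # under the shared CA would still land here, because the pin ignores the issuer.
    return "mismatch"


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate a live device presents (no chain validation)."""
    return ssl.get_server_certificate((host, port))


def audit(observations: dict, pins: dict) -> dict:
    """Map each host to its status; anything other than 'match' needs review."""
    return {host: check_plc(host, pem, pins) for host, pem in observations.items()}


def _constructed_pem(label: bytes) -> str:
    # Constructed stand-in bytes wrapped as PEM; not a real X.509 certificate.
    return ssl.DER_cert_to_PEM_cert(b"constructed-sample-certificate:" + label)


# Constructed sample data (documentation address range 192.0.2.0/24).
PLC_A_CERT = _constructed_pem(b"plc-a")
OTHER_CERT = _constructed_pem(b"different-certificate")
PINS = {"192.0.2.10": fingerprint(PLC_A_CERT)}

if __name__ == "__main__":
    seen = {"192.0.2.10": OTHER_CERT, "192.0.2.11": PLC_A_CERT}
    for host, status in audit(seen, PINS).items():
        print(host, status)
```

Against a live device, pass the output of `fetch_pem(host)` as `presented_pem`; the pin itself should be recorded over a trusted path, for example a direct connection during commissioning.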