Hash: SHA1

                         AUSCERT Security Bulletin

           SSA-714398: Vulnerabilities in WinCC 7.0 SP3 Update 1
                               20 March 2013


        AusCERT Security Bulletin Summary

Product:              Siemens WinCC & SIMATIC PCS7
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows 7
                      Windows XP
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Existing Account            
                      Unauthorised Access             -- Existing Account            
                      Reduced Security                -- Existing Account            
Resolution:           Patch/Upgrade
Member content until: Friday, April 19 2013


        Multiple vulnerabilities have been identified in Siemens SIMATIC WinCC
        version 7.0 SP3 Update 1 and below. SIMATIC PCS 7 Web Server is also 
        affected by these vulnerabilities. [1]


        The vendor has provided the following description regarding these 
        "Vulnerability 1
        WebNavigator passwords stored in the SQL database are only obfuscated.
        CVSS Base Score		2.7
        CVSS Temporal Score	2.1
        CVSS Overall Score	2.1 
        Vulnerability 2
        Users with legitimate, non-privileged access to WinCCs MS SQL database
        can retrieve
        obfuscated user passwords for WebNavigator. For doing this, access to 
        the system is needed either locally or from the adjacent network and
        the users account must have adequate permissions.
        CVSS Base Score		2.7
        CVSS Temporal Score	2.1
        CVSS Overall Score	2.1 
        Vulnerability 3
        Authenticated users may manipulate the URL in the web browser to
        access the file system of the web server. With this vulnerability they
        may read all the files that are readable in the web server context.
        CVSS Base Score		4.0
        CVSS Temporal Score	3.1
        CVSS Overall Score	3.1 
        Vulnerability 4
        An ActiveX control RegReader which is installed in the users web 
        browser is susceptible to a buffer overflow. An attacker might trick a
        victim into visiting a malicious web site which calls this ActiveX 
        control, triggers the overflow and take over the victims PC.
        CVSS Base Score		6.8
        CVSS Temporal Score	5.3
        CVSS Overall Score	5.3 
        Vulnerability 5
        By opening a manipulated project file, sensitive data can be 
        transmitted over the network or a DoS condition can be provoked.
        CVSS Base Score		5.8
        CVSS Temporal Score	4.5
        CVSS Overall Score	4.5 
        Vulnerability 6
        By sending a specially crafted packet to a dynamically assigned port,
        an attacker can generate a DoS condition against WinCC.
        CVSS Base Score		6.1
        CVSS Temporal Score	5.0
        CVSS Overall Score	5.0
        (AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C)" [1]


        The vendor recommends updating to WinCC 7.2. [1]


        [1] SSA-714398: Vulnerabilities in WinCC 7.0 SP3 Update 1

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967