-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0044
           SSA-212483: Vulnerabilities in WinCC (TIA Portal) V11
                               20 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Siemens WinCC (TIA Portal)
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows 7
                      Windows XP
Impact/Access:        Modify Arbitrary Files   -- Existing Account
                      Cross-site Scripting     -- Remote with User Interaction
                      Denial of Service        -- Remote with User Interaction
                      Access Confidential Data -- Remote with User Interaction
                      Unauthorised Access      -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Friday, April 19 2013

OVERVIEW

        Multiple vulnerabilities have been identified in Siemens SIMATIC WinCC 
        TIA Portal version 11. [1]


IMPACT

        The vendor has provided the following description regarding these 
        vulnerabilities:
        
        "Vulnerability 1 (CVE-2011-4515)
        
        User credentials for the HMI's web application are stored within
        the HMI's system. This data is obfuscated in a reversible way and is
        readable and writable for users with physical access or Sm@rt Server
        access to the system.
        
        CVSS Base Score		4.6
        CVSS Temporal Score	3.6
        CVSS Overall Score	3.6
        (AV:L/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
        
        Vulnerability 2
        
        By manipulating HTTP requests an authenticated attacker may crash the
        HMI's web application. The web application will become unavailable
        until the device is restarted.
        
        CVSS Base Score		4.0
        CVSS Temporal Score	3.1
        CVSS Overall Score	3.1
        (AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C)
        
        Vulnerability 3
        
        The HMI's web application is susceptible to stored 
        Cross-Site-Scripting attacks. An authenticated user may store data on
        the web application which will execute malicious JavaScript when the
        affected page is accessed by other users.
        
        CVSS Base Score		4.0
        CVSS Temporal Score	3.1
        CVSS Overall Score	3.1
        (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C)
        
        Vulnerability 4
        
        By manipulating the URL an authenticated attacker may have access to 
        source code of the panel's server-side web application files, which
        may include user defined scripts.
        
        CVSS Base Score		4.0
        CVSS Temporal Score	3.1
        CVSS Overall Score	3.1
        (AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C)
        
        Vulnerability 5
        
        If a user clicks on a malicious link which seems to lead to an HMI web
        application, it is possible to display any data to the user (HTTP
        response splitting).
        
        CVSS Base Score		4.3
        CVSS Temporal Score	3.4
        CVSS Overall Score	3.4
        (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C)
        
        Vulnerability 6
        
        If a user clicks on a malicious link which seems to lead to an HMI web
        application, it is possible to display any data to the user
        (server-side script injection).
        
        CVSS Base Score		4.3
        CVSS Temporal Score	3.4
        CVSS Overall Score	3.4
        (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C)
        
        Vulnerability 7
        
        The HMI's web application is susceptible to reflected 
        Cross-Site-Scripting attacks. If a legitimate user clicks on a 
        malicious link, JavaScript code may get executed and session 
        information may be stolen.
        
        CVSS Base Score		4.3
        CVSS Temporal Score	3.4
        CVSS Overall Score	3.4
        (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C)" [1]


MITIGATION

        The vendor recommends updating to WinCC (TIA Portal) V12. [1]
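        The upgrade is the vendor's fix. For teams reviewing their own
        web-facing HMI or SCADA code for the same weakness classes, the
        following added example (not code from the bulletin or from
        Siemens; all names are hypothetical) shows the defensive
        counterpart to three of them: one-way salted hashing instead of
        the reversible obfuscation of Vulnerability 1, refusal of control
        characters in header values against the response splitting of
        Vulnerability 5, and output encoding at the HTML boundary against
        the stored and reflected XSS of Vulnerabilities 3 and 7.

```python
"""Defensive counterparts to weakness classes named in SSA-212483.
Added example, not the HMI product's own code; function names are
hypothetical. Standard library only."""
import hashlib
import hmac
import html
import os
import re

# --- Vulnerability 1: credentials stored with reversible obfuscation ---------
# A salted, iterated, one-way hash (PBKDF2-HMAC-SHA256) means that reading
# the stored record no longer yields the password.
PBKDF2_ITERATIONS = 200_000  # assumption: tune to the device's CPU budget


def store_credential(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_credential(password: str, record: str) -> bool:
    """Recompute and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- Vulnerability 5: HTTP response splitting ---------------------------------
_HEADER_CTL = re.compile(r"[\r\n\x00]")


def header_value_is_clean(value: str) -> bool:
    """True unless the value contains CR, LF or NUL, the characters that
    would let request-derived data terminate a header line."""
    return _HEADER_CTL.search(value) is None


def build_response(status: str, headers, body: str) -> str:
    """Serialize a response; every header value is validated first, so a
    tainted Location or Set-Cookie value raises instead of being emitted."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        if not header_value_is_clean(value):
            raise ValueError(f"control character in header {name!r}")
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines + ["", body])


# --- Vulnerabilities 3 and 7: stored and reflected XSS ------------------------
def render_comment(author: str, text: str) -> str:
    """Encode at the output boundary. The stored text stays verbatim in the
    database; escaping happens wherever it is placed into HTML, which covers
    both the stored and the reflected case."""
    return ('<div class="comment"><b>%s</b>: %s</div>'
            % (html.escape(author, quote=True), html.escape(text, quote=True)))


if __name__ == "__main__":
    rec = store_credential("operator-password")          # constructed input
    print(rec.split("$")[0], verify_credential("operator-password", rec))
    print(header_value_is_clean("/index.html"),
          header_value_is_clean("/index.html\r\nX-Injected: 1"))
    print(render_comment("op", "<script>alert(1)</script>"))
```

        The credential record carries its own parameters so the iteration
        count can be raised later without a forced reset; the header check
        is applied at serialization time rather than per call site so a
        missed validation in one handler cannot reintroduce the problem.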


REFERENCES

        [1] SSA-212483: Vulnerabilities in WinCC (TIA Portal) V11
            http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----