===========================================================================
AUSCERT Security Bulletin

ASB-2013.0044
SSA-212483: Vulnerabilities in WinCC (TIA Portal) V11
20 March 2013

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Siemens WinCC (TIA Portal)
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows 7
                      Windows XP
Impact/Access:        Modify Arbitrary Files   -- Existing Account
                      Cross-site Scripting     -- Remote with User Interaction
                      Denial of Service        -- Remote with User Interaction
                      Access Confidential Data -- Remote with User Interaction
                      Unauthorised Access      -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Friday, April 19 2013

OVERVIEW

Multiple vulnerabilities have been identified in Siemens SIMATIC WinCC
TIA Portal version 11. [1]

IMPACT

The vendor has provided the following description regarding these
vulnerabilities:

"Vulnerability 1 (CVE-2011-4515)
User credentials for the HMI's web application are stored within the
HMI's system. This data is obfuscated in a reversible way and is
readable and writable for users with physical access or Sm@rt Server
access to the system.
CVSS Base Score 4.6
CVSS Temporal Score 3.6
CVSS Overall Score 3.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Vulnerability 2
By manipulating HTTP requests an authenticated attacker may crash the
HMI's web application. The web application will become unavailable
until the device is restarted.
CVSS Base Score 4.0
CVSS Temporal Score 3.1
CVSS Overall Score 3.1
(AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C)

Vulnerability 3
The HMI's web application is susceptible to stored Cross-Site-Scripting
attacks. An authenticated user may store data on the web application
which will execute malicious JavaScript when the affected page is
accessed by other users.
CVSS Base Score 4.0
CVSS Temporal Score 3.1
CVSS Overall Score 3.1
(AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C)

Vulnerability 4
By manipulating the URL an authenticated attacker may have access to
source code of the panel's server-side web application files, which
may include user defined scripts.
CVSS Base Score 4.0
CVSS Temporal Score 3.1
CVSS Overall Score 3.1
(AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C)

Vulnerability 5
If a user clicks on a malicious link which seems to lead to a HMI web
application, it is possible to display any data to the user (HTTP
response splitting).
CVSS Base Score 4.3
CVSS Temporal Score 3.4
CVSS Overall Score 3.4
(AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C)

Vulnerability 6
If a user clicks on a malicious link which seems to lead to a HMI web
application, it is possible to display any data to the user
(server-side script injection).
CVSS Base Score 4.3
CVSS Temporal Score 3.4
CVSS Overall Score 3.4
(AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C)

Vulnerability 7
The HMI's web application is susceptible to reflected
Cross-Site-Scripting attacks. If a legitimate user clicks on a
malicious link, JavaScript code may get executed and session
information may be stolen.
CVSS Base Score 4.3
CVSS Temporal Score 3.4
CVSS Overall Score 3.4
(AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C)" [1]

MITIGATION

The vendor recommends updating to WinCC (TIA Portal) V12. [1]

REFERENCES

[1] SSA-212483: Vulnerabilities in WinCC (TIA Portal) V11
    http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the
information described is the responsibility of each user or
organisation. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user
or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================