
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0074
                  SSA-345843: Vulnerabilities in WinCC 7.2
                               17 June 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Siemens WinCC
                      Siemens SIMATIC PCS7
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows 7
                      Windows XP
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Existing Account      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-3959 CVE-2013-3958 CVE-2013-3957
Member content until: Wednesday, July 17 2013

OVERVIEW

        Multiple vulnerabilities have been identified in Siemens SIMATIC WinCC
        version 7.2 and below. SIMATIC PCS 7 Web Server versions 8.0 SP1 and 
        earlier are also affected by these vulnerabilities. [1]


IMPACT

        The vendor has provided the following description regarding these 
        vulnerabilities:
        
        "Vulnerability 1 (CVE-2013-3957)
        
        Attackers might overcome the input filtering of the WinCC Web 
        Navigator login screen and inject SQL statements into queries. By 
        manipulating the database, the attacker can elevate his rights and,
        depending on the system configuration, might be able to gain full 
        system access.
        
        CVSS Base Score 7.5 
        CVSS Temporal Score 5.9 
        CVSS Overall Score 5.9 
        (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
        
        Vulnerability 2 (CVE-2013-3958)
        
        Hard coded credentials are used in the Web Navigator login 
        mechanism. Attackers with network access and knowledge of the 
        credentials could log into the Web Navigator web applications as 
        an authenticated user.
        
        CVSS Base Score 7.5 
        CVSS Temporal Score 5.9 
        CVSS Overall Score 5.9 
        (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
        
        Vulnerability 3 (CVE-2013-3959)
        
        A user with authenticated access to the Web Navigator web application 
        can probe for valid NetBIOS user names by manipulating URL parameters.
        
        CVSS Base Score 4.0
        CVSS Temporal Score 3.1
        CVSS Overall Score 3.1 
        (AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C)" [1]


MITIGATION

        The vendor recommends updating to WinCC 7.2 Update 1. [1]


REFERENCES

        [1] SSA-345843: Vulnerabilities in WinCC 7.2
            http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345843.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================