-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0034
            Siemens FactoryLink Multiple ActiveX Vulnerabilities
                               9 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens FactoryLink
Publisher:         US-CERT
Operating System:  Windows 2000
                   Windows XP
                   Windows Server 2003
                   Windows Vista
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Create Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4056 CVE-2011-4055

Original Bulletin:
   http://www.us-cert.gov/control_systems/pdf/ICSA-11-343-01.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT Advisory ICSA-11-343-01

ICS-CERT ADVISORY
ICSA-11-343-01 SIEMENS FACTORYLINK MULTIPLE ACTIVEX VULNERABILITIES
January 04, 2012

OVERVIEW

ICS-CERT originally released Advisory ICSA-11-343-01P on the US-CERT secure
portal on December 09, 2011. This web page release was delayed to allow users
time to download and install the update.

Researcher Kuang-Chun Hung of Taiwan's Information and Communication Security
Technology Center (ICST) has identified two vulnerabilities affecting ActiveX
components in the Siemens Tecnomatix FactoryLink application. The report
included buffer overflow and data corruption vulnerabilities. [a]

ICS-CERT has coordinated with Siemens; Siemens has released a patch that
addresses the identified vulnerabilities. ICS-CERT has confirmed that the
Siemens patch resolves the reported vulnerabilities.

AFFECTED PRODUCTS

The following Siemens Tecnomatix FactoryLink versions are affected:

* V8.0.2.54
* V7.5.217 (V7.5 SP2)
* V6.6.1 (V6.6 SP1).
IMPACT

Successful exploitation of the reported vulnerabilities could allow an
attacker to perform malicious activities including denial of service and
arbitrary code execution.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment, architecture,
and product implementation.

BACKGROUND

Siemens Tecnomatix FactoryLink software is used for monitoring and controlling
industrial processes. FactoryLink is used to build applications such as
human-machine interface systems. FactoryLink is implemented across a variety
of industrial processes including oil and gas, chemicals, food and beverage,
and building automation. Siemens has announced that FactoryLink is now
considered a mature product and will not offer FactoryLink after December
2012. [b]

VULNERABILITY CHARACTERIZATION

BUFFER OVERFLOW VULNERABILITY OVERVIEW

This vulnerability is exploited by inputting a long string to a specific
parameter, causing a buffer overflow that could allow the execution of
arbitrary code.

CVE-2011-4055 has been assigned to this vulnerability. [c] Siemens' assessment
of the vulnerability using the CVSS Version 2.0 calculator rates an Overall
CVSS Score of 7.7. [d]

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability is remotely exploitable. Social engineering is required to
convince the user to go to a manipulated website. This decreases the
likelihood of a successful exploit.

EXISTENCE OF EXPLOIT

No publicly known exploits specifically target this vulnerability.

DIFFICULTY

An attacker with moderate skill level could exploit this vulnerability. Social
engineering is required to convince the user to go to a manipulated website.
This decreases the likelihood of a successful exploit.
DATA CORRUPTION VULNERABILITY OVERVIEW

This vulnerability is exploited by inputting arbitrary data, causing a file
save to any specified location on the target system.

CVE-2011-4056 has been assigned to this vulnerability. [e] Siemens' assessment
of the vulnerability using the CVSS Version 2.0 calculator rates an Overall
CVSS Score of 7.7. [d]

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability is remotely exploitable. Social engineering may be required
to execute a remote exploit via a manipulated file or web page.

EXISTENCE OF EXPLOIT

No publicly known exploits specifically target this vulnerability.

DIFFICULTY

An attacker with moderate skill level could exploit the vulnerabilities.

MITIGATION

Siemens has released a patch to its customers to address these
vulnerabilities. Customers of vulnerable versions of Siemens Tecnomatix
FactoryLink should deploy the Siemens patch available at:

   http://www.usdata.com/sea/factorylink/en/p_nav5.asp

For more information, please see the Siemens Security Advisory announcement
available at:

   http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/Siemens_Security_Advisory_SSA-850510.pdf

In addition to the patch released by Siemens, Microsoft has released a kill
bit to address the ActiveX vulnerabilities. Customers of vulnerable versions
of Siemens Tecnomatix FactoryLink should install the Microsoft update
referenced in Microsoft Security Advisory 2562937:

   http://technet.microsoft.com/en-us/security/advisory/2562937

ICS-CERT encourages asset owners to take the following additional defensive
measures to protect against this and other cybersecurity risks.

* Minimize network exposure for all control system devices. Critical devices
  should not directly face the Internet.
* Locate control system networks and remote devices behind firewalls, and
  isolate them from the business network.
* When remote access is required, use secure methods, such as Virtual Private
  Networks (VPNs), recognizing that VPN is only as secure as the connected
  devices.

The Control Systems Security Program (CSSP) also provides a section for
control system security recommended practices on the CSSP web page. Several
recommended practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies. [f]

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to
protect themselves from social engineering attacks:

1. Do not click web links or open unsolicited attachments in e-mail messages.
2. Refer to Recognizing and Avoiding Email Scams for more information on
   avoiding e-mail scams. [g]
3. Refer to Avoiding Social Engineering and Phishing Attacks for more
   information on social engineering attacks. [h]

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:

E-mail:    ics-cert@dhs.gov
Toll Free: 1-877-776-7585

For CSSP Information and Incident Reporting: www.ics-cert.org

a. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4055;
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4056, NIST uses
   this advisory to create the CVE website report. This website will be
   active sometime after publication of this advisory.
b. Important Information for Siemens FactoryLink Customers. (July 2007)
   Retrieved November 21, 2011, from FactoryLink Supervisory Control and Data
   Acquisition: Siemens PLM Software:
   http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml,
   website last accessed January 04, 2012.
c. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4055, NIST uses
   this advisory to create the CVE website report. This website will be
   active sometime after publication of this advisory.
d. http://nvd.nist.gov/cvss.cfm, website last accessed January 04, 2012.
e. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4056, NIST uses
   this advisory to create the CVE website report. This website will be
   active sometime after publication of this advisory.
f. CSSP Recommended Practices,
   http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
   website last accessed January 04, 2012.
g. Recognizing and Avoiding Email Scams,
   http://www.us-cert.gov/reading_room/emailscams_0905.pdf, website last
   accessed January 04, 2012.
h. National Cyber Alert System Cyber Security Tip ST04-014,
   http://www.us-cert.gov/cas/tips/ST04-014.html, website last accessed
   January 04, 2012.

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and
operators concerning ongoing cyber events or activity with the potential to
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for
vulnerability discovery is always provided to the vulnerability reporter
unless the reporter notifies ICS-CERT that they wish to remain anonymous.
ICS-CERT encourages researchers to coordinate vulnerability details before
public release. The public release of vulnerability details prior to the
development of proper mitigations may put industrial control systems and the
public at avoidable risk.
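The MITIGATION section above relies on two controls: the Siemens patch and the Microsoft kill bit. A kill bit is a per-control registry setting that stops Internet Explorer from instantiating an ActiveX control, so the practical check after deploying the Microsoft update is to confirm the bit is actually set on each workstation. The script below is an added example written for this bulletin; it is not code from ICS-CERT, Siemens or Microsoft. It assumes the documented kill-bit location (the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with bit 0x400 meaning "killed"). The advisory does not list the affected CLSIDs, so the CLSIDs in the script are placeholders to be replaced with the values from Siemens advisory SSA-850510 or Microsoft advisory 2562937.

```powershell
# Added example: report kill-bit status for a list of ActiveX CLSIDs.
# Not part of the advisory; CLSIDs below are PLACEHOLDERS.
# Written for PowerShell 2.0 so it runs on the Windows versions named above.

$KillBitFlag = 0x400   # bit that disables instantiation of the control in IE

# Primary location, plus the 32-bit view on 64-bit Windows (assumed layout for
# 32-bit controls registered under Wow6432Node).
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param(
        [Parameter(Mandatory=$true)][string[]]$Clsid
    )
    foreach ($id in $Clsid) {
        foreach ($base in $BasePaths) {
            $keyPath = Join-Path $base $id
            $exists  = Test-Path $keyPath
            $flags   = $null
            if ($exists) {
                # -ErrorAction SilentlyContinue: key may exist without the value
                $item = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
                            -ErrorAction SilentlyContinue
                if ($item -ne $null) { $flags = $item.'Compatibility Flags' }
            }
            $killed = ($flags -ne $null) -and (($flags -band $KillBitFlag) -ne 0)
            New-Object -TypeName PSObject -Property @{
                Clsid     = $id
                Hive      = $base
                KeyExists = $exists
                Flags     = if ($flags -ne $null) { '0x{0:X8}' -f $flags } else { '' }
                KillBit   = $killed
            }
        }
    }
}

# Constructed placeholder CLSIDs; replace with the affected FactoryLink controls.
$AffectedClsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

Get-KillBitStatus -Clsid $AffectedClsids |
    Select-Object Clsid, Hive, KeyExists, Flags, KillBit |
    Format-Table -AutoSize
```

A row with KillBit set to False for a CLSID that should be blocked means the Microsoft update has not taken effect on that host. Note that the kill bit only prevents the control from being loaded by Internet Explorer and other hosts that honour it; the Siemens patch is still required to remove the underlying buffer overflow and file-write defects.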
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTwqD3u4yVqjM2NGpAQJNJA//cWktjnz8aTqUJixW0zsKjXXjmqcAo5l6
P7vaktuWJHmuHOItZ9ChxB4BqBrv20kJQcXI0ygwisSUr98/JwL5kNmId6LWy8ef
NC0GaP4MyHf3bTC8bEaMV6aLS/WmCbgEFXMMexEX71+xtsMBwRWqlitqfv7NtZz0
mxsn7kgr8eHfUL26Tpr3N4aN+J2+2b3SIgEHh++WWTQR/tf2Ep8zq9iDRAARjulq
RYCOMghNHUaH1dENOgx3QE0Rdq458StMJQZStJ6vmPiDaTduTbmU5vK9M4zM1q9B
kppz7XcMgM+ujbY0TMvwlTIt+GkLRM97AtqLZjgcxpYy6DoBxw+zg1j7pbYhB8IA
n9HFyXg0FlCreMtStmXStK3Rc+vVT0H3755pQP84pt9Z5vfZ8ELOUNZorXkM5CH7
/zMfOLUUsbYk9mkLtg+NL//aiEMI+Ny32vbey3G/sc5tk5ts2Vw1rS31Tnjpo0TT
U7DeKE7EzqvDyXGxYnZzqfOiX5L9k1USg3Di6vuSkgeSwomxlt/FE3i3o9v+oh6A
ouvCITE6rfp8W5Rs8YDVQtOBfP4wJ+r7Quj/LAqxmKRUMYdjCXb1uGhJHaEZc6RR
iXJeYy8Df6u41MNnstOQKsCZekfAbn6WSUl3dRIha/0PcV5pspSoraJI6EHzO/gJ
gPkgoAWzZ0o=
=S6I7
-----END PGP SIGNATURE-----