-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0034
           Siemens FactoryLink Multiple ActiveX Vulnerabilities
                              9 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens FactoryLink
Publisher:         US-CERT
Operating System:  Windows 2000
                   Windows XP
                   Windows Server 2003
                   Windows Vista
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Create Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4056 CVE-2011-4055 

Original Bulletin: 
   http://www.us-cert.gov/control_systems/pdf/ICSA-11-343-01.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT Advisory ICSA-11-343-01

ICS-CERT ADVISORY

ICSA-11-343-01 SIEMENS FACTORYLINK MULTIPLE ACTIVEX VULNERABILITIES

January 04, 2012

OVERVIEW

ICS-CERT originally released Advisory ICSA-11-343-01P on the US-CERT secure
portal on December 09, 2011. This web page release was delayed to allow users
time to download and install the update.

Researcher Kuang-Chun Hung of Taiwan's Information and Communication Security
Technology Center (ICST) has identified two vulnerabilities affecting ActiveX
components in the Siemens Tecnomatix FactoryLink application. The report
included buffer overflow and data corruption vulnerabilities. [a]

ICS-CERT has coordinated with Siemens; Siemens has released a patch that
addresses the identified vulnerabilities. ICS-CERT has confirmed that the
Siemens patch resolves the reported vulnerabilities.

AFFECTED PRODUCTS

The following Siemens Tecnomatix FactoryLink versions are affected:
 V8.0.2.54
 V7.5.217 (V7.5 SP2)
 V6.6.1 (V6.6 SP1).

IMPACT

Successful exploitation of the reported vulnerabilities could allow an
attacker to perform malicious activities including denial of service and
arbitrary code execution.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment, architecture,
and product implementation.

BACKGROUND

Siemens Tecnomatix FactoryLink software is used for monitoring and controlling
industrial processes.

FactoryLink is used to build applications such as human-machine interface
systems.

FactoryLink is implemented across a variety of industrial processes including
oil and gas, chemicals, food and beverage, and building automation.

Siemens has announced that FactoryLink is now considered a mature product and
will not offer FactoryLink after December 2012. [b]

VULNERABILITY CHARACTERIZATION

BUFFER OVERFLOW VULNERABILITY OVERVIEW

This vulnerability is exploited by inputting a long string to a specific
parameter causing a buffer overflow that could allow the execution of
arbitrary code.

CVE-2011-4055 has been assigned to this vulnerability. [c]

Siemens' assessment of the vulnerability using the CVSS Version 2.0 calculator
rates an Overall CVSS Score of 7.7. [d]

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability is remotely exploitable. Social engineering is required to
convince the user to go to a manipulated website. This decreases the
likelihood of a successful exploit.

EXISTENCE OF EXPLOIT

No publicly known exploits specifically target this vulnerability.

DIFFICULTY

An attacker with moderate skill level could exploit this vulnerability. Social
engineering is required to convince the user to go to a manipulated website.
This decreases the likelihood of a successful exploit.

DATA CORRUPTION VULNERABILITY OVERVIEW

This vulnerability is exploited by inputting arbitrary data, causing a file
save to any specified location on the target system.

CVE-2011-4056 has been assigned to this vulnerability. [e]

Siemens' assessment of the vulnerability using the CVSS Version 2.0 calculator
rates an Overall CVSS Score of 7.7. [d]

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability is remotely exploitable. Social engineering may be
required to execute a remote exploit via a manipulated file or web page.

EXISTENCE OF EXPLOIT

No publicly known exploits specifically target this vulnerability.

DIFFICULTY

An attacker with moderate skill level could exploit the vulnerabilities.

MITIGATION

Siemens has released a patch to its customers to address these
vulnerabilities.

Customers of vulnerable versions of Siemens Tecnomatix FactoryLink should
deploy the Siemens patch available at:
  http://www.usdata.com/sea/factorylink/en/p_nav5.asp

For more information, please see Siemens Security Advisory announcement
available at:
  http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/Siemens_Security_Advisory_SSA-850510.pdf.

In addition to the patch released by Siemens, Microsoft has released a kill bit
to address the ActiveX vulnerabilities. Customers of vulnerable versions of
Siemens Tecnomatix FactoryLink should install the Microsoft update referenced
in the Microsoft Security Advisory 2562937:
  http://technet.microsoft.com/en-us/security/advisory/2562937.
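The kill bit mentioned above is a per-control registry flag: Internet Explorer refuses to instantiate a control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under the ActiveX Compatibility key. The following PowerShell script is an added example for verifying that state on a workstation after the Microsoft update has been applied; it is not part of the ICS-CERT advisory or of any Siemens or Microsoft tooling. The CLSID in `$Clsids` is a placeholder, because the advisory does not list the FactoryLink control CLSIDs; substitute the values given in Microsoft Security Advisory 2562937 before use.

```powershell
# Added example (not from the advisory): report whether the ActiveX kill bit
# is set for each CLSID of interest. Read-only; it changes nothing.

# PLACEHOLDER CLSIDs. The advisory does not publish the FactoryLink control
# CLSIDs; take them from Microsoft Security Advisory 2562937 and replace these.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real control
)

# Bit 0x400 of "Compatibility Flags" is the kill bit.
$KillBit = 0x400

# 64-bit Windows keeps a second copy of the key for 32-bit IE under Wow6432Node;
# on 32-bit Windows that path simply does not exist and is reported as absent.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) {
            # No key at all means no kill bit: the control would still load.
            [pscustomobject]@{
                Clsid = $Clsid; Hive = $base; Flags = $null
                KillBitSet = $false; Note = 'key absent'
            }
            continue
        }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        $set = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        [pscustomobject]@{
            Clsid = $Clsid; Hive = $base; Flags = $flags
            KillBitSet = $set; Note = ''
        }
    }
}

# Run against every CLSID in the list and show one row per hive.
$Clsids | ForEach-Object { Test-ActiveXKillBit -Clsid $_ } | Format-Table -AutoSize
```

A row with `KillBitSet` equal to `False` on either hive means the control can still be loaded by that bitness of Internet Explorer, so the Microsoft update has not taken effect there. Remediate by installing the update rather than by editing the registry by hand, so the change is tracked and reversible through normal patch management.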

ICS-CERT encourages asset owners to take the following additional defensive
measures to protect against this and other cybersecurity risks.

	* Minimize network exposure for all control system devices. Critical
	devices should not directly face the Internet.
	
	* Locate control system networks and remote devices behind firewalls,
	and isolate them from the business network.
	
	* When remote access is required, use secure methods, such as Virtual
	Private Networks (VPNs), recognizing that VPN is only as secure as the
	connected devices.

The Control Systems Security Program (CSSP) also provides a section for control
system security recommended practices on the CSSP web page. Several recommended
practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. [f]

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents. ICS-CERT reminds
organizations to perform proper impact analysis and risk assessment prior to
taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to
protect themselves from social engineering attacks:
	
	1. Do not click web links or open unsolicited attachments in e-mail
	messages.
	
	2. Refer to Recognizing and Avoiding Email Scams. [g]
	
	3. Refer to Avoiding Social Engineering and Phishing Attacks for more
	information on social engineering attacks. [h]

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:
E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

a. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4055;
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4056, NIST uses
  this advisory to create the CVE website report. This website will be
  active sometime after publication of this advisory.
b. Important Information for Siemens FactoryLink Customers. (July 2007)
  Retrieved November 21, 2011, from FactoryLink Supervisory Control and Data
  Acquisition: Siemens PLM Software:
  http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml,
  website last accessed January 04, 2012.
c. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4055, NIST uses
  this advisory to create the CVE website report. This website will be active
  sometime after publication of this advisory.
d. http://nvd.nist.gov/cvss.cfm, website last accessed January 04, 2012.
e. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4056, NIST uses
  this advisory to create the CVE website report. This website will be active
  sometime after publication of this advisory.
f. CSSP Recommended Practices,
  http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
  website last accessed January 04, 2012.
g. Recognizing and Avoiding Email Scams,
  http://www.us-cert.gov/reading_room/emailscams_0905.pdf,
  website last accessed January 04, 2012.
h. National Cyber Alert System Cyber Security Tip ST04-014,
  http://www.us-cert.gov/cas/tips/ST04-014.html,
  website last accessed January 04, 2012.

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and
operators concerning ongoing cyber events or activity with the potential to
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for
vulnerability discovery is always provided to the vulnerability reporter
unless the reporter notifies ICS-CERT that they wish to remain anonymous.
ICS-CERT encourages researchers to coordinate vulnerability details before
public release. The public release of vulnerability details prior to the
development of proper mitigations may put industrial control systems and the
public at avoidable risk.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----