-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ICSA-12-348-01 - SIEMENS PROCESSSUITE AND INVENSYS INTOUCH
POORLY ENCRYPTED PASSWORD FILE
20 December 2012
AusCERT Security Bulletin Summary
Product: Siemens ProcessSuite
Invensys Wonderware InTouch
Operating System: Windows
Impact/Access: Increased Privileges -- Existing Account
Access Privileged Data -- Existing Account
CVE Names: CVE-2012-4693
- --------------------------BEGIN INCLUDED TEXT--------------------
ICSA-12-348-01 - SIEMENS PROCESSSUITE AND INVENSYS INTOUCH POORLY ENCRYPTED
December 13, 2012
This advisory provides mitigation details for a vulnerability that impacts
Siemens ProcessSuite (a) and Invensys Wonderware InTouch products. Researcher
Seth Bromberger of NCI Security, LLC and independent researcher Slade Griffin
have identified an insecure password storage vulnerability in both Siemens
ProcessSuite and Invensys Wonderware InTouch applications. Siemens states that
ProcessSuite is outdated and cannot be updated to match current security
requirements; Siemens recommends upgrading to a more recent human-machine
interface (HMI). Invensys recommends using Windows integrated security rather
than the InTouch security subsystem but has created a new patch to mitigate
this vulnerability. Successful exploitation of this vulnerability can allow an
attacker to log in to the system as a privileged user and take over the
The following Siemens ProcessSuite versions are affected:
* All versions of ProcessSuite.
Please note that according to Siemens, ProcessSuite was phased out in 2005 and
completely discontinued in 2010. Customers using SIMATIC PCS7 / APACS+ OS are
The following Invensys Wonderware InTouch versions are affected:
* Wonderware InTouch 2012 R2 and previous.
Wonderware applications that use Windows Integrated security or ArchestrA
security are not affected.
An attacker with read permissions to the password file can decrypt it and
obtain all usernames and passwords, allowing logon as a privileged user and
take over the application.
Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment, architecture,
and product implementation.
ProcessSuite is a part of a Distributed Control System APACS+ from Moore
Products Inc., which was acquired by Siemens in 2000. Siemens ProcessSuite is
based on Wonderware InTouch V7.11 and uses similar authentication mechanisms.
Siemens no longer supports ProcessSuite.
ProcessSuite is deployed across several sectors including manufacturing, oil
and gas, chemical, and others. Siemens estimates that these products are used
primarily in the United States and Canada.
InTouch is an HMI created by Invensys Wonderware used for designing, building,
deploying, and maintaining applications for manufacturing and infrastructure
INSECURE PASSWORD STORAGE (b)
User management information including passwords is stored in a reversible
format in file Ps_security.ini by the affected software. An attacker with read
permissions to this local file can obtain the passwords, log in as a privileged
user, and potentially affect the availability, integrity, and confidentiality
of the system.
CVE-2012-4693 (c) has been assigned to this vulnerability. A CVSS v2 base
score of 4.3 has been assigned; the CVSS vector string is
An attacker would need local access to the password file to be able to exploit
EXISTENCE OF EXPLOIT
No known public exploits specifically target this vulnerability.
An attacker with a low skill would be able to exploit this vulnerability.
Systems running ProcessSuite are outdated in many aspects and cannot support
the latest recommended security practices. As this software is discontinued,
Siemens strongly recommends upgrading to a more recent HMI for APACS+. (a)
Further information on migration options to PCS 7 / APACS+ OS along with
technical support can be located at the Siemens APACS Web site. (e)
Invensys recommends using Windows integrated security features or migrating
the HMI and OS to versions currently supported and then install their security
update. (f) Please consult with Wonderware Technical Support (g) for help with
ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks. for help with the update.
* Minimize network exposure for all control system devices. Critical devices
should not directly face the Internet.
* Locate control system networks and remote devices behind firewalls, and
isolate them from the business network.
* When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing that VPN is only as secure as the connected
ICS-CERT also provides a section for control systems security recommended
practices on the ICS-CERT Web page. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies. (h) ICS-CERT reminds
organizations to perform proper impact analysis and risk assessment prior to
taking defensive measures.
Additional mitigation guidance and recommended practices are publicly
available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01A -
Targeted Cyber Intrusion Detection and Mitigation Strategies (i), that is
available for download from the ICS-CERT Web page (www.ics-cert.org).
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.
a. Siemens Security Advisory SSA-370812, http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-370812.pdf
b. CWE-326: Inadequate Encryption Strength, http://cwe.mitre.org/data/definitions/326.html
Web site last accessed December 12, 2012.
c. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4693, NIST
uses this advisory to create the CVE Web site report. This Web site will be
active sometime after publication of this advisory.
d. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:L/Au:S/C:P/I:P/A:P)
Web site last visited December 12, 2012.
e. Siemens APACS Web site, http://www.apacs2020.com . Web site last visited
December 12, 2012.
f. Invensys Cyber Security Updates, http://iom.invensys.com/EN/Pages/CyberSecurityUpdates.aspx
g. Wonderware Technical Support Contacts, http://global.wonderware.com/EN/Pages/WonderwareTechnicalSupportContacts.aspx
h. CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html
Web site last accessed December 12, 2011.
i. Target Cyber Intrusion Detection and Mitigation Strategies, http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf
Web site last accessed December 12, 2012.
For any questions related to this report, please contact ICS-CERT at:
Toll Free: 1-877-776-7585
For industrial control systems security information and incident
ICS-CERT continuously strives to improve its products and services. You can
help by answering a short series of questions about this product at the
following URL: https://forms.us-cert.gov/ncsd-feedback/.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----