Siemens ProcessSuite and Invensys Wonderware InTouch: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1209
        ICSA-12-348-01 - SIEMENS PROCESSSUITE AND INVENSYS INTOUCH
                      POORLY ENCRYPTED PASSWORD FILE
                             20 December 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens ProcessSuite
                   Invensys Wonderware InTouch
Publisher:         US-CERT
Operating System:  Windows
Impact/Access:     Increased Privileges   -- Existing Account
                   Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4693  

Original Bulletin: 
   http://www.us-cert.gov/control_systems/pdf/ICSA-12-348-01.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT ADVISORY
ICSA-12-348-01 - SIEMENS PROCESSSUITE AND INVENSYS INTOUCH POORLY ENCRYPTED 
PASSWORD FILE
December 13, 2012

OVERVIEW

This advisory provides mitigation details for a vulnerability that impacts 
Siemens ProcessSuite (a) and Invensys Wonderware InTouch products. Researcher 
Seth Bromberger of NCI Security, LLC and independent researcher Slade Griffin 
have identified an insecure password storage vulnerability in both Siemens 
ProcessSuite and Invensys Wonderware InTouch applications. Siemens states that 
ProcessSuite is outdated and cannot be updated to match current security 
requirements; Siemens recommends upgrading to a more recent human-machine 
interface (HMI). Invensys recommends using Windows integrated security rather 
than the InTouch security subsystem but has created a new patch to mitigate 
this vulnerability. Successful exploitation of this vulnerability can allow an 
attacker to log in to the system as a privileged user and take over the
application.

AFFECTED PRODUCTS

The following Siemens ProcessSuite versions are affected:
* All versions of ProcessSuite.

Please note that according to Siemens, ProcessSuite was phased out in 2005 and 
completely discontinued in 2010. Customers using SIMATIC PCS7 / APACS+ OS are 
not affected.

The following Invensys Wonderware InTouch versions are affected:
* Wonderware InTouch 2012 R2 and previous.

Wonderware applications that use Windows Integrated security or ArchestrA 
security are not affected.

IMPACT

An attacker with read permissions to the password file can decrypt it and 
obtain all usernames and passwords, allowing logon as a privileged user and 
take over the application.

Impact to individual organizations depends on many factors that are unique to 
each organization. ICS-CERT recommends that organizations evaluate the impact 
of this vulnerability based on their operational environment, architecture,
and product implementation.

BACKGROUND

ProcessSuite is a part of a Distributed Control System APACS+ from Moore 
Products Inc., which was acquired by Siemens in 2000. Siemens ProcessSuite is
based on Wonderware InTouch V7.11 and uses similar authentication mechanisms.
Siemens no longer supports ProcessSuite.

ProcessSuite is deployed across several sectors including manufacturing, oil 
and gas, chemical, and others. Siemens estimates that these products are used 
primarily in the United States and Canada.

InTouch is an HMI created by Invensys Wonderware used for designing, building, 
deploying, and maintaining applications for manufacturing and infrastructure
operations.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

INSECURE PASSWORD STORAGE (b)

User management information including passwords is stored in a reversible 
format in file Ps_security.ini by the affected software. An attacker with read 
permissions to this local file can obtain the passwords, log in as a privileged 
user, and potentially affect the availability, integrity, and confidentiality 
of the system.

CVE-2012-4693 (c) has been assigned to this vulnerability. A CVSS v2 base 
score of 4.3 has been assigned; the CVSS vector string is 
(AV:L/AC:L/Au:S/C:P/I:P/A:P).(d)

VULNERABILITY DETAILS

EXPLOITABILITY

An attacker would need local access to the password file to be able to exploit 
this vulnerability.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with a low skill would be able to exploit this vulnerability.

MITIGATION

Systems running ProcessSuite are outdated in many aspects and cannot support 
the latest recommended security practices. As this software is discontinued, 
Siemens strongly recommends upgrading to a more recent HMI for APACS+. (a) 
Further information on migration options to PCS 7 / APACS+ OS along with 
technical support can be located at the Siemens APACS Web site. (e)

Invensys recommends using Windows integrated security features or migrating 
the HMI and OS to versions currently supported and then install their security 
update. (f) Please consult with Wonderware Technical Support (g) for help with
the update.

ICS-CERT encourages asset owners to take additional defensive measures to 
protect against this and other cybersecurity risks. for help with the update.

* Minimize network exposure for all control system devices. Critical devices 
  should not directly face the Internet.
* Locate control system networks and remote devices behind firewalls, and 
  isolate them from the business network.
* When remote access is required, use secure methods, such as Virtual Private 
  Networks (VPNs), recognizing that VPN is only as secure as the connected 
  devices.

ICS-CERT also provides a section for control systems security recommended 
practices on the ICS-CERT Web page. Several recommended practices are 
available for reading and download, including Improving Industrial Control 
Systems Cybersecurity with Defense-in-Depth Strategies. (h) ICS-CERT reminds 
organizations to perform proper impact analysis and risk assessment prior to 
taking defensive measures.

Additional mitigation guidance and recommended practices are publicly 
available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01A - 
Targeted Cyber Intrusion Detection and Mitigation Strategies (i), that is 
available for download from the ICS-CERT Web page (www.ics-cert.org).

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

a. Siemens Security Advisory SSA-370812, http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-370812.pdf
b. CWE-326: Inadequate Encryption Strength, http://cwe.mitre.org/data/definitions/326.html
Web site last accessed December 12, 2012.
c. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4693, NIST 
uses this advisory to create the CVE Web site report. This Web site will be 
active sometime after publication of this advisory.
d. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:L/Au:S/C:P/I:P/A:P)
Web site last visited December 12, 2012.
e. Siemens APACS Web site, http://www.apacs2020.com . Web site last visited 
December 12, 2012.
f. Invensys Cyber Security Updates, http://iom.invensys.com/EN/Pages/CyberSecurityUpdates.aspx
g. Wonderware Technical Support Contacts, http://global.wonderware.com/EN/Pages/WonderwareTechnicalSupportContacts.aspx
h. CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html
Web site last accessed December 12, 2011.
i. Target Cyber Intrusion Detection and Mitigation Strategies, http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf
Web site last accessed December 12, 2012.

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:
Email: ics-cert@hq.dhs.gov 
Toll Free: 1-877-776-7585

For industrial control systems security information and incident 
reporting: www.ics-cert.org

ICS-CERT continuously strives to improve its products and services. You can 
help by answering a short series of questions about this product at the 
following URL: https://forms.us-cert.gov/ncsd-feedback/.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUNKGHe4yVqjM2NGpAQINtw//aSnBftYKZ9nTXE+aNlZDVJbhzjMvOJUm
ZRB4FsyI199X5rujRVvrkYhHU7KZfUb53Hohox/grytOylDMIGSqvg/2giTEdqmP
tmpdnu0NHIBaMq75GPZ2zPpNzdY6hvCjSHLTTk7QDnq5cgB2wREDuK1dGazj7uLv
yr8GJS795ERCw20WjcX+iaDMkXePryCOAx0vV4aeJnqoQDpR2AeqBGwnms/JmzBS
dLM8HruIbc1Q+JkAm4vaKCxMw20mHj+WBWQw1jvh8UpIBhxB9gsW2/1I/bZGBfYT
h31V3yyy7RWDex/do2IGiv7581g+iJyddfTY/xGCFtuqF1nuHwPtRTRbwAcrgQIw
z/wwRROMU+lLs9GM04geu/RLvD4bEYLaKbq4W1f/bVUngeiM0p2I4e5sAJ8ZjsVo
W87yL5zsLEDkphspKNpZtZILfgpshMV209HzygKmZ+pAQ0V4wFxFxUFbjd8e2iAY
FVQ+zGRjlh7TCvc9jyAbx8Kqchq6tbElBPNGaKI0X0MT6uPfPWNN38iAJXAhUsBh
KRtR890j9Uaiddc9PHz9zcEMnxF4bIix7ngec0Qp9N+QY4GdK7zSDrnInVKU0+zr
KElqBINXgh1LAfpuBAWiY2dxqpND0vw75wJh+TmOsJwc9EHpYe1RPHnEQshbaBQy
Feag+P4PdeI=
=yvbb
-----END PGP SIGNATURE-----