-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.0486.3
            Siemens: Multiple Products: Multiple vulnerabilities
                               16 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens: Multiple Products
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-7802 CVE-2020-7801 CVE-2020-7800
                   CVE-2019-20046 CVE-2019-20045 CVE-2019-19282
                   CVE-2019-19277 CVE-2019-18217 CVE-2019-16879
                   CVE-2019-13946 CVE-2019-13941 CVE-2019-13940
                   CVE-2019-13926 CVE-2019-13925 CVE-2019-13924
                   CVE-2019-12815 CVE-2019-6585 CVE-2018-18065
                   CVE-2015-5621  

Reference:         ESB-2016.0323
                   ESB-2016.0322
                   ESB-2016.0319

Original Bulletin: 
   https://www.us-cert.gov/ics/advisories/icsa-20-042-01
   https://www.us-cert.gov/ics/advisories/icsa-20-042-02
   https://www.us-cert.gov/ics/advisories/icsa-20-042-03
   https://www.us-cert.gov/ics/advisories/icsa-20-042-04
   https://www.us-cert.gov/ics/advisories/icsa-20-042-05
   https://www.us-cert.gov/ics/advisories/icsa-20-042-06
   https://www.us-cert.gov/ics/advisories/icsa-20-042-07
   https://www.us-cert.gov/ics/advisories/icsa-20-042-08
   https://www.us-cert.gov/ics/advisories/icsa-20-042-09
   https://www.us-cert.gov/ics/advisories/icsa-20-042-10

Revision History:  April    16 2020: ICS released update to advisory (ICSA-20-042-05)
                   April     8 2020: Multiple CVEs added to advisory icsa-20-042-01
                   February 12 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-20-042-01)

Synergy Systems & Solutions HUSKY RTU (Update A)

Original release date: April 07, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Synergy Systems & Solutions (SSS)
  o Equipment: HUSKY RTU

- --------- Begin Update A Part 1 of 3 ---------

  o Vulnerabilities : Improper Authentication, Improper Input Validation,
    Missing Authentication for Critical Function, Improper Check for Unusual or
    Exceptional Conditions, Exposure of Sensitive Information to an
    Unauthorized Actor, Incorrect Default Permissions

- --------- End Update A Part 1 of 3 ---------

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled
ICSA-20-042-01 Synergy Systems & Solutions HUSKY RTU that was published
February 11, 2020, to the ICS webpage on us-cert.gov.

3. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
read sensitive information, execute arbitrary code, or cause a
denial-of-service condition.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following versions of HUSKY RTU, a remote terminal unit, are affected:

  o HUSKY RTU 6049-E70, with firmware Versions 5.0 and prior

4.2 VULNERABILITY OVERVIEW

4.2.1 IMPROPER AUTHENTICATION CWE-287

The affected product does not require adequate authentication, which may allow
an attacker to read sensitive information or execute arbitrary code.

CVE-2019-20046 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

4.2.2 IMPROPER INPUT VALIDATION CWE-20

Specially crafted malicious packets could disconnect active authenticated
connections or reboot the device.

CVE-2019-20045 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

- --------- Begin Update A Part 2 of 3 ---------

4.2.3 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product does not require authentication for TELNET access, which
may allow an attacker to change configuration or perform other malicious
activities.

CVE-2019-16879 has been assigned to this vulnerability. A CVSS v3 base score of
9.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:C/
C:L/I:N/A:H ).

4.2.4 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

The affected product is vulnerable to specially crafted TCP packets, which can
cause the device to shut down or reboot and lose configuration settings.

CVE-2020-7800 has been assigned to this vulnerability. A CVSS v3 base score of
9.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:C/
C:L/I:N/A:H ).

4.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

The affected product is vulnerable to information exposure over the SNMP
protocol.

CVE-2020-7801 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:L/A:N ).

4.2.6 INCORRECT DEFAULT PERMISSIONS CWE-276

The affected product is vulnerable to insufficient default permissions, which
could allow an attacker to view network configurations through SNMP
communication.

CVE-2020-7802 has been assigned to this vulnerability. A CVSS v3 base score of
9.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:C/
C:L/I:H/A:N ).

- --------- End Update A Part 2 of 3 ---------

4.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy, Transportation Systems
  o COUNTRIES/AREAS DEPLOYED: Asia
  o COMPANY HEADQUARTERS LOCATION: India

4.4 RESEARCHER

The VAPT Team, C3i Center, IITK, UP, India, reported to CISA that they had
coordinated these vulnerabilities directly with SSS.

5. MITIGATIONS

SSS makes the following recommendations to mitigate risk.

  o Upgrade to firmware Version 5.1.2 or higher. Consult with SSS for possible
    issues during upgrade, prior to implementing this recommendation.
  o Implement network segmentation and firewall policies to reduce exposure of
    the RTU to uncontrolled and unprotected access.
  o Follow recommended security practices and configure firewalls to help
    protect an industrial control network from attacks that originate from
    outside the network. Such practices include ensuring that protection,
    control, and automation systems are physically protected from direct access
    by unauthorized personnel, have no direct connections to the Internet, are
    separated from other networks by means of a firewall system that has a
    minimal number of ports exposed, and other practices to be evaluated case
    by case.
  o Do not allow the use of protection, control, and automation systems for
    Internet surfing, instant messaging, or receiving e-mails.
  o Block all nontrusted IP communications.
  o Configure trusted IP address access (IP whitelisting) in the RTU
    configuration for IEC-104 protocol to restrict hosts that can access the
    RTU.
  o Implement passwords in the RTU to restrict access to the RTU, via Husky
    Studio.
  o If possible, set up an SSL tunnel between the RTU and control center to
    restrict access to the RTU.

- --------- Begin Update A Part 3 of 3 ---------

For more information, see the associated SSS security bulletin.

- --------- End Update A Part 3 of 3 ---------

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- ------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-02)

Siemens Industrial Products SNMP Vulnerabilities

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: Various SCALANCE, SIMATIC, SIPLUS products
  o Vulnerabilities: Data Processing Errors, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote attackers
to conduct a denial-of-service attack by sending specially crafted packets to
Port 161/UDP (SNMP).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

  o IE/PB LINK PN IO (including SIPLUS NET variants): All versions
  o SCALANCE S602: All versions
  o SCALANCE S612: All versions
  o SCALANCE S623: All versions
  o SCALANCE S627-2M: All versions
  o SIMATIC CP 1623: All versions prior to Version 14.00.15.00_51.25.00.01
  o SIMATIC CP 1626: All versions
  o SIMATIC CP 1628: All versions prior to Version 14.00.15.00_51.25.00.01
  o SIMATIC CP 343-1 Advanced (including SIPLUS NET variants): All versions
  o SIMATIC CP 443-1 (including SIPLUS NET variants): All versions
  o SIMATIC CP 443-1 Advanced (including SIPLUS NET variants): All versions
  o SIMATIC CP 443-1 OPC UA: All versions
  o TIM 1531 IRC (including SIPLUS NET variants): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 DATA PROCESSING ERRORS CWE-19

An error in the handling of SNMP messages allows remote attackers to cause a
denial-of-service condition and execute arbitrary code via a crafted packet
sent to Port 161/UDP (SNMP).

CVE-2015-5621 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.2 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference in the SNMP handling code allows an authenticated
attacker to remotely cause a denial-of-service condition via a crafted packet
sent to Port 161/UDP (SNMP).

CVE-2018-18065 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:U/
C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Healthcare and Public Health, Transportation Systems, and Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Artem Zinenko of Kaspersky Lab reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends users
update to the new version. Siemens is preparing further updates and recommends
specific countermeasures until patches are available.

  o For SCALANCE S612, SCALANCE S623, and SCALANCE S627-2M products, migrate to
    SCALANCE SC-600 Industrial Security Appliances.
  o For SIMATIC CP 1623 and SIMATIC CP 1628, update to SIMATIC NET PC Software
    Version 16.
  o For TIM 1531 IRC or SIPLUS NET variants, update to Version 2.0.

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Disable SNMP if this is supported by the product (refer to the product
    documentation). Disabling SNMP fully mitigates these vulnerabilities.
  o Protect network access to Port 161/UDP of affected devices.
  o Apply the cell protection concept and implement defense-in-depth.
  o Use VPN for protecting network communication between cells.
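
Disabling SNMP or filtering 161/UDP is only done when a check from the network
confirms the device no longer answers. The following is an added example, not
Siemens, SSS or CISA code: a minimal SNMPv2c GetRequest encoder and GetResponse
decoder written in Python from the BER rules of the protocol, which asks a
device for sysDescr.0 and reports whether it still replies on 161/UDP. The same
check applies to the HUSKY RTU SNMP exposures (CVE-2020-7801, CVE-2020-7802)
described earlier in this bulletin. The community string "public", the request
id and the SAMPLE_RESPONSE bytes are constructed for illustration and are not
taken from any real device.

```python
# Added example (not vendor or CISA code): minimal SNMPv2c GetRequest encoder and
# GetResponse decoder built from the BER rules, to check whether a device still
# answers on 161/UDP after SNMP has been disabled or filtered.
import socket

SNMP_PORT = 161
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0 from the MIB-2 system group

def _ber_len(n):  # short form below 0x80, long form (0x80 | count, then the bytes) above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(value):  # non-negative INTEGER; the extra byte keeps the sign bit clear
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def encode_oid(oid):  # first two arcs share a byte, the rest are base-128 with continuation bits
    body = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunks = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunks.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunks))
    return _tlv(0x06, bytes(body))

def build_get_request(community, oid, request_id=1):
    # Message ::= SEQUENCE { version INTEGER (1 = v2c), community OCTET STRING, GetRequest-PDU [0xA0] }
    varbind = _tlv(0x30, encode_oid(oid) + b"\x05\x00")  # OID + NULL placeholder value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(1) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):  # returns (tag, contents, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_response(msg):
    # Returns (request_id, error_status, [(oid, value), ...]) from a GetResponse-PDU [0xA2].
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(body, 0)
    _, _community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if pdu_tag != 0xA2:
        raise ValueError("unexpected PDU tag 0x%02x" % pdu_tag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        if vtag == 0x04:                          # OCTET STRING
            value = vbody.decode("latin-1")
        elif vtag in (0x02, 0x41, 0x42, 0x43):    # INTEGER, Counter32, Gauge32, TimeTicks
            value = int.from_bytes(vbody, "big", signed=(vtag == 0x02))
        else:                                     # NULL, noSuchObject, etc.: keep raw
            value = vbody
        varbinds.append((decode_oid(oid_body), value))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), varbinds

def probe_snmp(host, community="public", timeout=2.0):
    # None means no answer within the timeout (SNMP disabled or 161/UDP filtered), which is
    # the result the mitigation should produce. A parsed sysDescr means the device still talks.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, SYS_DESCR_OID), (host, SNMP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)

# Constructed GetResponse, as a device with SNMP still enabled would answer (not a real capture).
SAMPLE_RESPONSE = _tlv(0x30, _ber_int(1) + _tlv(0x04, b"public") + _tlv(
    0xA2, _ber_int(1) + _ber_int(0) + _ber_int(0) + _tlv(0x30, _tlv(
        0x30, encode_oid(SYS_DESCR_OID) + _tlv(0x04, b"Constructed RTU firmware 5.0")))))
```

Run probe_snmp() against each device after the change: a return value of None
is the expected outcome; a tuple whose varbind carries a sysDescr string shows
the device is still reachable over SNMP and the workaround has not taken
effect. The decoder deliberately keeps unknown value types raw rather than
failing, so an unexpected answer is still reported.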

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security, and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity.

For more information on the vulnerabilities and detailed mitigation
instructions, please see Siemens security advisory SSA-978220.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- ------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-03)

Siemens SIMATIC CP 1543-1

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC CP 1543-1
  o Vulnerabilities: Improper Access Control, Loop with Unreachable Exit
    Condition

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow for remote code
execution and information disclosure without authentication, or unauthenticated
denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SIMATIC CP 1543-1, including SIPLUS NET
variants, are affected:

  o All versions starting at 2.0 and prior to 2.2

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER ACCESS CONTROL CWE-284

An arbitrary file copy vulnerability in mod_copy of the embedded FTP server
allows for remote code execution and information disclosure without
authentication.

CVE-2019-12815 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.2 LOOP WITH UNREACHABLE EXIT CONDITION CWE-835

Incorrect handling of overly long commands in the embedded FTP server allows an
attacker to cause a denial-of-service condition by driving the server into an
infinite loop.

CVE-2019-18217 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Healthcare and Public Health, Transportation Systems, and Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

The latest update for SIMATIC CP 1543-1 contains fixes for the vulnerabilities
within its embedded ProFTPD FTP server. Siemens recommends updating SIMATIC CP
1543-1 modules to Version 2.2.

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Disable the embedded FTP server. The server is deactivated in the default
    configuration.
  o Limit access to Port 21/TCP to trusted IP addresses.

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security, and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity.

For more information on the vulnerabilities and detailed mitigation
instructions, please see Siemens security advisory SSA-940889.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- ---------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-04)

Siemens PROFINET-IO Stack

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: Siemens PROFINET-IO Stack
  o Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a denial-of-service
condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Products that include the Siemens PROFINET-IO (PNIO) stack in versions prior to
v06.00 are affected. Additionally, Siemens recommends other vendors of PROFINET
devices check their products for vulnerable versions of the Siemens PNIO stack
as part of the Siemens Development/Evaluation Kits.

  o Development/Evaluation Kits for PROFINET IO:
       DK Standard Ethernet Controller: all versions
       EK-ERTEC 200: all versions prior to 4.5
       EK-ERTEC 200P: all versions prior to 4.6
  o PROFINET Driver for Controller: all versions prior to 2.1
  o RUGGEDCOM RM1224: all versions prior to 4.3
  o SCALANCE M-800 / S615: all versions prior to 4.3
  o SCALANCE W700 IEEE 802.11n: all versions prior to 6.0.1
  o SCALANCE X-200 switch family (incl. SIPLUS NET variants): all versions
  o SCALANCE X-200IRT switch family (incl. SIPLUS NET variants): all versions
    prior to 5.3
  o SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants): all
    versions
  o SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG: all versions prior
    to 3.0
  o SCALANCE XM-400 switch family: all versions prior to 6.0
  o SCALANCE XR-500 switch family: all versions prior to 6.0
  o SIMATIC CP 1616 and CP 1604: all versions prior to 2.8
  o SIMATIC CP 343-1 (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 343-1 ERPC: all versions
  o SIMATIC CP 343-1 LEAN (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 443-1 (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 443-1 OPC UA: all versions
  o SIMATIC ET200AL IM 157-1 PN: all versions
  o SIMATIC ET200M IM153-4 PN IO HF (incl. SIPLUS variants): all versions
  o SIMATIC ET200M IM153-4 PN IO ST (incl. SIPLUS variants): all versions
  o SIMATIC ET200MP IM155-5 PN HF (incl. SIPLUS variants): all versions prior
    to 4.2.0
  o SIMATIC ET200MP IM155-5 PN ST (incl. SIPLUS variants): all versions prior
    to 4.1.0
  o SIMATIC ET200S (incl. SIPLUS variants): all versions
  o SIMATIC ET200SP IM155-6 PN Basic (incl. SIPLUS variants): all versions
  o SIMATIC ET200SP IM155-6 PN HF (incl. SIPLUS variants): all versions prior
    to 3.3.1
  o SIMATIC ET200SP IM155-6 PN ST (incl. SIPLUS variants): all versions prior
    to 4.1.0
  o SIMATIC ET200ecoPN (except 6ES7148-6JD00-0AB0 and 6ES7146-6FF00-0AB0): all
    versions
  o SIMATIC ET200pro, IM 154-3 PN HF: all versions
  o SIMATIC ET200pro, IM 154-4 PN HF: all versions
  o SIMATIC IPC Support, Package for VxWorks: all versions
  o SIMATIC MV400 family: all versions
  o SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0 (incl. SIPLUS NET variant): all
    versions
  o SIMATIC RF180C: all versions
  o SIMATIC RF182C: all versions
  o SIMATIC RF600 family: all versions prior to 3
  o SINAMICS DCP: all versions prior to 1.3
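
A list this long is only useful once it is compared against an asset
inventory, and "prior to" comparisons go wrong when version strings are
compared as text ("4.10" sorts before "4.6") or carry a "V" prefix, leading
zeros ("v06.00") or a patch suffix ("4.5 Patch 01"). The following Python is an
added example, not Siemens or CISA code: it transcribes a subset of the
thresholds above, parses such version strings into numeric tuples and flags
the affected hosts in a constructed inventory. The product keys, hostnames and
installed versions are assumptions for illustration, not real identifiers or
assets.

```python
# Added example (not vendor or CISA code): match installed firmware versions against
# the "all versions prior to X" thresholds from the affected-products list.
import re

# Thresholds transcribed from the list above (a subset). None = all versions affected.
# Product keys are our own shorthand for illustration, not Siemens order numbers.
AFFECTED = {
    "EK-ERTEC 200": "4.5",
    "EK-ERTEC 200P": "4.6",
    "PROFINET Driver for Controller": "2.1",
    "RUGGEDCOM RM1224": "4.3",
    "SCALANCE M-800 / S615": "4.3",
    "SCALANCE W700 IEEE 802.11n": "6.0.1",
    "SCALANCE X-200": None,
    "SCALANCE X-200IRT": "5.3",
    "SCALANCE X-300": None,
    "SCALANCE XM-400": "6.0",
    "SCALANCE XR-500": "6.0",
    "SIMATIC CP 1616 / CP 1604": "2.8",
    "SIMATIC ET200SP IM155-6 PN HF": "3.3.1",
    "SIMATIC RF600": "3",
    "SINAMICS DCP": "1.3",
}

def parse_version(text):
    # 'V4.2.0', 'v06.00', '4.5 Patch 01' -> tuple of ints. Trailing zeros are dropped so
    # 4.2 == 4.2.0; numeric tuples compare correctly where strings do not ('4.10' > '4.6').
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(product, version):
    # True when the installed version is "prior to" the advisory threshold.
    threshold = AFFECTED[product]  # KeyError for products this advisory does not list
    if threshold is None:
        return True
    return parse_version(version) < parse_version(threshold)

def evaluate(inventory):
    # (hostname, product, version) rows -> (hostname, product, version, affected or None).
    results = []
    for host, product, version in inventory:
        try:
            hit = is_affected(product, version)
        except KeyError:
            hit = None  # product not covered by this advisory
        results.append((host, product, version, hit))
    return results

# Constructed inventory (not real assets); the version strings exercise the parsing pitfalls.
INVENTORY = [
    ("sw-cell3-01", "SCALANCE X-200IRT", "V5.2.1"),    # prior to 5.3: affected
    ("sw-cell3-02", "SCALANCE X-200IRT", "V5.4.2"),    # the fixed version: not affected
    ("ek-lab-01", "EK-ERTEC 200", "4.5 Patch 01"),     # fixed version: not affected
    ("ek-lab-02", "EK-ERTEC 200", "4.4.7"),            # affected
    ("ek-lab-03", "EK-ERTEC 200P", "V4.10"),           # 4.10 > 4.6 numerically: not affected
    ("sw-old-01", "SCALANCE X-200", "5.2.6"),          # all versions affected
    ("rfid-01", "SIMATIC RF600", "V3.2.1"),            # not affected
    ("plc-01", "SIMATIC S7-1500", "V2.8.3"),           # not in this advisory's list
]

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "ok", None: "not listed"}
    for host, product, version, hit in evaluate(INVENTORY):
        print("%-12s %-32s %-14s %s" % (host, product, version, labels[hit]))
```

The "not listed" outcome is deliberately distinct from "ok": a product absent
from the table has not been assessed, which is not the same as being
unaffected, and a reviewer should see the difference in the report.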

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

PROFINET-IO (PNIO) stack versions prior to v06.00 do not properly limit internal
resource allocation when multiple legitimate diagnostic package requests are
sent to the DCE-RPC interface. This could lead to a denial-of-service condition
due to lack of memory for devices that include a vulnerable version of the
stack.

CVE-2019-13946 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Yuval Ardon and Matan Dobrushin of OTORIO reported this vulnerability to CISA
and Siemens.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends users
update to the new version. Siemens is preparing further updates and recommends
specific countermeasures until patches are available.

  o Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200: Update to v4.5
    Patch 01
  o Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P: Update to v4.6
  o PROFINET Driver for Controller: Update to v2.1 Patch 03
  o SCALANCE M-800 / S615: Update to v6.1.2
  o SCALANCE W700 IEEE 802.11n: Update to v6.4
  o SCALANCE X-200IRT switch family: Update to v5.4.2
  o SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG: Update to v4.1
  o SCALANCE XM-400 switch family: Update to v6.2.3
  o SCALANCE XR-500 switch family: Update to v6.2.3
  o SIMATIC CP 1616 and CP 1604: Update to v2.8.1
  o SIMATIC ET200MP IM155-5 PN HF: Update to v4.2.0
  o SIMATIC ET200MP IM155-5 PN ST: Update to v4.1.0
  o SIMATIC ET200SP IM155-6 PN HF: Update to v4.2.2
  o SIMATIC ET200SP IM155-6 PN ST: Update to v4.1.0
  o SIMATIC RF600 family: Update to v3.2.1
  o SINAMICS DCP: Update to v1.3

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o If possible, disable PROFINET
  o SCALANCE M-800 / S615 and RUGGEDCOM RM1224: Create a firewall rule that
    blocks the PROFINET Context Manager port (34964/UDP).

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security, and follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity.

For more information on the vulnerability and more detailed mitigation
instructions, please see Siemens security advisory SSA-780073.

For more information on this vulnerability see also ICS Advisory ICSA-19-353-01
Moxa EDS Ethernet Switches.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- -------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-05)

Siemens SIMATIC S7 (Update B)

Original release date: April 14, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 5.3
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC S7
  o Vulnerability: Uncontrolled Resource Consumption (Resource Exhaustion)

2. UPDATE INFORMATION

This updated advisory is a follow-up to the advisory update titled
ICSA-20-042-05 Siemens SIMATIC S7 (Update A) that was published March 10, 2020,
to the ICS webpage on us-cert.gov.

3. RISK EVALUATION

Successful exploitation of this vulnerability could allow remote attackers to
perform a denial-of-service attack by sending a specially crafted HTTP request
to the web server of an affected device.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following versions of SIMATIC S7 devices are affected:

  o SIMATIC S7-1200 CPU family (incl. SIPLUS variants) all versions prior to
    v4.1
  o SIMATIC S7-300 PN/DP CPU family (incl. related ET200 CPUs and SIPLUS
    variants) all versions prior to V3.x.17
  o SIMATIC S7-400 PN/DP v6 and below CPU family (incl. SIPLUS variants) all
    versions
  o SIMATIC S7-400 PN/DP v7 CPU family (incl. SIPLUS variants) all versions

- --------- Begin Update B Part 1 of 1 ---------

  o SIMATIC WinAC (F) 2010 all versions

- --------- End Update B Part 1 of 1 ---------

4.2 VULNERABILITY OVERVIEW

4.2.1 UNCONTROLLED RESOURCE CONSUMPTION ('RESOURCE EXHAUSTION') CWE-400

Affected devices contain a vulnerability that could cause a denial-of-service
condition of the web server by sending specially crafted HTTP requests to Ports
80/TCP and 443/TCP.

CVE-2019-13940 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

4.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy,
    Food and Agriculture, Water and Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

4.4 RESEARCHER

China Industrial Control Systems Cyber Emergency Response Team (CIC) reported
this vulnerability to Siemens.

5. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Restrict access to the device to the internal or VPN network. Further, if
    possible, restrict access to the web server (80/TCP, 443/TCP) to trusted IP
    addresses.
  o If possible, disable the integrated web server. The web server is disabled
    in the default settings and its use is optional.
  o For SIMATIC S7-1200 CPU family (including SIPLUS variants) Siemens
    recommends affected users update to v4.1 or any later version.
  o For SIMATIC S7-300 PN/DP CPU family (including related ET200 CPUs and
    SIPLUS variants), Siemens recommends affected users update to v3.x.17 or
    any later version.

For more information on this vulnerability and associated software updates,
please see Siemens security advisory SSA-431678.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-06)

Siemens SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC PCS 7, SIMATIC WinCC, SIMATIC NET PC
  o Vulnerability: Incorrect Calculation of Buffer Size

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with
network access to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SIMATIC software are affected:

  o OpenPCS 7 v8.1 all versions
  o OpenPCS 7 v8.2 all versions
  o OpenPCS 7 v9.0 all versions
  o SIMATIC BATCH v8.1 all versions
  o SIMATIC BATCH v8.2 all versions
  o SIMATIC BATCH v9.0 all versions
  o SIMATIC NET PC Software all versions
  o SIMATIC PCS 7 v8.1 all versions
  o SIMATIC PCS 7 v8.2 all versions
  o SIMATIC PCS 7 v9.0 all versions
  o SIMATIC Route Control v8.1 all versions
  o SIMATIC Route Control v8.2 all versions
  o SIMATIC Route Control v9.0 all versions
  o SIMATIC WinCC (TIA Portal) v13 all versions prior to v13 SP2
  o SIMATIC WinCC (TIA Portal) v14.0.1 all versions
  o SIMATIC WinCC (TIA Portal) v15.1 all versions
  o SIMATIC WinCC (TIA Portal) v16 all versions
  o SIMATIC WinCC v7.3 all versions
  o SIMATIC WinCC v7.4 all versions
  o SIMATIC WinCC v7.5 all versions prior to v7.5.1 Upd1

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT CALCULATION OF BUFFER SIZE CWE-131

Through specially crafted messages, when encrypted communication is enabled, an
attacker with network access could compromise the availability of the system by
causing a denial-of-service condition.

CVE-2019-19282 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy,
    Food and Agriculture, Water and Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nicholas Miles from Tenable reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations:

  o Apply cell protection concept
  o Use VPN for protecting network communication between cells
  o Apply Defense-in-Depth

For SIMATIC WinCC (TIA Portal) v13, Siemens recommends affected users update to
v13 SP2 or higher.
For SIMATIC WinCC v7.5, Siemens recommends affected users update to v7.5.1 Upd1
or higher.
For more information on this vulnerability and associated software updates,
please see Siemens security advisory SSA-270778.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- ---------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-07)

Siemens SCALANCE X Switches

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 4.2
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SCALANCE X switches
  o Vulnerability: Protection Mechanism Failure

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to
perform administrative actions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SCALANCE X Switches, used to connect industrial
components, are affected:

  o SCALANCE X-200 switch family (including SIPLUS NET variants): All versions
    prior to Version 5.2.4
  o SCALANCE X-200IRT switch family (including SIPLUS NET variants): All
    versions
  o SCALANCE X-300 switch family (including X408 and SIPLUS NET variants): All
    versions prior to Version 4.1.3

3.2 VULNERABILITY OVERVIEW

3.2.1 PROTECTION MECHANISM FAILURE CWE-693

The device does not send the X-Frame-Options header in the administrative web
interface, which makes it vulnerable to clickjacking attacks.

CVE-2019-13924 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L).
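A defender-side check for the weakness described above, added here as an example and not part of the advisory or of any Siemens product: it parses a raw HTTP response captured from an administrative web interface and reports whether the X-Frame-Options header, or an equivalent Content-Security-Policy frame-ancestors directive, is present. The sample responses are constructed for this example.

```python
"""Audit a captured HTTP response for clickjacking (framing) protection.

Added example; not part of the ICS advisory or of any Siemens firmware.
Sample responses below are constructed and were not captured from a device.
"""
from typing import Dict, Optional, Tuple


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x response into its status line and a header map.

    Header names are lower-cased for lookup; repeated headers are joined
    with ", " as RFC 7230 allows. Anything after the first blank line (the
    body) is ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]).lower()
    return None


def assess_framing_protection(headers: Dict[str, str]) -> str:
    """Classify framing protection as 'protected', 'weak' or 'missing'.

    Browsers that understand frame-ancestors give it precedence over
    X-Frame-Options, so it is evaluated first.
    """
    csp = headers.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # A wildcard source lets any origin frame the page.
            return "weak" if "*" in sources.split() else "protected"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value that current browsers ignore, so it protects nothing.
        return "weak"
    return "missing"


def audit_raw_response(raw: str) -> Dict[str, Optional[str]]:
    """Audit one captured response and return the evidence with the verdict."""
    status, headers = parse_response_headers(raw)
    return {
        "status": status,
        "x-frame-options": headers.get("x-frame-options"),
        "content-security-policy": headers.get("content-security-policy"),
        "verdict": assess_framing_protection(headers),
    }


# Constructed sample responses (not captured from any real device).
RESPONSE_NO_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESPONSE_XFO = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESPONSE_CSP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("no header", RESPONSE_NO_HEADER),
                      ("x-frame-options", RESPONSE_XFO),
                      ("csp", RESPONSE_CSP)):
        print(name, audit_raw_response(raw)["verdict"])
```

A "missing" verdict against a device's login or configuration page is the condition the advisory describes; the fixed firmware versions listed under MITIGATIONS should yield "protected".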

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released updates, which are recommended to be applied when
possible:

  o SCALANCE X-200 switch family (including SIPLUS NET variants): Version 5.2.4
  o SCALANCE X-300 switch family (including X408 and SIPLUS NET variants):
    Version 4.1.3

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Only access links from trusted sources in the browser you use to configure
    the SCALANCE X switches.

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security, and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information see Siemens security advisory SSA-951513.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- ------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-08)

Siemens SIPORT MP

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 6.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIPORT MP
  o Vulnerability: Insufficient logging

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow the attacker to
create special accounts with administrative privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

  o SIPORT MP: All versions prior to 3.1.4 are affected

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT LOGGING CWE-778

Vulnerable versions of the device allow the creation of special accounts
(service users) with administrative privileges that could enable a remote
authenticated attacker to perform actions that are not visible to other users
of the system, such as granting persons access to a secured area.

CVE-2019-19277 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Government
    Facilities
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens recommends users update to Version 3.1.4 (login required).
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o For SIPORT MP Versions 3.0.x, apply the latest hotfix for Version 3.0.3.
  o For SIPORT MP Versions 2.2 and later, apply the SIPORT_CleanUsers tool.

As a general security measure Siemens strongly recommends users protect network
access to affected products with appropriate mechanisms. It is advised to
follow recommended security practices in order to run the devices in a
protected IT environment.

Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information see the Siemens security advisory.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- ------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-09)

Siemens OZW Web Server

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 5.3
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: OZW web server
  o Vulnerability: Information disclosure

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow unauthenticated users
to access project files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of OZW web server are affected:

  o OZW672 and OZW772: All versions prior to 10.0

3.2 VULNERABILITY OVERVIEW

3.2.1 INFORMATION DISCLOSURE CWE-552

Vulnerable versions of OZW web server use predictable path names for project
files that legitimately authenticated users have created by using the
application's export function. By accessing a specific uniform resource locator
on the web server, a remote attacker could be able to download a project file
without prior authentication.

CVE-2019-13941 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
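The weakness described above beside a hardened form, added here as an example that is not part of the advisory or of the OZW product: an export handler that derives the download path from predictable data and serves it without an authentication check, next to one that names each export with a random token, records its owner, and refuses unauthenticated or foreign requests. The in-memory file store, session table and "/exports/" prefix are constructed for the example.

```python
"""Predictable export paths versus token-named, owner-bound downloads.

Added example; not part of the ICS advisory or of any Siemens product.
The storage prefix, session ids and file contents are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ExportStore:
    """Minimal in-memory stand-in for a web server's export directory."""
    files: Dict[str, bytes] = field(default_factory=dict)    # path -> content
    owners: Dict[str, str] = field(default_factory=dict)     # path -> user
    sessions: Dict[str, str] = field(default_factory=dict)   # session -> user
    base: str = "/exports/"  # hypothetical prefix, used only here

    # --- Weak pattern: name derived from user/project, no auth on download --
    def export_predictable(self, user: str, project: str, data: bytes) -> str:
        """Store the export under a path anyone can derive from public facts."""
        path = f"{self.base}{user}_{project}.xml"
        self.files[path] = data
        return path

    def download_predictable(self, path: str) -> Optional[bytes]:
        """Return the file to whoever requests the path; no identity check."""
        return self.files.get(path)

    # --- Hardened pattern: random token, owner recorded, auth required ------
    def export_hardened(self, session_id: str, data: bytes) -> str:
        """Store the export under an unguessable path bound to its creator."""
        user = self.sessions[session_id]   # KeyError: export requires login
        token = secrets.token_urlsafe(32)  # 256 random bits, 43 URL-safe chars
        path = f"{self.base}{token}"
        self.files[path] = data
        self.owners[path] = user
        return path

    def download_hardened(self, session_id: Optional[str],
                          path: str) -> Optional[bytes]:
        """Serve the file only to an authenticated session that owns it."""
        user = self.sessions.get(session_id) if session_id else None
        if user is None:
            return None  # unauthenticated requests never receive a file
        if self.owners.get(path) != user:
            return None  # valid session, but not the creator of this export
        return self.files.get(path)


def demo() -> Dict[str, bool]:
    """Exercise both patterns and report which requests succeeded."""
    store = ExportStore()
    store.sessions["sess-alice"] = "alice"
    store.sessions["sess-bob"] = "bob"
    weak = store.export_predictable("alice", "plant1", b"<project/>")
    strong = store.export_hardened("sess-alice", b"<project/>")
    return {
        "weak_path_is_guessable": weak == "/exports/alice_plant1.xml",
        "weak_served_without_login": store.download_predictable(weak) is not None,
        "strong_served_without_login": store.download_hardened(None, strong) is not None,
        "strong_served_to_owner": store.download_hardened("sess-alice", strong) is not None,
        "strong_served_to_other_user": store.download_hardened("sess-bob", strong) is not None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```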

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Government
    Facilities
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Maxim Rupp reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends users update OZW672 and OZW772 to version 10.0.
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Configure the product according to the OZW hardening guidelines.
  o Restrict access to the device to the internal or VPN network. Further, if
    possible, restrict access to the OZW Web Server to trusted IP addresses.

As a general security measure Siemens strongly recommends users protect network
access to affected products with appropriate mechanisms. It is advised to
follow recommended security practices in order to run the devices in a
protected IT environment.

For more information refer to SSA-986695.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- ----------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-10)

Siemens SCALANCE S-600

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely
  o Vendor: Siemens
  o Equipment: SCALANCE S-600 Firewall
  o Vulnerabilities: Resource Exhaustion, Cross-site Scripting

2. RISK EVALUATION

These vulnerabilities could allow a remote attacker to conduct
denial-of-service or cross-site scripting attacks. User interaction is required
for a successful exploitation of the cross-site-scripting attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SCALANCE S-600 are affected:

  o SCALANCE S602, all versions v3.0 or higher
  o SCALANCE S612, all versions v3.0 or higher
  o SCALANCE S623, all versions v3.0 or higher
  o SCALANCE S627-2M, all versions v3.0 or higher

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-80

The integrated configuration web server of the affected devices could allow
cross-site scripting (XSS) attacks if unsuspecting users are tricked into
accessing a malicious link.

CVE-2019-6585 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

3.2.2 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Specially crafted packets sent to Port 443/TCP of affected devices could cause
a denial-of-service condition of the web server.

CVE-2019-13925 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Specially crafted packets sent to Port 443/TCP of affected devices could cause
a denial-of-service condition of the web server. A cold reboot is required to
restore the functionality of the device.

CVE-2019-13926 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Information Technology
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Melih Berk Eksioglu reported some of these vulnerabilities to Siemens.

4. MITIGATIONS

For SCALANCE S602 v3.0, Siemens recommends only accessing links from trusted
sources in the browser you use to access the SCALANCE S administration website.

For SCALANCE S612, all versions v3.0 or higher, SCALANCE S623, all versions
v3.0 or higher, and SCALANCE S627-2M, all versions v3.0 or higher, Siemens
recommends migrating to SCALANCE SC-600 Industrial Security Appliances.

For more information on these vulnerabilities and associated software updates,
please see Siemens security advisory SSA-591405.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should take the
following measures to protect themselves from social engineering attacks:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================