-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0486.3
           Siemens: Multiple Products: Multiple vulnerabilities
                                 16 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens: Multiple Products
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-7802 CVE-2020-7801 CVE-2020-7800 CVE-2019-20046
                   CVE-2019-20045 CVE-2019-19282 CVE-2019-19277 CVE-2019-18217
                   CVE-2019-16879 CVE-2019-13946 CVE-2019-13941 CVE-2019-13940
                   CVE-2019-13926 CVE-2019-13925 CVE-2019-13924 CVE-2019-12815
                   CVE-2019-6585 CVE-2018-18065 CVE-2015-5621
Reference:         ESB-2016.0323 ESB-2016.0322 ESB-2016.0319

Original Bulletin:
   https://www.us-cert.gov/ics/advisories/icsa-20-042-01
   https://www.us-cert.gov/ics/advisories/icsa-20-042-02
   https://www.us-cert.gov/ics/advisories/icsa-20-042-03
   https://www.us-cert.gov/ics/advisories/icsa-20-042-04
   https://www.us-cert.gov/ics/advisories/icsa-20-042-05
   https://www.us-cert.gov/ics/advisories/icsa-20-042-06
   https://www.us-cert.gov/ics/advisories/icsa-20-042-07
   https://www.us-cert.gov/ics/advisories/icsa-20-042-08
   https://www.us-cert.gov/ics/advisories/icsa-20-042-09
   https://www.us-cert.gov/ics/advisories/icsa-20-042-10

Revision History:  April 16 2020: ICS released update to advisory (ICSA-20-042-05)
                   April 8 2020: Multiple CVEs added to advisory icsa-20-042-01
                   February 12 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-20-042-01)
Synergy Systems & Solutions HUSKY RTU (Update A)

Original release date: April 07, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Synergy Systems & Solutions (SSS)
  o Equipment: HUSKY RTU

- --------- Begin Update A Part 1 of 3 ---------

  o Vulnerabilities: Improper Authentication, Improper Input Validation,
    Missing Authentication for Critical Function, Improper Check for Unusual or
    Exceptional Conditions, Exposure of Sensitive Information to an
    Unauthorized Actor, Incorrect Default Permissions

- --------- End Update A Part 1 of 3 ---------

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled
ICSA-20-042-01 Synergy Systems & Solutions HUSKY RTU that was published
February 11, 2020, to the ICS webpage on us-cert.gov.

3. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
read sensitive information, execute arbitrary code, or cause a denial-of-service
condition.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following versions of HUSKY RTU, a remote terminal unit, are affected:

  o HUSKY RTU 6049-E70, with firmware Versions 5.0 and prior

4.2 VULNERABILITY OVERVIEW

4.2.1 IMPROPER AUTHENTICATION CWE-287

The affected product does not require adequate authentication, which may allow
an attacker to read sensitive information or execute arbitrary code.
CVE-2019-20046 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.2 IMPROPER INPUT VALIDATION CWE-20

Specially crafted malicious packets could cause disconnection of active
authentic connections or a reboot of the device.

CVE-2019-20045 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

- --------- Begin Update A Part 2 of 3 ---------

4.2.3 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product does not require authentication for TELNET access, which
may allow an attacker to change configuration or perform other malicious
activities.

CVE-2019-16879 has been assigned to this vulnerability. A CVSS v3 base score of
9.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H).

4.2.4 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

The affected product is vulnerable to specially crafted TCP packets, which can
cause the device to shut down or reboot and lose configuration settings.

CVE-2020-7800 has been assigned to this vulnerability. A CVSS v3 base score of
9.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H).

4.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

The affected product is vulnerable to information exposure over the SNMP
protocol.

CVE-2020-7801 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

4.2.6 INCORRECT DEFAULT PERMISSIONS CWE-276

The affected product is vulnerable to insufficient default permissions, which
could allow an attacker to view network configurations through SNMP
communication.

CVE-2020-7802 has been assigned to this vulnerability. A CVSS v3 base score of
9.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N).

- --------- End Update A Part 2 of 3 ---------

4.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy, Transportation Systems
  o COUNTRIES/AREAS DEPLOYED: Asia
  o COMPANY HEADQUARTERS LOCATION: India

4.4 RESEARCHER

The VAPT Team, C3i Center, IITK, UP, India, reported to CISA that they had
coordinated these vulnerabilities directly with SSS.

5. MITIGATIONS

SSS makes the following recommendations to mitigate risk:

  o Upgrade to firmware Version 5.1.2 or higher. Consult with SSS for possible
    issues during upgrade, prior to implementing this recommendation.
  o Implement network segmentation and firewall policies to reduce exposure of
    the RTU to uncontrolled and unprotected access.
  o Follow recommended security practices and configure firewalls to help
    protect an industrial control network from attacks that originate from
    outside the network. Such practices include ensuring that protection,
    control, and automation systems are physically protected from direct access
    by unauthorized personnel, have no direct connections to the Internet, are
    separated from other networks by means of a firewall system that has a
    minimal number of ports exposed, and other practices to be evaluated case by
    case.
  o Do not allow the use of protection, control, and automation systems for
    Internet surfing, instant messaging, or receiving e-mails.
  o Block all nontrusted IP communications.
  o Configure trusted IP address access (IP whitelisting) in the RTU
    configuration for the IEC-104 protocol to restrict the hosts that can
    access the RTU.
  o Implement passwords in the RTU, via Husky Studio, to restrict access to the
    RTU.
  o If possible, set up an SSL tunnel between the RTU and the control center to
    restrict access to the RTU.

- --------- Begin Update A Part 3 of 3 ---------

For more information, see the associated SSS security bulletin.
- --------- End Update A Part 3 of 3 ---------

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- ------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-02)
Siemens Industrial Products SNMP Vulnerabilities

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: Various SCALANCE, SIMATIC, SIPLUS products
  o Vulnerabilities: Data Processing Errors, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote attackers
to conduct a denial-of-service attack by sending specially crafted packets to
Port 161/UDP (SNMP).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

  o IE/PB LINK PN IO (including SIPLUS NET variants): All versions
  o SCALANCE S602: All versions
  o SCALANCE S612: All versions
  o SCALANCE S623: All versions
  o SCALANCE S627-2M: All versions
  o SIMATIC CP 1623: All versions prior to Version 14.00.15.00_51.25.00.01
  o SIMATIC CP 1626: All versions
  o SIMATIC CP 1628: All versions prior to Version 14.00.15.00_51.25.00.01
  o SIMATIC CP 343-1 Advanced (including SIPLUS NET variants): All versions
  o SIMATIC CP 443-1 (including SIPLUS NET variants): All versions
  o SIMATIC CP 443-1 Advanced (including SIPLUS NET variants): All versions
  o SIMATIC CP 443-1 OPC UA: All versions
  o TIM 1531 IRC (including SIPLUS NET variants): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 DATA PROCESSING ERRORS CWE-19

An error in the message handling of SNMP messages allows remote attackers to
cause a denial-of-service condition and execute arbitrary code via a crafted
packet sent on Port 161/UDP (SNMP).

CVE-2015-5621 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 NULL POINTER DEREFERENCE CWE-476

A NULL pointer exception bug within the SNMP handling code allows an
authenticated attacker to remotely cause a denial-of-service condition via a
crafted packet sent on Port 161/UDP (SNMP).

CVE-2018-18065 has been assigned to this vulnerability.
A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Healthcare and Public Health, Transportation Systems, and Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Artem Zinenko of Kaspersky Lab reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends users
update to the new version. Siemens is preparing further updates and recommends
specific countermeasures until patches are available.

  o For SCALANCE S612, SCALANCE S623, and SCALANCE S627-2M products, migrate to
    SCALANCE SC-600 Industrial Security Appliances.
  o For SIMATIC CP 1623 and SIMATIC CP 1628, update to SIMATIC NET PC Software
    Version 16.
  o For TIM 1531 IRC or SIPLUS NET variants, update to Version 2.0.

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Disable SNMP if this is supported by the product (refer to the product
    documentation). Disabling SNMP fully mitigates these vulnerabilities.
  o Protect network access to Port 161/UDP of affected devices.
  o Apply cell protection concept and implement defense-in-depth.
  o Use VPN for protecting network communication between cells.

As a general security measure, Siemens strongly recommends users protect network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security, and follow the recommendations in the product manuals. Additional
information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity
For more information on the vulnerabilities and detailed mitigation
instructions, please see Siemens security advisory SSA-978220.

No known public exploits specifically target these vulnerabilities.

- ------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-03)
Siemens SIMATIC CP 1543-1

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC CP 1543-1
  o Vulnerabilities: Improper Access Control, Loop with Unreachable Exit
    Condition

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow for remote code
execution and information disclosure without authentication, or
unauthenticated denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SIMATIC CP 1543-1, including SIPLUS NET
variants, are affected:

  o All versions starting at 2.0 and prior to 2.2

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER ACCESS CONTROL CWE-284

An arbitrary file copy vulnerability in mod_copy of the embedded FTP server
allows for remote code execution and information disclosure without
authentication.

CVE-2019-12815 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 LOOP WITH UNREACHABLE EXIT CONDITION CWE-835

Incorrect handling of overly long commands in the embedded FTP server allows an
attacker to cause a denial-of-service condition by entering an infinite loop.

CVE-2019-18217 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Healthcare and Public Health, Transportation Systems, and Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

The latest update for SIMATIC CP 1543-1 contains fixes for the vulnerabilities
within its embedded ProFTPD FTP server.
Siemens recommends updating SIMATIC CP 1543-1 modules to Version 2.2.

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Disable the embedded FTP server. The server is deactivated in the default
    configuration.
  o Limit access to Port 21/TCP to trusted IP addresses.

As a general security measure, Siemens strongly recommends users protect network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security, and follow the recommendations in the product manuals. Additional
information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information on the vulnerabilities and detailed mitigation
instructions, please see Siemens security advisory SSA-940889.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

No known public exploits specifically target these vulnerabilities.

- ---------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-04)
Siemens PROFINET-IO Stack

Original release date: February 11, 2020

1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: Siemens PROFINET-IO Stack
  o Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a denial-of-service
condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Products that include the Siemens PROFINET-IO (PNIO) stack in versions prior to
v06.00 are affected.
Additionally, Siemens recommends other vendors of PROFINET devices check their
products for vulnerable versions of the Siemens PNIO stack as part of the
Siemens Development/Evaluation Kits.

  o Development/Evaluation Kits for PROFINET IO:
      DK Standard Ethernet Controller: all versions
      EK-ERTEC 200: all versions prior to 4.5
      EK-ERTEC 200P: all versions prior to 4.6
  o PROFINET Driver for Controller: all versions prior to 2.1
  o RUGGEDCOM RM1224: all versions prior to 4.3
  o SCALANCE M-800 / S615: all versions prior to 4.3
  o SCALANCE W700 IEEE 802.11n: all versions prior to 6.0.1
  o SCALANCE X-200 switch family (incl. SIPLUS NET variants): all versions
  o SCALANCE X-200IRT switch family (incl. SIPLUS NET variants): all versions
    prior to 5.3
  o SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants): all
    versions
  o SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG: all versions prior
    to 3.0
  o SCALANCE XM-400 switch family: all versions prior to 6.0
  o SCALANCE XR-500 switch family: all versions prior to 6.0
  o SIMATIC CP 1616 and CP 1604: all versions prior to 2.8
  o SIMATIC CP 343-1 (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 343-1 ERPC: all versions
  o SIMATIC CP 343-1 LEAN (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 443-1 (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 443-1 OPC UA: all versions
  o SIMATIC ET200AL IM 157-1 PN: all versions
  o SIMATIC ET200M IM153-4 PN IO HF (incl. SIPLUS variants): all versions
  o SIMATIC ET200M IM153-4 PN IO ST (incl. SIPLUS variants): all versions
  o SIMATIC ET200MP IM155-5 PN HF (incl. SIPLUS variants): all versions prior
    to 4.2.0
  o SIMATIC ET200MP IM155-5 PN ST (incl. SIPLUS variants): all versions prior
    to 4.1.0
  o SIMATIC ET200S (incl. SIPLUS variants): all versions
  o SIMATIC ET200SP IM155-6 PN Basic (incl. SIPLUS variants): all versions
  o SIMATIC ET200SP IM155-6 PN HF (incl. SIPLUS variants): all versions prior
    to 3.3.1
  o SIMATIC ET200SP IM155-6 PN ST (incl. SIPLUS variants): all versions prior
    to 4.1.0
  o SIMATIC ET200ecoPN (except 6ES7148-6JD00-0AB0 and 6ES7146-6FF00-0AB0): all
    versions
  o SIMATIC ET200pro, IM 154-3 PN HF: all versions
  o SIMATIC ET200pro, IM 154-4 PN HF: all versions
  o SIMATIC IPC Support, Package for VxWorks: all versions
  o SIMATIC MV400 family: all versions
  o SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0 (incl. SIPLUS NET variant): all
    versions
  o SIMATIC RF180C: all versions
  o SIMATIC RF182C: all versions
  o SIMATIC RF600 family: all versions prior to 3
  o SINAMICS DCP: all versions prior to 1.3

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Profinet-IO (PNIO) stack versions prior to v06.00 do not properly limit
internal resource allocation when multiple legitimate diagnostic package
requests are sent to the DCE-RPC interface. This could lead to a
denial-of-service condition due to lack of memory for devices that include a
vulnerable version of the stack.

CVE-2019-13946 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Yuval Ardon and Matan Dobrushin of OTORIO reported this vulnerability to CISA
and Siemens.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends users
update to the new version. Siemens is preparing further updates and recommends
specific countermeasures until patches are available.
  o Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200: Update to v4.5
    Patch 01
  o Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P: Update to v4.6
  o PROFINET Driver for Controller: Update to v2.1 Patch 03
  o SCALANCE M-800 / S615: Update to v6.1.2
  o SCALANCE W700 IEEE 802.11n: Update to v6.4
  o SCALANCE X-200IRT switch family: Update to v5.4.2
  o SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG: Update to v4.1
  o SCALANCE XM-400 switch family: Update to v6.2.3
  o SCALANCE XR-500 switch family: Update to v6.2.3
  o SIMATIC CP 1616 and CP 1604: Update to v2.8.1
  o SIMATIC ET200MP IM155-5 PN HF: Update to v4.2.0
  o SIMATIC ET200MP IM155-5 PN ST: Update to v4.1.0
  o SIMATIC ET200SP IM155-6 PN HF: Update to v4.2.2
  o SIMATIC ET200SP IM155-6 PN ST: Update to v4.1.0
  o SIMATIC RF600 family: Update to v3.2.1
  o SINAMICS DCP: Update to v1.3

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o If possible, disable PROFINET.
  o SCALANCE M-800 / S615 and RUGGEDCOM RM1224: Create a firewall rule that
    blocks the PROFINET Context Manager port (34964/UDP).

As a general security measure, Siemens strongly recommends users protect network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security, and follow the recommendations in the product manuals. Additional
information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information on the vulnerability and more detailed mitigation
instructions, please see Siemens security advisory SSA-780073.

For more information on this vulnerability see also ICS Advisory ICSA-19-353-01
Moxa EDS Ethernet Switches.

No known public exploits specifically target this vulnerability.
- ------------------------------------------------------------------------------- ICS Advisory (ICSA-20-042-05) Siemens SIMATIC S7 (Update B) Original release date: April 14, 2020 Legal Notice All information products included in https://us-cert.gov/ics are provided"as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://www.us-cert.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 5.3 o ATTENTION: Exploitable remotely/low skill level to exploit o Vendor: Siemens o Equipment: SIMATIC S7 o Vulnerability: Uncontrolled Resource Consumption (Resource Exhaustion) 2. UPDATE INFORMATION This updated advisory is a follow-up to the advisory update titled ICSA-20-042-05 Siemens SIMATIC S7 (Update A) that was published March 10, 2020, to the ICS webpage on us-cert.gov. 3. RISK EVALUATION Successful exploitation of this vulnerability could allow remote attackers to perform a denial-of-service attack by sending a specially crafted HTTP request to the web server of an affected device. 4. TECHNICAL DETAILS 4.1 AFFECTED PRODUCTS The following versions of SIMATIC S7 devices are affected: o SIMATIC S7-1200 CPU family (incl. SIPLUS variants) all versions prior to v4.1 o SIMATIC S7-300 PN/DP CPU family (incl. related ET200 CPUs and SIPLUS variants) all versions prior to V3.x.17 o SIMATIC S7-400 PN/DP v6 and below CPU family (incl. SIPLUS variants) all versions o SIMATIC S7-400 PN/DP v7 CPU family (incl. 
SIPLUS variants) all versions - --------- Begin Update B Part 1 of 1 --------- o SIMATIC WinAC (F) 2010 all versions - --------- End Update B Part 1 of 1 --------- 4.2 VULNERABILITY OVERVIEW 4.2.1 UNCONTROLLED RESOURCE CONSUMPTION ('RESOURCE EXHAUSTION') CWE-400 Affected devices contain a vulnerability that could cause a denial-of-service condition of the web server by sending specially crafted HTTP requests to Ports 80/TCP and 443/TCP. CVE-2019-13940 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/ I:N/A:L ). 4.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Germany 4.4 RESEARCHER China Industrial Control Systems Cyber Emergency Response Team (CIC) reported this vulnerability to Siemens. 5. MITIGATIONS Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk: o Restrict access to the device to the internal or VPN network. Further, if possible, restrict access to the web server (80/TCP, 443/TCP) to trusted IP addresses. o If possible, disable the integrated web server. The web server is disabled in the default settings and its use is optional. o For SIMATIC S7-1200 CPU family (including SIPLUS variants) Siemens recommends affected users update to v4.1 or any later version. o For SIMATIC S7-300 PN/DP CPU family (including related ET200 CPUs and SIPLUS variants), Siemens recommends affected users update to v3.X.17 or later version. For more information on this vulnerability and associated software updates, please see Siemens security advisory SSA-431678 CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. 
Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and
  ensure that they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls, and
  isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
  Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be
  updated to the most current version available. Also recognize that VPN is
  only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-06)
Siemens SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC
Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

o CVSS v3 7.5
o ATTENTION: Exploitable remotely/low skill level to exploit
o Vendor: Siemens
o Equipment: SIMATIC PCS 7, SIMATIC WinCC, SIMATIC NET PC
o Vulnerability: Incorrect Calculation of Buffer Size

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with
network access to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SIMATIC software are affected:

o OpenPCS 7 v8.1 all versions
o OpenPCS 7 v8.2 all versions
o OpenPCS 7 v9.0 all versions
o SIMATIC BATCH v8.1 all versions
o SIMATIC BATCH v8.2 all versions
o SIMATIC BATCH v9.0 all versions
o SIMATIC NET PC Software all versions
o SIMATIC PCS 7 v8.1 all versions
o SIMATIC PCS 7 v8.2 all versions
o SIMATIC PCS 7 v9.0 all versions
o SIMATIC Route Control v8.1 all versions
o SIMATIC Route Control v8.2 all versions
o SIMATIC Route Control v9.0 all versions
o SIMATIC WinCC (TIA Portal) v13 all versions prior to v13 SP2
o SIMATIC WinCC (TIA Portal) v14.0.1 all versions
o SIMATIC WinCC (TIA Portal) v15.1 all versions
o SIMATIC WinCC (TIA Portal) v16 all versions
o SIMATIC WinCC v7.3 all versions
o SIMATIC WinCC v7.4 all versions
o SIMATIC WinCC v7.5 all versions prior to v7.5.1 Upd1

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT CALCULATION OF BUFFER SIZE CWE-131

Through specially crafted messages, when encrypted communication is enabled, an
attacker with network access could compromise the availability of the system by
causing a denial-of-service condition.

CVE-2019-19282 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy,
  Food and Agriculture, Water and Wastewater Systems
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nicholas Miles from Tenable reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations:

o Apply cell protection concept
o Use VPN for protecting network communication between cells
o Apply Defense-in-Depth

For SIMATIC WinCC (TIA Portal) v13, Siemens recommends affected users update to
v13 SP2 or higher.
For SIMATIC WinCC v7.5, Siemens recommends affected users update to v7.5.1 Upd1
or higher.

For more information on this vulnerability and associated software updates,
please see Siemens security advisory SSA-270778.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and
  ensure that they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls, and
  isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
  Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be
  updated to the most current version available. Also recognize that VPN is
  only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services.
You can help by choosing one of the links below to provide feedback about this
product.

- ---------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-07)
Siemens SCALANCE X Switches
Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

o CVSS v3 4.2
o ATTENTION: Exploitable remotely/low skill level to exploit
o Vendor: Siemens
o Equipment: SCALANCE X switches
o Vulnerability: Protection Mechanism Failure

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to
perform administrative actions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SCALANCE X Switches, used to connect industrial
components, are affected:

o SCALANCE X-200 switch family (including SIPLUS NET variants): All versions
  prior to Version 5.2.4
o SCALANCE X-200IRT switch family (including SIPLUS NET variants): All versions
o SCALANCE X-300 switch family (including X408 and SIPLUS NET variants): All
  versions prior to Version 4.1.3

3.2 VULNERABILITY OVERVIEW

3.2.1 PROTECTION MECHANISM FAILURE CWE-693

The device does not send the X-Frame-Options header in the administrative web
interface, which makes it vulnerable to click-jacking attacks.

CVE-2019-13924 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L).
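The CWE-693 entry above comes down to one missing response header. The following check, an added example that is not part of the advisory or of Siemens' firmware, classifies a web interface's response headers by whether a browser would refuse to frame the page, covering both X-Frame-Options and the CSP frame-ancestors directive that supersedes it; `frame_protection`, `fetch_headers` and the sample header sets are constructed for this example.

```python
"""Audit a web interface's response headers for framing protection.

Added example, not part of the ICS advisory or of Siemens' firmware: it
classifies a response from an administrative web interface by whether a
browser would refuse to embed it in a frame, i.e. whether the X-Frame-Options
header (or the CSP frame-ancestors directive that supersedes it) is present
and effective.
"""
from __future__ import annotations

import http.client
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

Header = Tuple[str, str]


@dataclass(frozen=True)
class FrameVerdict:
    protected: bool  # True when browsers will refuse to frame the page
    mechanism: str   # "csp", "xfo" or "none"
    detail: str      # reason, for an audit report


def _frame_ancestors(csp_value: str) -> Optional[Sequence[str]]:
    """Return the frame-ancestors source list, or None if the policy has none."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def frame_protection(headers: Iterable[Header]) -> FrameVerdict:
    """Classify a response by its X-Frame-Options and CSP frame-ancestors headers.

    Header names are compared case-insensitively. A CSP frame-ancestors
    directive takes precedence: when it is present, browsers ignore
    X-Frame-Options, so the verdict is based on the CSP alone in that case.
    """
    xfo_values: List[str] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy":
            sources = _frame_ancestors(value)
            if sources is None:
                continue
            # '*' or a bare scheme such as "https:" lets any site frame the page.
            permissive = [s for s in sources if s == "*" or s.lower() in ("http:", "https:")]
            if permissive:
                return FrameVerdict(False, "csp",
                                    "frame-ancestors allows any origin: " + " ".join(permissive))
            # An empty source list permits no ancestors at all, like 'none'.
            shown = " ".join(sources) or "'none'"
            return FrameVerdict(True, "csp", "frame-ancestors " + shown)
        if lname == "x-frame-options":
            xfo_values.append(value.strip().upper())

    if not xfo_values:
        return FrameVerdict(False, "none",
                            "neither X-Frame-Options nor CSP frame-ancestors is set")
    if len(set(xfo_values)) > 1:
        # Conflicting values are a configuration fault; report them as a finding.
        return FrameVerdict(False, "xfo",
                            "conflicting X-Frame-Options values: " + ", ".join(xfo_values))
    value = xfo_values[0]
    if value in ("DENY", "SAMEORIGIN"):
        return FrameVerdict(True, "xfo", "X-Frame-Options: " + value)
    # ALLOW-FROM is obsolete; current browsers ignore it and any other value.
    return FrameVerdict(False, "xfo", "X-Frame-Options value not honoured by browsers: " + value)


def fetch_headers(host: str, path: str = "/", port: int = 443,
                  use_tls: bool = True, timeout: float = 5.0) -> List[Header]:
    """Issue one GET to a web interface and return its response headers."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured from any real device).
SAMPLES = {
    "no-header": [("Server", "embedded-httpd"), ("Content-Type", "text/html")],
    "xfo-sameorigin": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "csp-self": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    # The CSP wins over the stricter X-Frame-Options header here, so this one is open.
    "csp-wildcard": [("Content-Security-Policy", "frame-ancestors *"), ("X-Frame-Options", "DENY")],
    "xfo-obsolete": [("X-Frame-Options", "ALLOW-FROM https://example.invalid")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        v = frame_protection(hdrs)
        state = "protected" if v.protected else "UNPROTECTED"
        print(f"{label:15} {state:12} [{v.mechanism}] {v.detail}")
```

To audit a live device, pass `fetch_headers(host)` to `frame_protection` in place of one of the constructed sample sets.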
3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released updates, which are recommended to be applied when
possible:

o SCALANCE X-200 switch family (including SIPLUS NET variants): Version 5.2.4
o SCALANCE X-300 switch family (including X408 and SIPLUS NET variants):
  Version 4.1.3

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

o Only access links from trusted sources in the browser you use to configure
  the SCALANCE X switches.

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security, and follow the recommendations in the product manuals. Additional
information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information see Siemens security advisory SSA-951513.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

o Not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
  avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
  information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov.
Several recommended practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-08)
Siemens SIPORT MP
Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

o CVSS v3 6.5
o ATTENTION: Exploitable remotely/low skill level to exploit
o Vendor: Siemens
o Equipment: SIPORT MP
o Vulnerability: Insufficient logging

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow the attacker to
create special accounts with administrative privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

o SIPORT MP: All versions prior to 3.1.4 are affected

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT LOGGING CWE-778

Vulnerable versions of the device allow the creation of special accounts
(service users) with administrative privileges that could enable a remote
authenticated attacker to perform actions that are not visible to other users
of the system, such as granting persons access to a secured area.

CVE-2019-19277 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Government Facilities
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens recommends users to update to Version 3.1.4 (login required).

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

o For SIPORT MP Versions 3.0.x, apply the latest hotfix for Version 3.0.3
o For SIPORT MP Versions 2.2 and later, apply the SIPORT_CleanUsers tool.

As a general security measure Siemens strongly recommends users protect network
access to affected products with appropriate mechanisms. It is advised to
follow recommended security practices in order to run the devices in a
protected IT environment. Additional information on Industrial Security by
Siemens can be found at: https://www.siemens.com/industrialsecurity

For more information see the Siemens security advisory.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and
  ensure that they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls, and
  isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
  Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be
  updated to the most current version available. Also recognize that VPN is
  only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-09)
Siemens OZW Web Server
Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within.
DHS does not endorse any commercial product or service, referenced in this
product or otherwise. Further dissemination of this product is governed by the
Traffic Light Protocol (TLP) marking in the header. For more information about
TLP, see https://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

o CVSS v3 5.3
o ATTENTION: Exploitable remotely/low skill level to exploit
o Vendor: Siemens
o Equipment: OZW web server
o Vulnerability: Information disclosure

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow unauthenticated users
to access project files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of OZW web server are affected:

o OZW672 and OZW772: All versions prior to 10.0

3.2 VULNERABILITY OVERVIEW

3.2.1 INFORMATION DISCLOSURE CWE-552

Vulnerable versions of OZW web server use predictable path names for project
files that legitimately authenticated users have created by using the
application's export function. By accessing a specific uniform resource locator
on the web server, a remote attacker could be able to download a project file
without prior authentication.

CVE-2019-13941 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Government Facilities
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Maxim Rupp reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends users to update OZW672 and OZW772 to version 10.0.

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

o Configure the product according to the OZW hardening guidelines.
o Restrict access to the device to the internal or VPN network. Further, if
  possible, restrict access to the OZW Web Server to trusted IP addresses.
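The CWE-552 weakness above has two parts: the export file's path can be inferred, and the download is not tied to a login. The following added example (not from the advisory or from the OZW firmware) puts the predictable naming pattern beside an export store that names each file with a random token, writes it with owner-only permissions, and hands it back only to the authenticated user who created it; `ExportStore`, `predictable_export_name` and the sample payload are hypothetical.

```python
"""Unguessable, owner-bound storage for exported project files.

Added example, not from the advisory or from the OZW firmware: it shows the
CWE-552 pattern (an export whose path follows from data an outsider can infer)
beside a store that names each export with a random token and releases it only
to the authenticated user who created it.
"""
from __future__ import annotations

import os
import secrets
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional


def predictable_export_name(project: str) -> str:
    """The weak pattern: the file name is fully determined by the project name."""
    return f"{project}_export.xml"


@dataclass(frozen=True)
class ExportRecord:
    owner: str
    path: Path


class ExportStore:
    """Stores exports under random names and gates downloads on the creator's identity."""

    def __init__(self, root: Path) -> None:
        self.root = root
        self._records: Dict[str, ExportRecord] = {}  # token -> record

    @classmethod
    def in_temp_dir(cls) -> "ExportStore":
        """Convenience constructor backed by a fresh private temporary directory."""
        return cls(Path(tempfile.mkdtemp(prefix="exports-")))

    def create(self, owner: str, payload: bytes) -> str:
        """Write an export for `owner` and return the token needed to fetch it."""
        token = secrets.token_urlsafe(32)  # 256 random bits; not enumerable
        path = self.root / f"{token}.xml"
        # O_EXCL refuses to overwrite an existing file; 0o600 keeps other local users out.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
        self._records[token] = ExportRecord(owner, path)
        return token

    def download(self, user: Optional[str], token: str) -> bytes:
        """Return the export only to an authenticated user who owns it.

        A missing token and someone else's token raise the same error, so a
        caller learns nothing about whether a token exists.
        """
        if user is None:
            raise PermissionError("authentication required")
        record = self._records.get(token)
        if record is None or record.owner != user:
            raise LookupError("no such export")
        return record.path.read_bytes()

    def revoke(self, token: str) -> None:
        """Delete an export so that its token can never be redeemed again."""
        record = self._records.pop(token, None)
        if record is not None:
            record.path.unlink(missing_ok=True)

    def path_for(self, token: str) -> Optional[Path]:
        """Filesystem location of a stored export (None once revoked or unknown)."""
        record = self._records.get(token)
        return record.path if record else None


def owner_only(path: Path) -> bool:
    """True when no group/other permission bits are set (always True on non-POSIX)."""
    if os.name != "posix":
        return True
    return (path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    store = ExportStore.in_temp_dir()
    token = store.create("alice", b"<project name='Plant01'/>")  # constructed payload
    print("predictable:", predictable_export_name("Plant01"))
    print("token-based:", store.path_for(token).name, "owner-only:", owner_only(store.path_for(token)))
    print("alice:", store.download("alice", token))
    for who in (None, "bob"):
        try:
            store.download(who, token)
        except (PermissionError, LookupError) as exc:
            print(f"{who!r}: refused ({exc})")
```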
As a general security measure Siemens strongly recommends users protect network
access to affected products with appropriate mechanisms. It is advised to
follow recommended security practices in order to run the devices in a
protected IT environment.

For more information refer to SSA-986695.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and
  ensure that they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls, and
  isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
  Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be
  updated to the most current version available. Also recognize that VPN is
  only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ----------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-10)
Siemens SCALANCE S-600
Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

o CVSS v3 7.5
o ATTENTION: Exploitable remotely
o Vendor: Siemens
o Equipment: SCALANCE S-600 Firewall
o Vulnerabilities: Resource Exhaustion, Cross-site Scripting

2. RISK EVALUATION

These vulnerabilities could allow a remote attacker to conduct
denial-of-service or cross-site scripting attacks. User interaction is required
for a successful exploitation of the cross-site-scripting attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SCALANCE S-600 are affected:

o SCALANCE S602, all versions v3.0 or higher
o SCALANCE S612, all versions v3.0 or higher
o SCALANCE S623, all versions v3.0 or higher
o SCALANCE S627-2M, all versions v3.0 or higher

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-80

The integrated configuration web server of the affected devices could allow
cross-site scripting (XSS) attacks if unsuspecting users are tricked into
accessing a malicious link.
CVE-2019-6585 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

3.2.2 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Specially crafted packets sent to Port 443/TCP of affected devices could cause
a denial-of-service condition of the web server.

CVE-2019-13925 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Specially crafted packets sent to Port 443/TCP of affected devices could cause
a denial-of-service condition of the web server. A cold reboot is required to
restore the functionality of the device.

CVE-2019-13926 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Information Technology
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Melih Berk Eksioglu reported some of these vulnerabilities to Siemens.

4. MITIGATIONS

For SCALANCE S602 v3.0, Siemens recommends only accessing links from trusted
sources in the browser you use to access the SCALANCE S administration website.

For SCALANCE S612, all versions v3.0 or higher, SCALANCE S623, all versions
v3.0 or higher, and SCALANCE S627-2M, all versions v3.0 or higher, Siemens
recommends migrating to SCALANCE SC-600 Industrial Security Appliances.

For more information on these vulnerabilities and associated software updates,
please see Siemens security advisory SSA-591405.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should take the
following measures to protect themselves from social engineering attacks:

o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
  avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
  information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================