copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2012.0396 - [Appliance] Scalance S Security Modules: Multiple vulnerabilities

Date: 20 April 2012

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0396
ICSA-12-102-05 Siemens Scalance S Security Modules Multiple Vulnerabilities
                               20 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Scalance S602 V2
                   Scalance S612 V2
                   Scalance S613 V2
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-1800 CVE-2012-1799 

Original Bulletin: 
   http://www.us-cert.gov/control_systems/pdf/ICSA-12-102-05.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT ADVISORY

ICSA-12-102-05 SIEMENS SCALANCE S SECURITY MODULES MULTIPLE VULNERABILITIES

April 11, 2012

OVERVIEW

ICS-CERT has received a report from Siemens regarding two security 
vulnerabilities in the s firewall. This vulnerability 
was reported to Siemens by Adam Hahn and Manimaran Govindarasu for coordinated 
disclosure.

The first issue is a brute-force credential guessing vulnerability in the web 
configuration interface of the firewall. The second issue is a stack-based 
buffer overflow vulnerability in the Profinet DCP protocol stack.

Siemens has published a patch that resolves both of the identified 
vulnerabilities.

AFFECTED PRODUCTS

The following Scalance S Security Modules are affected:
 Scalance S602 V2
 Scalance S612 V2
 Scalance S613 V2

IMPACT

Successful exploitation of the brute-force vulnerability may allow an attacker 
to perform an arbitrary number of authentication attempts using different 
password and eventually gain access to the targeted account.

Successful exploitation of the stack-based buffer overflow against the Profinet 
DCP protocol may lead to a denial of service (DoS) condition or possible 
arbitrary code execution.

Impact to individual organizations depends on many factors that are unique to 
each organization. ICS-CERT recommends that organizations evaluate the impact 
of these vulnerabilities based on their operational environment, architecture, 
and product implementation.

BACKGROUND

The Scalance S product is a security module that includes a Stateful 
Inspection Firewall for industrial automation network applications. This 
security module is intended to protect automation devices and industrial 
networks against unauthorized access and to secure Ethernet-based 
industrial communication. This Siemens product is intended to protect trusted 
industrial networks from outside facing or untrusted networks. All Scalance S 
Security Modules provide filtering of incoming and outgoing network connections 
with stateful packet inspection.

This product is used predominately in Europe and Asia with a small US 
footprint. The primary sectors deploying Scalance S are Automotive, Defense 
Industrial Base, Energy, Critical Manufacturing, Transportation Systems, 
Chemical, and Water.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

BRUTE-FORCE VULNERABILITY a

The web server in the Scalance S Security Module does not implement sufficient 
measures to prevent rapid multiple authentication attempts within a short 
timeframe, making it susceptible to brute-force attacks by attackers with 
access to the web server. If the administrative password is found, the attacker 
can manipulate the configuration and gain access to the trusted network.

CVE-2012-1799 has been assigned to this vulnerability. A CVSS V2 base 
score of 10.0 has also been assigned. b

STACK-BASED OVERFLOW c

The Scalance S DCP protocol stack crashes when a specially crafted DCP frame 
is received, which may renders the firewall unresponsive and interrupts 
established VPN tunnels. Successful exploitation of this vulnerability may 
lead to a denial of service (DoS) condition or possible arbitrary code 
execution.

CVE-2012-1800 has been assigned to this vulnerability. Siemens has 
assigned a CVSS V2 base score of 6.1. d

VULNERABILITY DETAILS 

EXPLOITABILITY

These vulnerabilities are remotely exploitable.

a. http://cwe.mitre.org/data/definitions/307.html, CWE-307: Improper 
Restriction of Excessive Authentication Attempts, website last accessed 
April 11, 2012
b. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1799, NIST 
uses this advisory to create the CVE website report. This website will be 
active sometime after publication of this advisory.
c. http://cwe.mitre.org/data/definitions/121.html , CWE-1121: Stack-based 
buffer Overflow, website last accessed April 11, 2012
d. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1800, NIST uses 
this advisory to create the CVE website report. This website will be active 
sometime after publication of this advisory.

EXISTENCE OF EXPLOIT

No known exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a moderate skill level would be able to exploit these 
vulnerabilities.

MITIGATION

Siemens has published a patch that resolves both of the identified 
vulnerabilities and strongly recommends installing the updates by using 
the following links:
 The Siemens Security Advisory is available at: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-268149.pdf
 The firmware update is published on the following web site: http://support.automation.siemens.com/WW/view/en/59869684
 Information about industrial security by Siemens: http://www.siemens.com/industrialsecurity
 Recommended security practices by US-CERT: http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html
 For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: http://www.siemens.com/cert

ICS-CERT encourages asset owners to take additional defensive measures to 
protect against this and other cybersecurity risks.

 Minimize network exposure for all control system devices. Critical devices 
 should not directly face the Internet.

 Locate control system networks and remote devices behind firewalls, and isolate 
 them from the business network.

 When remote access is required, use secure methods, such as Virtual Private 
 Networks (VPNs), recognizing that VPN is only as secure as the connected
 devices.

The Control Systems Security Program (CSSP) also provides a section for control 
systems security recommended practices on the CSSP web page. Several 
recommended practices are available for reading and download, including 
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth 
Strategies.

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for 
tracking and correlation against other incidents. ICS-CERT reminds 
organizations to perform proper impact analysis and risk assessment prior to 
taking defensive measures.

e. CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html, website last accessed April 11, 2012.

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:
E-mail: ics-cert@dhs.gov Toll Free: 1-877-776-7585 For CSSP Information and 
Incident Reporting: www.ics-cert.org

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide 
awareness or solicit feedback from critical infrastructure owners and
 operators concerning ongoing cyber events or activity with the potential to 
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for 
vulnerability discovery is always provided to the vulnerability reporter 
unless the reporter notifies ICS-CERT that they wish to remain anonymous. 
ICS-CERT encourages researchers to coordinate vulnerability details before
public release. The public release of vulnerability details prior to the 
development of proper mitigations may put industrial control systems and the
public at avoidable risk.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT5EA4O4yVqjM2NGpAQIZBBAAsy0syf7RwHG0oFrQP+Rp2IART1O8q0qW
b7xyiDjPGCyTOdKFZt1DmuhNXo2m8WWMz3Wzin2NBupwaxVaf3n4jV1jfo45hArr
MTrnmcCus8ANM1lY49SnxCQrY7RG2lx3YuC5gEgDT9uK/H4AgHe6jdStCXIzM62p
kmhwOLcbBkyam+cjhIxKa5uAbiHwNlMJL6fk6mVySpAhgtqe4TEICEX7xHz8Fsnm
pho1YnJKLAMBxmh2OEdZOn0CNyteRjiIr+BgOvK54axdqQe+kwLASIuT6MuW+YJo
UZY4WOjQRxDrH/ZMgZQEFJxi/+BvNTSeKRfyiSD8Knj5HsOAXjZ+VqEZpjgpsqjE
aHRC3K+u+i4TQUxNTvB/eX4nJDL16jzNq0K8MjhPYdoBTKDSb6Ks6j4OIQttFvJ/
uSUZ6TDQMr2JLLGdpS3KWzNQraQcd2pZugGEToqfXb6yLKIYVeNO/4MSxmVGKlt4
Fx9bFctLz2W4ZuaatZhcmxkwJXbxdi5jZhqS/cz9T09MPXSJuFVeM9v23KHcvAho
Cy38VnwpKCDrcXj6ZL8oUwPq7iTqSu5BPqyiCVHU/BKUT/mnk5QS+NvwOpFUwkQF
jeWyXvNKOzpXdAAzf9d8G3Vy6WeQW303i235+KgUxAJ7LyN0vAXbI35Fw9sSPY+/
goTjZJPiLLg=
=yQT7
-----END PGP SIGNATURE-----