Siemens Security Advisory by Siemens ProductCERT

SSA-345843: Vulnerabilities in WinCC 7.2
Publication Date: 2013-06-14
Last Update: 2013-06-24
Current Version: V1.1
CVSS Overall Score: 5.9
Summary:
WinCC Web Navigator is susceptible to three vulnerabilities which could be exploited over the
network. The first vulnerability is a SQL injection vulnerability which compromises the
confidentiality, integrity and availability of the affected system. The remaining two
vulnerabilities are located in the Web Navigator login and session management. If attackers
exploit such vulnerabilities they could circumvent the authentication or guess user names.
Siemens provides an update which fixes these vulnerabilities.
AFFECTED PRODUCTS
The following product versions are affected:
WinCC 7.2 and earlier
SIMATIC PCS7 V8.0 SP1 and earlier
DESCRIPTION
The Web Navigator component of WinCC gives users the possibility to control their plants via
web browser with the same look-and-feel as local operator stations. This Web Navigator
application is affected by three different vulnerabilities. Attackers might access the Web
Navigator web application as an authenticated user or perform read and write operations on
the WinCC SQL database.
Detailed information about the vulnerabilities is provided below.
VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed by using the CVSSv2 scoring system
(http://www.first.org/cvss/). The CVSS environmental score is specific to the customer's
environment and will impact the overall CVSS score. The environmental score should
therefore be individually defined by the customer to accomplish final scoring.
Vulnerability 1 (CVE-2013-3957)
Attackers might overcome the input filtering of the WinCC Web Navigator login screen
and inject SQL statements into queries. By manipulating the database, the attacker can
elevate his rights and, depending on the system configuration, might be able to gain full
system access.
CVSS Base Score: 7.5
CVSS Temporal Score: 5.9
CVSS Overall Score: 5.9 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Vulnerability 2 (CVE-2013-3958)
Hard-coded credentials are used in the Web Navigator login mechanism. Attackers with
network access and knowledge of the credentials could log into the Web Navigator web
application as an authenticated user.
CVSS Base Score: 7.5
CVSS Temporal Score: 5.9
CVSS Overall Score: 5.9 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Vulnerability 3 (CVE-2013-3959)
A user with authenticated access to the Web Navigator web application can probe for
valid NetBIOS user names by manipulating URL parameters.
CVSS Base Score: 4.0
CVSS Temporal Score: 3.1
CVSS Overall Score: 3.1 (AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C)
Mitigating factors:
The first two vulnerabilities can only be exploited if the attacker has network access to
the Web Navigator web interface.
SOLUTION
Siemens provides WinCC 7.2 Update 1 [1], which fixes the described vulnerabilities for both
affected products. Siemens recommends installing the update as soon as possible.
Note: Users of SIMATIC PCS7 with a version earlier than V8.0 SP1 must upgrade to this
version first, and then install WinCC 7.2 Update 1.
As a further mitigation measure, Siemens strongly recommends protecting the network access
to the Web Navigator web interface with appropriate mechanisms.
In general, Siemens strongly recommends protecting systems according to recommended
security practices [4] and configuring the environment according to operational guidelines [2]
in order to run the affected software components in a protected IT environment.
ACKNOWLEDGEMENT
Siemens thanks the following for their support and efforts:
Alexander Tlyapov, Sergey Gordeychik and Timur Yunusov from Positive
Technologies for coordinated disclosure of the vulnerabilities.
ADDITIONAL RESOURCES
1. The patch can be obtained here:
http://support.automation.siemens.com/WW/view/en/73443294
2. An overview of the operational guidelines for Industrial Security (with the cell protection
concept):
http://www.industry.siemens.com/topics/global/en/industrialsecurity/Documents/operational_guidelines_industrial_security_en.pdf
3. Information about Industrial Security by Siemens:
http://www.siemens.com/industrialsecurity
4. Recommended security practices by US-CERT:
http://ics-cert.us-cert.gov/content/recommended-practices
5. For further inquiries on vulnerabilities in Siemens products and solutions, please
contact the Siemens ProductCERT:
http://www.siemens.com/cert/advisories
HISTORY DATA
V1.0 (2013-06-14):
Publication Date
V1.1 (2013-06-24):
Updated Acknowledgement Section and Additional Resources
DISCLAIMER
See: http://www.siemens.com/terms_of_use
© Siemens AG 2013