Siemens Security Advisory by Siemens ProductCERT

SSA-487246: Vulnerabilities in SIMATIC HMI Devices

Publication Date: 2015-04-08
Last Update: 2015-08-27
Current Version: 1.2
CVSS Overall Score: 5.6

Summary:
The latest updates for the affected products fix three vulnerabilities. The most severe of these vulnerabilities could allow an attacker to perform a Denial-of-Service attack against HMI panels under certain conditions.

AFFECTED PRODUCTS

· SIMATIC HMI Basic Panels 2nd Generation:
  o V13: All versions < WinCC (TIA Portal) V13 SP1 Upd2
· SIMATIC HMI Comfort Panels:
  o V12: All versions < WinCC (TIA Portal) V12 SP1 Upd5
  o V13: All versions < WinCC (TIA Portal) V13 SP1 Upd2
· SIMATIC WinCC Runtime Advanced:
  o V12: All versions < WinCC Runtime Advanced V12 SP1 Upd5
  o V13: All versions < WinCC Runtime Advanced V13 SP1 Upd2
· SIMATIC WinCC Runtime Professional:
  o V13: All versions < WinCC (TIA Portal) V13 SP1 Upd2
· SIMATIC HMI Basic Panels 1st Generation (WinCC TIA Portal):
  o V12: All versions < WinCC (TIA Portal) V12 SP1 Upd5
  o V13: All versions < WinCC (TIA Portal) V13 SP1 Upd4
· SIMATIC HMI Mobile Panel 277 (WinCC TIA Portal):
  o V12: All versions < WinCC (TIA Portal) V12 SP1 Upd5
  o V13: All versions < WinCC (TIA Portal) V13 SP1 Upd4
· SIMATIC HMI Multi Panels (WinCC TIA Portal):
  o V12: All versions < WinCC (TIA Portal) V12 SP1 Upd5
  o V13: All versions < WinCC (TIA Portal) V13 SP1 Upd4
· SIMATIC NET PC-Software V12 and V13:
  o SIMATIC NET PC-Software V12: All versions < V12 SP2 HF3
  o SIMATIC NET PC-Software V13: All versions < V13 HF1
· SIMATIC WinCC V7.X:
  o All versions prior to V7.2
  o V7.2: All versions < V7.2 Upd11
  o V7.3: All versions < V7.3 Upd4
· SIMATIC Automation Tool: All versions < V1.0.2

SSA-487246 © Siemens AG 2015 Page 1 of 4

DESCRIPTION

SIMATIC HMI Panels, SIMATIC WinCC Runtime Advanced, and SIMATIC WinCC Runtime Professional are used for operator control and monitoring of machines and plants.

SIMATIC NET PC-Software is required for communication between controllers (SIMATIC S7 controllers) and PC-based solutions (e.g. SIMATIC WinCC).

SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system. It is used to monitor and control physical processes involved in industry and infrastructure on a large scale and over long distances.

SIMATIC Automation Tool allows commissioning, adjusting and servicing in combination with S7-1200 and S7-1500 controllers without an engineering framework.

Detailed information about the vulnerabilities is provided below.

VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

Vulnerability 1 (CVE-2015-1601)

Attackers with access to the network path between PLCs and their communication partners could possibly intercept or modify Siemens industrial communications at port 102/tcp and conduct a Man-in-the-Middle attack.

This vulnerability affects all listed products.

CVSS Base Score: 5.8
CVSS Temporal Score: 4.5
CVSS Overall Score: 4.5
(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

Vulnerability 2 (CVE-2015-2822)

Attackers with access to the network path between an HMI panel and a PLC (Man-in-the-Middle) could possibly conduct a Denial-of-Service attack against the HMI panel by sending specially crafted packets to the HMI (port 102/tcp).

This vulnerability affects SIMATIC WinCC Comfort Panels and SIMATIC WinCC Runtime Advanced.

CVSS Base Score: 7.1
CVSS Temporal Score: 5.6
CVSS Overall Score: 5.6
(AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C)

Vulnerability 3 (CVE-2015-2823)

If attackers obtain password hashes for SIMATIC WinCC users, they could possibly use the hashes to authenticate themselves.
This vulnerability affects SIMATIC WinCC.

CVSS Base Score: 6.8
CVSS Temporal Score: 5.3
CVSS Overall Score: 5.3
(AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Mitigating factors

For vulnerabilities 1 and 2, the attacker must have access to the network path between the communicating parties. For vulnerability 3, the attacker must obtain a password hash. Siemens recommends operating the affected products only within trusted networks [10].

SOLUTION

Siemens provides updates for the following products and recommends that customers update to the new fixed versions:

· SIMATIC HMI Basic Panels 2nd Generation:
  o V13: Update to WinCC (TIA Portal) V13 SP1 Upd2 [1]
· SIMATIC HMI Comfort Panels:
  o V12: Update to WinCC (TIA Portal) V12 SP1 Upd5 [7]
  o V13: Update to WinCC (TIA Portal) V13 SP1 Upd2 [1]
· SIMATIC WinCC Runtime Advanced:
  o V12: Update to V12 SP1 Upd5 [8]
  o V13: Update to V13 SP1 Upd2 [2]
· SIMATIC WinCC Runtime Professional:
  o V13: Update to V13 SP1 Upd2 [3]
· SIMATIC HMI Basic Panels 1st Generation (WinCC TIA Portal):
  o V12: Update to WinCC (TIA Portal) V12 SP1 Upd5 [7]
  o V13: Update to WinCC (TIA Portal) V13 SP1 Upd4 [1]
· SIMATIC HMI Mobile Panel 277 (WinCC TIA Portal):
  o V12: Update to WinCC (TIA Portal) V12 SP1 Upd5 [7]
  o V13: Update to WinCC (TIA Portal) V13 SP1 Upd4 [1]
· SIMATIC HMI Multi Panels (WinCC TIA Portal):
  o V12: Update to WinCC (TIA Portal) V12 SP1 Upd5 [7]
  o V13: Update to WinCC (TIA Portal) V13 SP1 Upd4 [1]
· SIMATIC NET PC-Software V12 and V13:
  o SIMATIC NET PC-Software V12: Update to V12 SP2 HF3 [4]
  o SIMATIC NET PC-Software V13: Update to V13 HF1 [4]
· SIMATIC WinCC V7.X:
  o V7.2 and all versions prior to V7.2: Update to V7.2 Upd11 [9]
  o V7.3: Update to V7.3 Upd4 [5]
· SIMATIC Automation Tool: Update to V1.0.2 [6]

Until the patches can be applied, Siemens recommends that customers mitigate the risk to their products by implementing the following steps:

· Apply the cell protection concept [10]
· Use VPN to protect network communication between cells
· Apply Defense-in-Depth [11]

As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms. It is advised to configure the environment according to our operational guidelines [10] in order to run the devices in a protected IT environment.

ACKNOWLEDGEMENT

Siemens thanks the following for their support and efforts:

· Quarkslab team for coordinated disclosure of vulnerabilities 1 and 2.
· Ilya Karpov from Positive Technologies for coordinated disclosure of vulnerability 3.

ADDITIONAL RESOURCES

[1] Update 4 and Update 2 for SIMATIC WinCC (TIA Portal) V13 SP1 can be obtained here: https://support.industry.siemens.com/cs/ww/en/view/109311724
[2] Update 2 for SIMATIC WinCC Runtime Advanced V13 SP1 can be obtained here: https://support.industry.siemens.com/cs/ww/en/view/109311423
[3] Update 2 for SIMATIC WinCC Runtime Professional V13 SP1 can be obtained here: https://support.industry.siemens.com/cs/ww/en/view/109439573
[4] Updates for SIMATIC NET PC-Software can be obtained here: https://support.industry.siemens.com/cs/ww/en/view/109475388
[5] Update 4 for SIMATIC WinCC V7.3 can be obtained here: https://support.industry.siemens.com/cs/de/en/view/109475497
[6] Update 2 for SIMATIC Automation Tool can be obtained here: https://support.industry.siemens.com/cs/ww/en/view/98161300
[7] Update 5 for SIMATIC WinCC (TIA Portal) V12 SP1 can be obtained here: https://support.industry.siemens.com/cs/ww/en/view/78683919
[8] Update 5 for SIMATIC WinCC Runtime Advanced V12 SP1 can be obtained here: https://support.industry.siemens.com/cs/ww/en/view/79684570
[9] Update 11 for SIMATIC WinCC V7.2 can be obtained here: https://support.industry.siemens.com/cs/de/en/view/109478834
[10] An overview of the operational guidelines for Industrial Security (with the cell protection concept): https://www.siemens.com/cert/operational-guidelines-industrial-security
[11] Further information about Defense-in-Depth: http://www.industry.siemens.com/topics/global/en/industrialsecurity/concept/Pages/defense-in-depth.aspx
[12] Information about Industrial Security by Siemens: http://www.siemens.com/industrialsecurity
[13] For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: http://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2015-04-08): Publication Date
V1.1 (2015-07-21): Added update information for SIMATIC HMI Basic Panels 1st Generation (WinCC TIA Portal), SIMATIC HMI Mobile Panel 277 (WinCC TIA Portal), and SIMATIC HMI Multi Panels (WinCC TIA Portal)
V1.2 (2015-08-27): Added updates for TIA V12 SP1 devices and WinCC V7.2

DISCLAIMER

See: http://www.siemens.com/terms_of_use
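As an added example, not part of the Siemens advisory, the following Python turns the AFFECTED PRODUCTS and SOLUTION lists above into a version check that an operator can run over an asset inventory to find installations still below the fixed version. The version-string parser, the `AffectedRange` model and the product names used as dictionary keys are this example's own; it assumes that Siemens versions order by major.minor, then service pack, then update or hotfix number, and that "Upd" and "HF" can share one slot because no product line in the advisory uses both.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Accepts the version forms used in the advisory: "V13 SP1 Upd2", "V12 SP2 HF3",
# "V13 HF1", "V7.2 Upd11", "V7.2", "V1.0.2". The regex and names are this example's own.
_VERSION_RE = re.compile(
    r"^V(?P<main>\d+(?:\.\d+)*)"          # major[.minor[.patch]], e.g. 13, 7.2, 1.0.2
    r"(?:\s+SP(?P<sp>\d+))?"              # optional service pack
    r"(?:\s+(?:Upd|HF)(?P<upd>\d+))?$"    # optional update or hotfix number
)

VersionKey = Tuple[Tuple[int, ...], int, int]


def version_key(text: str) -> VersionKey:
    """Map a version string to a tuple that sorts in release order.
    Assumption: 'Upd' and 'HF' occupy the same slot; a missing SP/Upd counts as 0
    (the base release), so 'V12 SP1' sorts below 'V12 SP1 Upd5'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    main = tuple(int(p) for p in m.group("main").split("."))
    return (main, int(m.group("sp") or 0), int(m.group("upd") or 0))


@dataclass(frozen=True)
class AffectedRange:
    """Versions v with lower <= v < fixed are affected (lower=None: no lower bound)."""
    fixed: str
    lower: Optional[str] = None

    def contains(self, version: str) -> bool:
        v = version_key(version)
        if self.lower is not None and v < version_key(self.lower):
            return False
        return v < version_key(self.fixed)


# Transcribed from the AFFECTED PRODUCTS / SOLUTION sections of SSA-487246.
ADVISORY_RANGES: Dict[str, List[AffectedRange]] = {
    "SIMATIC HMI Basic Panels 2nd Generation": [AffectedRange("V13 SP1 Upd2", "V13")],
    "SIMATIC HMI Comfort Panels": [AffectedRange("V12 SP1 Upd5", "V12"), AffectedRange("V13 SP1 Upd2", "V13")],
    "SIMATIC WinCC Runtime Advanced": [AffectedRange("V12 SP1 Upd5", "V12"), AffectedRange("V13 SP1 Upd2", "V13")],
    "SIMATIC WinCC Runtime Professional": [AffectedRange("V13 SP1 Upd2", "V13")],
    "SIMATIC HMI Basic Panels 1st Generation": [AffectedRange("V12 SP1 Upd5", "V12"), AffectedRange("V13 SP1 Upd4", "V13")],
    "SIMATIC HMI Mobile Panel 277": [AffectedRange("V12 SP1 Upd5", "V12"), AffectedRange("V13 SP1 Upd4", "V13")],
    "SIMATIC HMI Multi Panels": [AffectedRange("V12 SP1 Upd5", "V12"), AffectedRange("V13 SP1 Upd4", "V13")],
    "SIMATIC NET PC-Software": [AffectedRange("V12 SP2 HF3", "V12"), AffectedRange("V13 HF1", "V13")],
    # "all versions prior to V7.2" and "V7.2 < Upd11" collapse into one open-ended range.
    "SIMATIC WinCC V7.x": [AffectedRange("V7.2 Upd11"), AffectedRange("V7.3 Upd4", "V7.3")],
    "SIMATIC Automation Tool": [AffectedRange("V1.0.2")],
}


def is_affected(product: str, version: str) -> bool:
    """True when the installed version falls inside one of the product's affected ranges."""
    if product not in ADVISORY_RANGES:
        raise KeyError(f"{product!r} is not listed in SSA-487246")
    return any(r.contains(version) for r in ADVISORY_RANGES[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Return (host, product, version, affected) rows with affected installations first."""
    rows = [(host, product, version, is_affected(product, version))
            for host, product, version in inventory]
    return sorted(rows, key=lambda r: not r[3])


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up for the demo.
    sample = [
        ("hmi-line1", "SIMATIC HMI Comfort Panels", "V13 SP1 Upd1"),
        ("hmi-line2", "SIMATIC HMI Comfort Panels", "V13 SP1 Upd2"),
        ("scada-01", "SIMATIC WinCC V7.x", "V7.1"),
        ("eng-ws-03", "SIMATIC NET PC-Software", "V12 SP2 HF3"),
    ]
    for host, product, version, affected in triage(sample):
        status = "UPDATE REQUIRED" if affected else "fixed"
        print(f"{host:10} {product:35} {version:14} {status}")
```

The check is deliberately strict about unknown formats: a version string the regex cannot parse raises rather than being silently treated as fixed, which is the failure mode to avoid in an inventory sweep. The open-ended range for WinCC V7.x is what makes "V7.1" and a bare "V7.2" both report as affected, while "V7.4" falls outside every listed range and is reported as not affected by this advisory.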