German engineering and systems controls company Siemens AG moved yesterday to patch critical flaws in a number of its SCADA (supervisory control and data acquisition) products. The vulnerabilities enable remote attackers to steal files from Siemens SIMATIC WinCC SCADA servers, and it is believed that the flaws have been exploited recently.
The existence of the flaws has prompted the United States Department of Homeland Security (DHS) to issue a warning to organizations using SCADA. The DHS said the flaws could be exploited remotely.
“These vulnerabilities allow for unauthenticated remote code execution,” the DHS said. “NCC/ICS-CERT (National Cybersecurity and Communications/Industrial Control Systems-Cyber Emergency Response Team) recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”
An ICS-CERT advisory also said that “indicators exist that this vulnerability may have been exploited during a recent campaign.”
While it continues to roll out more patches, Siemens (OTCMKTS: SIEGY) said customers should mitigate risks by implementing the following:
- Always run WinCC server and engineering stations within a trusted network
- Ensure that the WinCC server and the engineering stations communicate via encrypted channels only (e.g. activate feature “Encrypted Communications” in WinCC V7.3 (PCS 7 V8.1), or establish a VPN tunnel)
- Restrict access to the WinCC server to trusted entities
- Apply up-to-date application whitelisting software and virus scanners
Back in 2010, Siemens released updates for SCADA. This was linked to the discovery of the Stuxnet worm on infected PCs in Iran. The worm targeted Siemens’ WinCC software.
In its latest bulletin, Siemens said it had released software updates for WinCC, PCS 7 and TIA Portal and that the company is working on updates for other products affected by the flaws.
The company released a list of affected products:
SIMATIC WinCC
- V7.0 SP2 and earlier: All versions
- V7.0 SP3: All versions
- V7.2: All versions < V7.2 Update 9
- V7.3: All versions < V7.3 Update 2
SIMATIC PCS 7 (as WinCC is incorporated)
- V7.1 SP4 and earlier: All versions
- V8.0: All versions < V8.0 SP2 with WinCC V7.2 Update 9
- V8.1: All versions with WinCC V7.3 < Update 2
TIA Portal V13 (including WinCC Professional Runtime)
- All versions < V13 Update
SIMATIC WinCC is a SCADA system, PCS 7 is a distributed control system (DCS) integrating SIMATIC WinCC, and TIA Portal is engineering software for SIMATIC products.
Vulnerability 1 (CVE-2014-8551) involves a component within WinCC which could allow remote code execution by unauthenticated users if specially crafted packets are sent to the WinCC server.
Vulnerability 2 (CVE-2014-8552) involves a component within WinCC that could allow unauthenticated users to extract arbitrary files from the WinCC server if specially crafted packets are sent to the server.
For the exploit to succeed, attackers must have network access to the affected system, Siemens said.
Siemens has released updates for the following products and the company recommended that customers upgrade to the new versions as soon as possible:
WinCC V7.2
- Upgrade to WinCC V7.2 Update 9 [2]
WinCC V7.3
- Upgrade to WinCC V7.3 Update 2 [3]
PCS 7 V8.0 SP2
- Upgrade to WinCC V7.2 Update 9 [2]
- Upgrade to OpenPCS 7 V8.0 SP1 Update 5 [4]
- Upgrade to Route Control V8.0 SP1 Update 4 [4]
- Upgrade to BATCH V8.0 SP1 Update 11 [4]
PCS 7 V8.1
- Upgrade to WinCC V7.3 Update 2 [3]
TIA Portal V13 (including WinCC Professional Runtime)
- Upgrade to WinCC V13 Update 6 [1]
Siemens is preparing updates to WinCC V7.0 SP3 and earlier, PCS 7 V7.1 SP4 and earlier, and PCS 7 V8.1 with OpenPCS7, Route Control or BATCH.
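The following is an added example, not code from Siemens or ICS-CERT: a small triage helper that applies the SIMATIC WinCC lines of the affected-products list above to an asset inventory. The inventory layout (`host,version`), the version-string format, the host names and the function names are assumptions; PCS 7 and TIA Portal are not covered.

```python
import re

# Update level that clears each WinCC release, per the affected-products list.
FIXED_UPDATE = {(7, 2): 9, (7, 3): 2}

# Assumed version-string layout: "V7.2", "V7.0 SP3", "V7.3 Update 1".
VERSION_RE = re.compile(
    r"V(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+Update\s+(\d+))?\s*$", re.IGNORECASE)

def triage_wincc(version):
    """Classify one WinCC version string against the published list."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"  # flag for manual review rather than guessing
    major, minor = int(m.group(1)), int(m.group(2))
    update = int(m.group(4) or 0)  # no "Update N" suffix means Update 0
    # V7.0 (any service pack) and earlier: all versions affected,
    # and the article says updates are still being prepared.
    if (major, minor) <= (7, 0):
        return "affected-no-update-yet"
    fixed = FIXED_UPDATE.get((major, minor))
    if fixed is None:
        return "not-listed"  # release does not appear in the advisory
    return "affected-upgrade-available" if update < fixed else "patched"

def triage_inventory(text):
    """Map each host in a 'host,version' inventory to its triage status."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = triage_wincc(version)
    return results

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = """\
hmi-01,V7.0 SP3
hmi-02,V7.2 Update 5
hmi-03,V7.2 Update 9
hmi-04,V7.3 Update 1
hmi-05,V7.3 Update 2
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `affected-no-update-yet` have no fixed release in the article, so the network-level mitigations listed earlier are the only controls available for them.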