August 21, 2015

Positive Technologies helps to eliminate critical vulnerabilities in Siemens and Schneider Electric SCADA systems


Ilya Karpov, a Positive Technologies expert, detected vulnerabilities in products intended for building automation systems in various industries — from petrochemical to power plants.

Ilya found a clear-text password storage problem in Schneider Electric systems: InTouch Machine Edition 2014 (version 7.1, Service Pack 3, Patch 4) and InduSoft Web Studio (7.1.3.4), as well as their previous builds. The vulnerability, assigned CVE-2015-1009 with a base score of 6.4, cannot be exploited remotely, but it requires only a low-skilled internal attacker.

Schneider Electric specialists recommend that users install the new security updates as soon as possible (a patch for InTouch Machine Edition 2014 and a patch for InduSoft Web Studio) and restrict personnel's physical access to these systems in order to reduce the risk of confidential information being disclosed by internal attackers.

In July, Siemens issued a special update to its April advisory, in which it thanked Ilya Karpov for detecting a dangerous and easy-to-exploit vulnerability that threatened the security of many Siemens SIMATIC-based solutions:

  • SIMATIC HMI Basic Panels 2nd Generation — all the versions up to WinCC (TIA Portal) V13 SP1 Upd2;
  • SIMATIC HMI Comfort Panels — all the versions up to WinCC (TIA Portal) V13 SP1 Upd2;
  • SIMATIC WinCC Runtime Advanced — all the versions up to WinCC (TIA Portal) V13 SP1 Upd2;
  • SIMATIC WinCC Runtime Professional — all the versions up to WinCC (TIA Portal) V13 SP1 Upd2;
  • SIMATIC HMI Mobile Panel 277 (WinCC TIA Portal) — all the versions up to WinCC (TIA Portal) V13 SP1 Upd4;
  • SIMATIC HMI Multi Panels (WinCC TIA Portal) — all the versions up to WinCC (TIA Portal) V13 SP1 Upd4;
  • SIMATIC WinCC V7.X — all the versions up to V7.3 Upd4;
  • SIMATIC PCS 7 — all the versions up to V8.1 SP1.

The flaw, CVE-2015-2823, rated 6.8, allows a user's password hash to be used to authenticate to the server both locally and remotely; the password itself does not need to be known.
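The two weakness classes above (passwords stored in clear text, and a server that treats the stored hash itself as the credential) share one fix: store only a salted, slow hash and verify the submitted password against it. The model below is an added illustration written for this post, not Schneider Electric's or Siemens' code; the user name, password and protocol shape are constructed.

```python
import hashlib
import hmac
import os

# Constructed store for the weak design: an unsalted digest that the server
# accepts directly as proof of identity, so the digest IS the credential.
VULN_USERS = {"operator": hashlib.sha1(b"Winter2015!").hexdigest()}


def vulnerable_login(user: str, submitted_hash: str) -> bool:
    """Logs in anyone who presents the stored digest; no password needed."""
    stored = VULN_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_hash)


ITERATIONS = 100_000  # PBKDF2 work factor (illustrative value)


def make_record(password: str) -> dict:
    """Hardened storage: per-user random salt plus a slow, salted digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


HARDENED_USERS = {"operator": make_record("Winter2015!")}


def hardened_login(user: str, password: str) -> bool:
    """Verifies the password itself; a copied digest does not authenticate."""
    rec = HARDENED_USERS.get(user)
    if rec is None:
        # Spend the same work for unknown users so timing reveals nothing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(cand, rec["digest"])


def demo() -> dict:
    """Shows what a reader of the credential store can do in each design."""
    leaked_weak = VULN_USERS["operator"]
    leaked_hardened = HARDENED_USERS["operator"]["digest"].hex()
    return {
        "weak_digest_suffices": vulnerable_login("operator", leaked_weak),
        "hardened_digest_suffices": hardened_login("operator", leaked_hardened),
        "hardened_real_password": hardened_login("operator", "Winter2015!"),
    }
```

The first result is the CVE-2015-2823 condition (the hash alone logs in); the second shows the hardened store's digest is useless without the password.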

All necessary tests for security issues detected in Siemens SIMATIC software have been added to the knowledge base of the PT MaxPatrol vulnerability and compliance control management system.

Positive Technologies started cooperating with leading ICS vendors long ago. The large-scale study “SCADA Safety in Numbers” was presented in 2012. A year later, PT experts created Choo Choo Pwn, a realistic large-scale railway model whose components (trains, railroad crossing gates, and traffic lights) are controlled by an ICS built on three real SCADA systems. The model was used for the SCADA security contest at Positive Hack Days, the annual international information security conference.

In 2014, the contest infrastructure was significantly expanded to allow detection of zero-day vulnerabilities across a wider range of systems and industrial protocols, including transport, a city lighting system, power plants, and various robots. The contest's winner, Alisa Shevchenko, was thanked by Schneider Electric for the vulnerabilities she identified.

This year's Choo Choo Pwn was even more realistic: participants could not simply send a command that caused a failure, because the traffic safety logic would not allow it. The goal of the challenge was therefore to defeat the transport safety mechanisms themselves.
