ICS-CERT Warns of Siemens SCADA Vulnerabilities


The U.S. Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT) recently published an advisory [PDF file] warning of seven vulnerabilities in Siemens' WinCC TIA (Totally Integrated Automation) Portal (h/t Threatpost).

The portal is an HMI software package used for process visualization, operator control of a process, alarm display, process value and alarm archiving, and machine parameter management. It is deployed in a wide range of industries, including food and beverage, water and wastewater, oil and gas, and chemical.

Researchers Billy Rios and Terry McCorkle of Cylance; Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov and Ilya Karpov of Positive Technologies; and Shawn Merdinger are credited with uncovering the flaws.

The vulnerabilities include insecure password storage (CVE-2011-4515), improper input validation that could be leveraged to crash the HMI's web application (CVE-2013-0669), a cross-site scripting vulnerability (CVE-2013-0672), and a directory traversal vulnerability (CVE-2013-0671), among others.

Still, the threat is limited: the advisory notes that the vulnerabilities require access to user credentials, are not exploitable remotely, and cannot be exploited without user interaction. ICS-CERT also notes that no known public exploits currently target the vulnerabilities.

Siemens has released a software update to fix the issues. In a security advisory [PDF file], the company explains, "All vulnerabilities are fixed in the new software version WinCC (TIA Portal) V12. As a workaround to close the Web-based vulnerabilities, the HMI's Web server may be disabled."