The U.S. Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT) recently published an advisory [PDF file] warning of seven vulnerabilities in Siemens' WinCC TIA (Totally Integrated Automation) Portal (h/t Threatpost).
The portal, which is used in a wide range of industries including food and beverage, water and wastewater, oil and gas, and chemical, is an HMI software package used for process visualization, operator control of a process, alarm display, process value and alarm archiving, and machine parameter management.
Researchers Billy Rios and Terry McCorkle of Cylance; Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov and Ilya Karpov of Positive Technologies; and Shawn Merdinger are credited with uncovering the flaws.
The vulnerabilities include insecure password storage (CVE-2011-4515), improper input validation that could be leveraged to crash the HMI's Web application (CVE-2013-0669), a cross-site scripting vulnerability (CVE-2013-0672), and a directory traversal vulnerability (CVE-2013-0671), among others.
Still, the threat is limited -- the advisory notes that the vulnerabilities require access to user credentials, are not exploitable remotely, and can't be exploited without user interaction. ICS-CERT also notes that no known public exploits currently target the vulnerabilities.
Siemens has released a software update to fix the issues. In a security advisory [PDF file], the company explains, "All vulnerabilities are fixed in the new software version WinCC (TIA Portal) V12. As a workaround to close the Web-based vulnerabilities, the HMI's Web server may be disabled."