Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/9/2014
07:58 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Zero-Day Flaws Found, Patched In Siemens Switches

Researcher to release tool to test for the authentication flaws in the Siemens SCALANCE X-200 switch line

A security researcher has discovered a pair of zero-day vulnerabilities in a popular family of Siemens industrial control system switches that could allow an attacker to take over the network devices without a password.

Eireann Leverett, senior security consultant for IOActive, next week at the S4 ICS/SCADA conference in Miami will release his proof-of-concept code for users of the SCALANCE X-200 Switch family to test the flaws in their industrial control systems (ICS) environments. The researcher found the bugs a few months ago and reported them to Siemens, which last fall issued patches for the flaws -- within three months of being notified.

Whether ICS/SCADA customers will actually apply the patches or just how quickly they will do so is the big question. The aftermath of Stuxnet has pressured some major ICS vendors like Siemens to regularly respond to vulnerability discoveries in their products with patches and updates to their software. But their customers -- utilities and other process control operators -- don't routinely apply those patches. Overall, only 10 to 20 percent of organizations do so, mainly because they face the risk of a power or plant operation disruption caused by a newly patched system.

Leverett says releasing his PoC code is all about giving Siemens customers a chance to test what the newly discovered vulnerabilities could do. Many vulnerability and patch reports don't include enough specifics about the potential implications of the flaws, he says. "My personal goal is to make sure asset owners have a chance to say, 'How bad is it? What can I do with it?''

"If I give them the code ... then their Python guy can run it" and see firsthand that you don't need a password to update the firmware, for example.

The Siemens switch zero-day vulnerabilities are in the Web server interface to the devices. The researcher says the first of the two zero-day flaws he found in the Siemens SCALANCE X-200 switch was basic: a poorly constructed session ID setup, which would allow an attacker to hijack an administrative session on the switch without credentials. The session ID basically exposes the client's IP address so an attacker could then hijack the admin's Web-based session while managing the switch. "But you don't log onto these switches very often -- maybe once a year-- so, in that sense, it's a weak vulnerability," he says.

The more critical zero-day Leverett found in the switch was the second one, which would let an attacker take over the admin operations of the switch -- no authentication required. The attacker could then download any network configuration information, or upload a malware-ridden firmware update, for example, Leverett says. "The device assumes if you know the URL, you must have authentication. But it never asks you to authenticate [for it]," he says.

"Once I realized that you can change the firmware on the device, it was game over," he says. "You could have access to all traffic to the switch and exfiltrate data," figure out other features of the network, "sniff" other credentials, and upload malware-laden firmware, he says.

The SCALANCE switches are small, with eight Ethernet ports, and most likely run in small process control environments or in hardened outdoor networks, Leverett says. "I don't have a good sense in how often they are used in critical infrastructure [environments]," he says. Even so, both flaws are simple to exploit, he says.

Siemens issued updates to the SCALANCE X-200 switch firmware, to V5.0.1 and V5.1.2, which fixes the Web session hijacking bug (PDF) and Web server authentication flaw (PDF).

The vendor provided the security advisories it had issued for its customers in October when asked for an interview for this article.

"Siemens has been very helpful and produced the patches in a timeline that a couple of years ago would have felt impossible," Leverett says. "I'm going to use that to challenge the rest of the industry" to quickly respond and fix bugs, he says.

[ICS/SCADA expert Ralph Langner published a report looking at how Stuxnet shifted from super-stealthy to simpler, and dispels common misconceptions about the infamous Stuxnet attack on Iran's nuclear facility -- including the belief that only a nation-state could pull off a similar attack in the future. See Stuxnet's Earlier Version Much More Powerful And Dangerous, New Analysis Finds.]

Leverett says one purpose of his presentation at S4 next week is to urge ICS vendors to come clean with more specifics on flaws so their customers can better understand the risks and thus be more compelled to apply the patches.

"You find these vulnerabilities in ICS equipment all the time," Leverett says. "My talk [at S4] will be about how well vendors are informing end users about the security of their products, and how could we do that better ... We should be able to give them a more clear, unified response from all of us."

Siemens' advisory says this about the critical flaw: "An issue in the web server’s authentication of the affected products might allow attackers to perform administrative operations over the network without authentication."

Leverett says he understands that Siemens doesn't want to reveal too much in the advisory to prevent the flaw from being exploited, but more details in the advisory would be helpful. "Siemens did a really good job," he says. "But it would be better if Siemens ... [said], 'You can be unauthenticated and post to this device and upload new firmware, so you've got to patch,'" he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.