Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/9/2014
07:58 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Zero-Day Flaws Found, Patched In Siemens Switches

Researcher to release tool to test for the authentication flaws in the Siemens SCALANCE X-200 switch line

A security researcher has discovered a pair of zero-day vulnerabilities in a popular family of Siemens industrial control system switches that could allow an attacker to take over the network devices without a password.

Eireann Leverett, senior security consultant for IOActive, next week at the S4 ICS/SCADA conference in Miami will release his proof-of-concept code for users of the SCALANCE X-200 Switch family to test the flaws in their industrial control systems (ICS) environments. The researcher found the bugs a few months ago and reported them to Siemens, which last fall issued patches for the flaws -- within three months of being notified.

Whether ICS/SCADA customers will actually apply the patches or just how quickly they will do so is the big question. The aftermath of Stuxnet has pressured some major ICS vendors like Siemens to regularly respond to vulnerability discoveries in their products with patches and updates to their software. But their customers -- utilities and other process control operators -- don't routinely apply those patches. Overall, only 10 to 20 percent of organizations do so, mainly because they face the risk of a power or plant operation disruption caused by a newly patched system.

Leverett says releasing his PoC code is all about giving Siemens customers a chance to test what the newly discovered vulnerabilities could do. Many vulnerability and patch reports don't include enough specifics about the potential implications of the flaws, he says. "My personal goal is to make sure asset owners have a chance to say, 'How bad is it? What can I do with it?''

"If I give them the code ... then their Python guy can run it" and see firsthand that you don't need a password to update the firmware, for example.

The Siemens switch zero-day vulnerabilities are in the Web server interface to the devices. The researcher says the first of the two zero-day flaws he found in the Siemens SCALANCE X-200 switch was basic: a poorly constructed session ID setup, which would allow an attacker to hijack an administrative session on the switch without credentials. The session ID basically exposes the client's IP address so an attacker could then hijack the admin's Web-based session while managing the switch. "But you don't log onto these switches very often -- maybe once a year-- so, in that sense, it's a weak vulnerability," he says.

The more critical zero-day Leverett found in the switch was the second one, which would let an attacker take over the admin operations of the switch -- no authentication required. The attacker could then download any network configuration information, or upload a malware-ridden firmware update, for example, Leverett says. "The device assumes if you know the URL, you must have authentication. But it never asks you to authenticate [for it]," he says.

"Once I realized that you can change the firmware on the device, it was game over," he says. "You could have access to all traffic to the switch and exfiltrate data," figure out other features of the network, "sniff" other credentials, and upload malware-laden firmware, he says.

The SCALANCE switches are small, with eight Ethernet ports, and most likely run in small process control environments or in hardened outdoor networks, Leverett says. "I don't have a good sense in how often they are used in critical infrastructure [environments]," he says. Even so, both flaws are simple to exploit, he says.

Siemens issued updates to the SCALANCE X-200 switch firmware, to V5.0.1 and V5.1.2, which fixes the Web session hijacking bug (PDF) and Web server authentication flaw (PDF).

The vendor provided the security advisories it had issued for its customers in October when asked for an interview for this article.

"Siemens has been very helpful and produced the patches in a timeline that a couple of years ago would have felt impossible," Leverett says. "I'm going to use that to challenge the rest of the industry" to quickly respond and fix bugs, he says.

[ICS/SCADA expert Ralph Langner published a report looking at how Stuxnet shifted from super-stealthy to simpler, and dispels common misconceptions about the infamous Stuxnet attack on Iran's nuclear facility -- including the belief that only a nation-state could pull off a similar attack in the future. See Stuxnet's Earlier Version Much More Powerful And Dangerous, New Analysis Finds.]

Leverett says one purpose of his presentation at S4 next week is to urge ICS vendors to come clean with more specifics on flaws so their customers can better understand the risks and thus be more compelled to apply the patches.

"You find these vulnerabilities in ICS equipment all the time," Leverett says. "My talk [at S4] will be about how well vendors are informing end users about the security of their products, and how could we do that better ... We should be able to give them a more clear, unified response from all of us."

Siemens' advisory says this about the critical flaw: "An issue in the web server’s authentication of the affected products might allow attackers to perform administrative operations over the network without authentication."

Leverett says he understands that Siemens doesn't want to reveal too much in the advisory to prevent the flaw from being exploited, but more details in the advisory would be helpful. "Siemens did a really good job," he says. "But it would be better if Siemens ... [said], 'You can be unauthenticated and post to this device and upload new firmware, so you've got to patch,'" he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
CVE-2016-4606
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...