Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/9/2014
07:58 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Zero-Day Flaws Found, Patched In Siemens Switches

Researcher to release tool to test for the authentication flaws in the Siemens SCALANCE X-200 switch line

A security researcher has discovered a pair of zero-day vulnerabilities in a popular family of Siemens industrial control system switches that could allow an attacker to take over the network devices without a password.

Eireann Leverett, senior security consultant for IOActive, next week at the S4 ICS/SCADA conference in Miami will release his proof-of-concept code for users of the SCALANCE X-200 Switch family to test the flaws in their industrial control systems (ICS) environments. The researcher found the bugs a few months ago and reported them to Siemens, which last fall issued patches for the flaws -- within three months of being notified.

Whether ICS/SCADA customers will actually apply the patches or just how quickly they will do so is the big question. The aftermath of Stuxnet has pressured some major ICS vendors like Siemens to regularly respond to vulnerability discoveries in their products with patches and updates to their software. But their customers -- utilities and other process control operators -- don't routinely apply those patches. Overall, only 10 to 20 percent of organizations do so, mainly because they face the risk of a power or plant operation disruption caused by a newly patched system.

Leverett says releasing his PoC code is all about giving Siemens customers a chance to test what the newly discovered vulnerabilities could do. Many vulnerability and patch reports don't include enough specifics about the potential implications of the flaws, he says. "My personal goal is to make sure asset owners have a chance to say, 'How bad is it? What can I do with it?''

"If I give them the code ... then their Python guy can run it" and see firsthand that you don't need a password to update the firmware, for example.

The Siemens switch zero-day vulnerabilities are in the Web server interface to the devices. The researcher says the first of the two zero-day flaws he found in the Siemens SCALANCE X-200 switch was basic: a poorly constructed session ID setup, which would allow an attacker to hijack an administrative session on the switch without credentials. The session ID basically exposes the client's IP address so an attacker could then hijack the admin's Web-based session while managing the switch. "But you don't log onto these switches very often -- maybe once a year-- so, in that sense, it's a weak vulnerability," he says.

The more critical zero-day Leverett found in the switch was the second one, which would let an attacker take over the admin operations of the switch -- no authentication required. The attacker could then download any network configuration information, or upload a malware-ridden firmware update, for example, Leverett says. "The device assumes if you know the URL, you must have authentication. But it never asks you to authenticate [for it]," he says.

"Once I realized that you can change the firmware on the device, it was game over," he says. "You could have access to all traffic to the switch and exfiltrate data," figure out other features of the network, "sniff" other credentials, and upload malware-laden firmware, he says.

The SCALANCE switches are small, with eight Ethernet ports, and most likely run in small process control environments or in hardened outdoor networks, Leverett says. "I don't have a good sense in how often they are used in critical infrastructure [environments]," he says. Even so, both flaws are simple to exploit, he says.

Siemens issued updates to the SCALANCE X-200 switch firmware, to V5.0.1 and V5.1.2, which fixes the Web session hijacking bug (PDF) and Web server authentication flaw (PDF).

The vendor provided the security advisories it had issued for its customers in October when asked for an interview for this article.

"Siemens has been very helpful and produced the patches in a timeline that a couple of years ago would have felt impossible," Leverett says. "I'm going to use that to challenge the rest of the industry" to quickly respond and fix bugs, he says.

[ICS/SCADA expert Ralph Langner published a report looking at how Stuxnet shifted from super-stealthy to simpler, and dispels common misconceptions about the infamous Stuxnet attack on Iran's nuclear facility -- including the belief that only a nation-state could pull off a similar attack in the future. See Stuxnet's Earlier Version Much More Powerful And Dangerous, New Analysis Finds.]

Leverett says one purpose of his presentation at S4 next week is to urge ICS vendors to come clean with more specifics on flaws so their customers can better understand the risks and thus be more compelled to apply the patches.

"You find these vulnerabilities in ICS equipment all the time," Leverett says. "My talk [at S4] will be about how well vendors are informing end users about the security of their products, and how could we do that better ... We should be able to give them a more clear, unified response from all of us."

Siemens' advisory says this about the critical flaw: "An issue in the web server’s authentication of the affected products might allow attackers to perform administrative operations over the network without authentication."

Leverett says he understands that Siemens doesn't want to reveal too much in the advisory to prevent the flaw from being exploited, but more details in the advisory would be helpful. "Siemens did a really good job," he says. "But it would be better if Siemens ... [said], 'You can be unauthenticated and post to this device and upload new firmware, so you've got to patch,'" he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.