Flaws in Siemens Tool Put ICS Environments at Risk
9.8.18 securityweek ICS
Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments.
The TIA Portal (Totally Integrated Automation Portal) is a piece of software from Siemens that gives organizations unrestricted access to the company’s automation services.
Researchers at industrial cybersecurity firm Nozomi Networks discovered that the default installation of the TIA Portal is affected by two high severity improper file permission vulnerabilities.
One of them, CVE-18-11453, allows an attacker with access to the local file system to insert specially crafted files that can cause the TIA Portal to enter a denial-of-service (DoS) condition or allow the hacker to execute arbitrary code. Exploiting the flaw does not require special privileges, but the victim needs to attempt to open the TIA Portal for the exploit to be triggered, Siemens said in its advisory.
Nozomi Co-founder and Chief Technology Officer Moreno Carullo told SecurityWeek that the company sent a proof-of-concept (PoC) to ICS-CERT and Siemens that shows how this security hole can be exploited for code execution.
The second vulnerability, CVE-18-11454, is related to an improper file permission configuration issue in specific TIA Portal directories.
“[The flaw] may allow an attacker with local privileges in the machine where the software is installed to manipulate the resources inside the misconfigured directories (e.g., adding a malicious payload),” Carullo explained. “While a legitimate user uses the software suite to transfer configuration (in a licit way) to the targeted device, using the TIA Portal software, a maliciously-added file would be automatically executed by the remote device.”
Siemens has released updates for SIMATIC STEP7 and SIMATIC WinCC versions 14 and 15 to address the vulnerabilities. For earlier versions, users can prevent exploitation by restricting operating system access to authorized users, and processing GDS files only from trusted sources.
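The mitigation above for older versions is to restrict operating-system access to the installation directories. As an added example (not code from the article, Nozomi or Siemens), the following PowerShell script audits an install tree for directories whose ACL grants write-type rights to broad, low-privilege principals, which is the precondition for a local user planting files that the tool later loads or transfers. The root path is an assumed placeholder; substitute the actual TIA Portal installation and project folders.

```powershell
# Added example: find directories under $Root writable by broad principals.
# The default path is an assumption, not taken from the article.
param(
    [string]$Root = 'C:\Program Files\Siemens\Automation'
)

# Identities that should not hold write rights on application directories.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# FileSystemRights flags that allow creating or replacing content.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Find-WritableByBroadPrincipal {
    param([string]$Path)
    # Include the root itself plus every subdirectory beneath it.
    $dirs = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        $acl = Get-Acl -Path $d.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $isBroad  = $BroadPrincipals -contains $ace.IdentityReference.Value
            $canWrite = ([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0
            if ($isAllow -and $isBroad -and $canWrite) {
                # Each hit is one ACE that lets a low-privilege user drop files here.
                [PSCustomObject]@{
                    Directory = $d.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-WritableByBroadPrincipal -Path $Root | Format-Table -AutoSize
```

Review each reported directory against the vendor's intended permissions before tightening it with icacls or Set-Acl, since some project folders are meant to be user-writable.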
Nozomi believes these types of flaws can pose a significant risk to ICS environments.
“These types of flaws may enable an advanced persistent threat (APT) to be installed in the ICS and act by itself hidden from regular ICS engineers in a plant. So it could be used to build bigger malware,” Carullo said.