ICS CERT Warns of New SCADA Vulnerabilities

[This article was taken from the March 25 DHS “Open Source” Report.]

The Department of Homeland Security and the ICS-CERT have issued an advisory warning of serious vulnerabilities in Siemens industrial control software deployed in a number of industries, including water, oil and gas, and chemical.

Siemens said it has patched the flaws in a new version of its WinCC TIA Portal. The software is an HMI, or Human Machine Interface, package that sits between a programmable logic controller (PLC) and the operator. HMIs offer process visualization and other functions that give operators a visual representation of an industrial process. The Siemens advisory and patch details can be found here. ICS-CERT said an attacker with low to medium skill could exploit the flaws. However, an attacker would have to use social engineering to gain access to a vulnerable portal, or possess valid user credentials.

ICS-CERT said no public exploits are in the wild.

In addition to the password issue, researchers also discovered an input validation issue that could crash the HMI Web application, as well as a stored cross-site scripting vulnerability that could allow an authenticated user to store malicious JavaScript that would be run by any user visiting the infected page. The researchers also found a directory traversal bug that could give an attacker access to the Web app's source code simply by manipulating a URL.

In addition, separate HTTP response splitting, server-side script injection and reflected cross-site scripting flaws were discovered that would either display restricted data to a user or enable an attacker to run malicious JavaScript.
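The three Web-application flaw classes named above (directory traversal via URL manipulation, HTTP response splitting, and stored/reflected cross-site scripting) share one root cause: user-supplied input reaching a file path, a response header or an HTML page without validation or encoding. The following is an added, defender-side example and not Siemens or WinCC code; it shows the server-side checks that close each class, and a small scanner that applies the same checks to access-log lines to flag attempts. The web root `/srv/hmi/www`, the function names and the log lines are all constructed for the example.

```python
"""Constructed hardening and detection checks for directory traversal,
HTTP response splitting and XSS. Added example; not Siemens/WinCC code."""
import html
import posixpath
import re
from urllib.parse import parse_qsl, unquote

WEB_ROOT = "/srv/hmi/www"  # assumed web root for the example


def resolve_under_root(url_path: str, root: str = WEB_ROOT) -> str:
    """Map a URL path to a file under root; raise ValueError if it escapes.

    Percent-decoding is repeated so double-encoded '..' (%252e%252e) is seen,
    backslashes are treated as separators (relevant on Windows HMI hosts),
    and the normalized result must still lie inside root.
    """
    decoded = url_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")
    rel = posixpath.normpath(decoded.lstrip("/"))       # keeps leading '..'
    full = posixpath.normpath(posixpath.join(root, rel))  # collapses them
    if full != root and not full.startswith(root + "/"):
        raise ValueError(f"path escapes web root: {url_path!r}")
    return full


def path_escapes_root(url_path: str) -> bool:
    """Boolean form of resolve_under_root for callers that only need yes/no."""
    try:
        resolve_under_root(url_path)
    except ValueError:
        return True
    return False


def safe_header_value(value: str) -> str:
    """Reject CR/LF (raw or percent-encoded) before a user value such as a
    redirect target is placed in a response header; a CRLF would let the
    client-controlled value terminate the header and start new ones."""
    if any(c in value or c in unquote(value) for c in ("\r", "\n")):
        raise ValueError("CR/LF in header value")
    return value


def render_comment(author: str, body: str) -> str:
    """HTML-encode stored user content at output time so a saved
    <script> tag is displayed as text instead of executed."""
    return (f'<p class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</p>')


# Constructed access-log lines (common log format), not real WinCC logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Mar/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Mar/2013:10:01:07 +0000] "GET /..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1833',
    '10.0.0.9 - - [25/Mar/2013:10:01:09 +0000] "GET /login?next=%2Fhome%0d%0aSet-Cookie:%20x=1 HTTP/1.1" 302 0',
    '10.0.0.9 - - [25/Mar/2013:10:01:12 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900',
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Apply the same checks to logged request targets; return
    [(line_number, [reasons])] for lines that trip at least one check."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        reasons = []
        if path_escapes_root(path):
            reasons.append("directory traversal")
        for key, val in parse_qsl(query, keep_blank_values=True):
            try:
                safe_header_value(val)
            except ValueError:
                reasons.append(f"CRLF in parameter {key}")
            if "<" in val and ">" in val:  # crude, but catches the obvious tag
                reasons.append(f"HTML tag in parameter {key}")
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for number, why in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(why)}")
```

The path check deliberately normalizes before comparing rather than string-matching for `..`, so encoded and mixed-separator variants are handled by the same rule; the header check treats a percent-encoded CRLF as hostile because most frameworks decode the parameter before it reaches the header. Disabling the HMI Web server, as the advisory suggests, removes all three exposures at once where the Web interface is not needed.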

“All vulnerabilities are fixed in the new software version WinCC (TIA Portal) V12. As a workaround to close the Web-based vulnerabilities, the HMI’s Web server may be disabled,” ICS-CERT said.
