Zero-Day Flaws Found, Patched In Siemens Switches

  /     /     /  
Publicated : 22/11/2024   Category : security


Zero-Day Flaws Found, Patched In Siemens Switches


Researcher to release tool to test for the authentication flaws in the Siemens SCALANCE X-200 switch line



A security researcher has discovered a pair of zero-day vulnerabilities in a popular family of Siemens industrial control system switches that could allow an attacker to take over the network devices without a password.
Eireann Leverett, senior security consultant for IOActive, next week at the S4 ICS/SCADA conference in Miami will release his proof-of-concept code for users of the SCALANCE X-200 Switch family to test the flaws in their industrial control systems (ICS) environments. The researcher found the bugs a few months ago and reported them to Siemens, which last fall issued patches for the flaws -- within three months of being notified.
Whether ICS/SCADA customers will actually apply the patches or just how quickly they will do so is the big question. The aftermath of Stuxnet has pressured some major ICS vendors like Siemens to regularly respond to vulnerability discoveries in their products with patches and updates to their software. But their customers -- utilities and other process control operators -- dont routinely apply those patches. Overall, only 10 to 20 percent of organizations do so, mainly because they face the risk of a power or plant operation disruption caused by a newly patched system.
Leverett says releasing his PoC code is all about giving Siemens customers a chance to test what the newly discovered vulnerabilities could do. Many vulnerability and patch reports dont include enough specifics about the potential implications of the flaws, he says. My personal goal is to make sure asset owners have a chance to say, How bad is it? What can I do with it?
If I give them the code ... then their Python guy can run it and see firsthand that you dont need a password to update the firmware, for example.
The Siemens switch zero-day vulnerabilities are in the Web server interface to the devices. The researcher says the first of the two zero-day flaws he found in the Siemens SCALANCE X-200 switch was basic: a poorly constructed session ID setup, which would allow an attacker to hijack an administrative session on the switch without credentials. The session ID basically exposes the clients IP address so an attacker could then hijack the admins Web-based session while managing the switch. But you dont log onto these switches very often -- maybe once a year-- so, in that sense, its a weak vulnerability, he says.
The more critical zero-day Leverett found in the switch was the second one, which would let an attacker take over the admin operations of the switch -- no authentication required. The attacker could then download any network configuration information, or upload a malware-ridden firmware update, for example, Leverett says. The device assumes if you know the URL, you must have authentication. But it never asks you to authenticate [for it], he says.
Once I realized that you can change the firmware on the device, it was game over, he says. You could have access to all traffic to the switch and exfiltrate data, figure out other features of the network, sniff other credentials, and upload malware-laden firmware, he says.
The SCALANCE switches are small, with eight Ethernet ports, and most likely run in small process control environments or in hardened outdoor networks, Leverett says. I dont have a good sense in how often they are used in critical infrastructure [environments], he says. Even so, both flaws are simple to exploit, he says.
Siemens issued updates to the SCALANCE X-200 switch firmware, to V5.0.1 and V5.1.2, which fixes the
Web session hijacking bug
(PDF) and
Web server authentication flaw
(PDF).
The vendor provided the security advisories it had issued for its customers in October when asked for an interview for this article.
Siemens has been very helpful and produced the patches in a timeline that a couple of years ago would have felt impossible, Leverett says. Im going to use that to challenge the rest of the industry to quickly respond and fix bugs, he says.
[ICS/SCADA expert Ralph Langner published a report looking at how Stuxnet shifted from super-stealthy to simpler, and dispels common misconceptions about the infamous Stuxnet attack on Irans nuclear facility -- including the belief that only a nation-state could pull off a similar attack in the future. See
Stuxnets Earlier Version Much More Powerful And Dangerous, New Analysis Finds
.]
Leverett says one purpose of his presentation at S4 next week is to urge ICS vendors to come clean with more specifics on flaws so their customers can better understand the risks and thus be more compelled to apply the patches.
You find these vulnerabilities in ICS equipment all the time, Leverett says. My talk [at S4] will be about how well vendors are informing end users about the security of their products, and how could we do that better ... We should be able to give them a more clear, unified response from all of us.
Siemens advisory says this about the critical flaw: An issue in the web server’s authentication of the affected products might allow attackers to perform administrative operations over the network without authentication.
Leverett says he understands that Siemens doesnt want to reveal too much in the advisory to prevent the flaw from being exploited, but more details in the advisory would be helpful. Siemens did a really good job, he says. But it would be better if Siemens ... [said], You can be unauthenticated and post to this device and upload new firmware, so youve got to patch, he says.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Zero-Day Flaws Found, Patched In Siemens Switches