Information disclosure in Siemens industrial products

1) XXE attack

EUVDB-ID: #VU8071

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-12069

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to conduct XXE attack on the target system.

The weakness exists in the encryption library due to improper handling of XML External Entity (XXE) entries when parsing an XML file. A remote attacker can send specially crafted packets to the OPC Discovery Server at Port 4840/TCP and cause the system to access various resources chosen by the attacker.

Successful exploitation of the vulnerability may result in information disclosure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIMATIC NET PC Software: All versions

SIMATIC PCS 7: 7.1 - 8.1

Siemens SIMATIC WinCC: 7.0 - 7.4

SIMATIC WinCC Runtime Professional: 13.0 - 14.0

SIMATIC IT Production Suite: All versions

External links

http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.