Multiple vulnerabilities in Siemens SICLOCK TC



Published: 2018-07-05
Risk: High
Patch available: No
Number of vulnerabilities: 6
CVE-ID: CVE-2018-4851, CVE-2018-4852, CVE-2018-4853, CVE-2018-4854, CVE-2018-4855, CVE-2018-4856
CWE-ID: CWE-20, CWE-592, CWE-264, CWE-300
Exploitation vector: Network
Public exploit: Public exploit code for vulnerabilities #2, #3, #4, #5 and #6 is available.
Vulnerable software:
SICLOCK TC400 (Client/Desktop applications / Other client software)
SICLOCK TC100 (Client/Desktop applications / Other client software)
Vendor: Siemens

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU13567

Risk: Low

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-4851

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send certain packets to the device and cause it to reboot.

Mitigation

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
• Provide redundant time sources and implement plausibility checks for the time information in critical plant controllers.
• Protect network access to the affected devices with appropriate measures, e.g. protect SICLOCK TC devices with firewalls to reduce the risk. It is recommended to filter traffic to all ports excluding those needed for time synchronization. If time synchronization is performed using NTP, then port 123/udp must be opened on the firewall. If time synchronization is performed using SIMATIC time synchronization, then port 22223/udp and port 22224/udp must be opened on the firewall. For configuring parameters, it is recommended to use a direct connection to the SICLOCK TC.
• Apply the cell protection concept, and apply defense-in-depth: https://www.siemens.com/cert/operational-guidelines-industrial-security

Vulnerable software versions

SICLOCK TC400: All versions

SICLOCK TC100: All versions

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Authentication bypass

EUVDB-ID: #VU13568

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:U/RC:C]

CVE-ID: CVE-2018-4852

CWE-ID: CWE-592 - Authentication Bypass Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication on the target system.
The weakness exists due to an unspecified flaw. A remote attacker who is able to obtain certain knowledge specific to the attacked device can circumvent the authentication mechanism and read and modify the device configuration.

Mitigation

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
• Provide redundant time sources and implement plausibility checks for the time information in critical plant controllers.
• Protect network access to the affected devices with appropriate measures, e.g. protect SICLOCK TC devices with firewalls to reduce the risk. It is recommended to filter traffic to all ports excluding those needed for time synchronization. If time synchronization is performed using NTP, then port 123/udp must be opened on the firewall. If time synchronization is performed using SIMATIC time synchronization, then port 22223/udp and port 22224/udp must be opened on the firewall. For configuring parameters, it is recommended to use a direct connection to the SICLOCK TC.
• Apply the cell protection concept, and apply defense-in-depth: https://www.siemens.com/cert/operational-guidelines-industrial-security

Vulnerable software versions

SICLOCK TC400: All versions

SICLOCK TC100: All versions

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Privilege escalation

EUVDB-ID: #VU13569

Risk: Low

CVSSv3.1: 9.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C]

CVE-ID: CVE-2018-4853

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an unspecified flaw. A remote attacker with network access to port 69/udp can modify the firmware and run their own code on the device.

Mitigation

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
• Provide redundant time sources and implement plausibility checks for the time information in critical plant controllers.
• Protect network access to the affected devices with appropriate measures, e.g. protect SICLOCK TC devices with firewalls to reduce the risk. It is recommended to filter traffic to all ports excluding those needed for time synchronization. If time synchronization is performed using NTP, then port 123/udp must be opened on the firewall. If time synchronization is performed using SIMATIC time synchronization, then port 22223/udp and port 22224/udp must be opened on the firewall. For configuring parameters, it is recommended to use a direct connection to the SICLOCK TC.
• Apply the cell protection concept, and apply defense-in-depth: https://www.siemens.com/cert/operational-guidelines-industrial-security

Vulnerable software versions

SICLOCK TC400: All versions

SICLOCK TC100: All versions

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Privilege escalation

EUVDB-ID: #VU13570

Risk: High

CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C]

CVE-ID: CVE-2018-4854

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an unspecified flaw. A remote attacker with network access to port 69/udp can download and execute the modified client from the affected device and execute arbitrary code with elevated privileges.

Mitigation

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
• Provide redundant time sources and implement plausibility checks for the time information in critical plant controllers.
• Protect network access to the affected devices with appropriate measures, e.g. protect SICLOCK TC devices with firewalls to reduce the risk. It is recommended to filter traffic to all ports excluding those needed for time synchronization. If time synchronization is performed using NTP, then port 123/udp must be opened on the firewall. If time synchronization is performed using SIMATIC time synchronization, then port 22223/udp and port 22224/udp must be opened on the firewall. For configuring parameters, it is recommended to use a direct connection to the SICLOCK TC.
• Apply the cell protection concept, and apply defense-in-depth: https://www.siemens.com/cert/operational-guidelines-industrial-security

Vulnerable software versions

SICLOCK TC400: All versions

SICLOCK TC100: All versions

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Man-in-the-middle attack

EUVDB-ID: #VU13571

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:C]

CVE-ID: CVE-2018-4855

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The vulnerability allows a remote attacker to conduct a man-in-the-middle attack on the target system.
The weakness exists due to unencrypted storage of passwords in the client configuration files. A remote attacker in a privileged network position can intercept the communication between the affected device and the administrative client and obtain access passwords during network transmission.

Mitigation

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
• Provide redundant time sources and implement plausibility checks for the time information in critical plant controllers.
• Protect network access to the affected devices with appropriate measures, e.g. protect SICLOCK TC devices with firewalls to reduce the risk. It is recommended to filter traffic to all ports excluding those needed for time synchronization. If time synchronization is performed using NTP, then port 123/udp must be opened on the firewall. If time synchronization is performed using SIMATIC time synchronization, then port 22223/udp and port 22224/udp must be opened on the firewall. For configuring parameters, it is recommended to use a direct connection to the SICLOCK TC.
• Apply the cell protection concept, and apply defense-in-depth: https://www.siemens.com/cert/operational-guidelines-industrial-security

Vulnerable software versions

SICLOCK TC400: All versions

SICLOCK TC100: All versions

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

6) Security restrictions bypass

EUVDB-ID: #VU13572

Risk: Low

CVSSv3.1: 3.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:C]

CVE-ID: CVE-2018-4856

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to an unspecified flaw. A remote attacker with administrative access to the device's management interface can lock out legitimate users.

Mitigation

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
• Provide redundant time sources and implement plausibility checks for the time information in critical plant controllers.
• Protect network access to the affected devices with appropriate measures, e.g. protect SICLOCK TC devices with firewalls to reduce the risk. It is recommended to filter traffic to all ports excluding those needed for time synchronization. If time synchronization is performed using NTP, then port 123/udp must be opened on the firewall. If time synchronization is performed using SIMATIC time synchronization, then port 22223/udp and port 22224/udp must be opened on the firewall. For configuring parameters, it is recommended to use a direct connection to the SICLOCK TC.
• Apply the cell protection concept, and apply defense-in-depth: https://www.siemens.com/cert/operational-guidelines-industrial-security
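The first mitigation bullet, repeated for all six issues above, asks plant controllers to use redundant time sources and plausibility-check the time they receive. The following is an added example of such a check (not Siemens' or the advisory's code): a controller compares samples from several sources, drops any that disagrees with the majority, and refuses clock steps beyond a bound, so a single rebooting, tampered or spoofed SICLOCK cannot move the controller clock on its own. Source names, sample values and thresholds are constructed assumptions.

```python
# Added example: majority-agreement plausibility check for time samples from
# redundant sources. Not Siemens' or the advisory's code; source names,
# sample values and thresholds are constructed assumptions.
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sample:
    source: str      # label of the time source (assumed name)
    epoch_s: float   # reported time, seconds since the Unix epoch


def agreeing_sources(samples, tolerance_s=1.0):
    """Return the samples that lie within tolerance of the median of all.

    With at least two honest sources present, one compromised or faulty
    source cannot move the median, so its sample is the one dropped here.
    """
    if len(samples) < 2:
        raise ValueError("need at least two independent time sources")
    ref = median(s.epoch_s for s in samples)
    return [s for s in samples if abs(s.epoch_s - ref) <= tolerance_s]


def plausible_time(samples, last_known_s, tolerance_s=1.0,
                   max_step_s=3600.0, min_quorum=2):
    """Return (accepted_time_or_None, verdict, rejected_source_names).

    The clock is only updated when enough sources agree (quorum) and the
    step from the controller's last known time is bounded; a consistent
    but implausible jump reported by every source is still refused.
    """
    ok = agreeing_sources(samples, tolerance_s)
    rejected = sorted(s.source for s in samples if s not in ok)
    if len(ok) < min_quorum:
        return None, "no quorum", rejected
    candidate = median(s.epoch_s for s in ok)
    if abs(candidate - last_known_s) > max_step_s:
        return None, "step too large", rejected
    return candidate, "ok", rejected


# Constructed scenario: two NTP servers agree, one source is a day ahead.
T0 = 1530800000.0
SCENARIO = [Sample("ntp-a", T0), Sample("ntp-b", T0 + 0.3),
            Sample("siclock-1", T0 + 86400.0)]

if __name__ == "__main__":
    print(plausible_time(SCENARIO, last_known_s=T0 - 5.0))
```

A rejected source or a "no quorum"/"step too large" verdict is the event a plant SOC should alarm on, since it is exactly what a rebooted or tampered time server (issues 1, 3 and 4 above) would produce.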

Vulnerable software versions

SICLOCK TC400: All versions

SICLOCK TC100: All versions

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.