Multiple vulnerabilities in Siemens SIMATIC panels



Published: 2018-11-14
Risk: Low
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2018-13812, CVE-2018-13813, CVE-2018-13814
CWE-ID: CWE-22, CWE-601, CWE-113
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Siemens SIMATIC WinCC
Server applications / SCADA systems

SIMATIC HMI MP Mobile Panel
Server applications / SCADA systems

SIMATIC HMI OP
Server applications / SCADA systems

SIMATIC HMI MP
Server applications / SCADA systems

SIMATIC HMI TP
Server applications / SCADA systems

SIMATIC WinCC Runtime Advanced
Server applications / SCADA systems

SIMATIC HMI KTP900F
Server applications / SCADA systems

SIMATIC HMI KTP900
Server applications / SCADA systems

SIMATIC HMI KTP700F
Server applications / SCADA systems

SIMATIC HMI KTP700
Server applications / SCADA systems

SIMATIC HMI KTP400F
Server applications / SCADA systems

SIMATIC HMI Comfort Outdoor Panels 7” & 15”
Server applications / SCADA systems

SIMATIC HMI Comfort Panels 4”-22”
Server applications / SCADA systems

SIMATIC WinCC Runtime Professional
Server applications / SCADA systems

SIMATIC WinCC (TIA Portal)
Server applications / SCADA systems

Vendor: Siemens

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU15887

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-13812

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to directory traversal. A remote attacker with network access to the integrated web server can conduct a directory traversal attack and download arbitrary files from the device.

Mitigation

Update the affected products to version 15 Update 4.

Vulnerable software versions

Siemens SIMATIC WinCC: before 15 Update 4

SIMATIC HMI MP Mobile Panel: before 15 Update 4

SIMATIC HMI OP: before 15 Update 4

SIMATIC HMI MP: before 15 Update 4

SIMATIC HMI TP: before 15 Update 4

SIMATIC WinCC Runtime Advanced: before 15 Update 4

SIMATIC HMI KTP900F: before 15 Update 4

SIMATIC HMI KTP900: before 15 Update 4

SIMATIC HMI KTP700F: before 15 Update 4

SIMATIC HMI KTP700: before 15 Update 4

SIMATIC HMI KTP400F: before 15 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 15 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 15 Update 4

SIMATIC WinCC Runtime Professional: before 15 Update 4

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-317-08


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Open redirect

EUVDB-ID: #VU15888

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-13813

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote attacker to redirect victims to an arbitrary URI.

The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary URI.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation

Update the affected products to version 15 Update 4.

Vulnerable software versions

Siemens SIMATIC WinCC: before 15 Update 4

SIMATIC HMI MP Mobile Panel: before 15 Update 4

SIMATIC HMI OP: before 15 Update 4

SIMATIC HMI MP: before 15 Update 4

SIMATIC HMI TP: before 15 Update 4

SIMATIC WinCC Runtime Advanced: before 15 Update 4

SIMATIC HMI KTP900F: before 15 Update 4

SIMATIC HMI KTP900: before 15 Update 4

SIMATIC HMI KTP700F: before 15 Update 4

SIMATIC HMI KTP700: before 15 Update 4

SIMATIC HMI KTP400F: before 15 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 15 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 15 Update 4

SIMATIC WinCC Runtime Professional: before 15 Update 4

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-317-08


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) HTTP header injection

EUVDB-ID: #VU15889

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-13814

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to inject HTTP headers on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote unauthenticated attacker can trick the victim into clicking on a malicious link and use the integrated web server (ports 80/TCP and 443/TCP) to inject HTTP headers.
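
A defender's triage sketch for the three weakness classes described in this bulletin, added here as an example (not Siemens or bulletin code): it tags request targets from a web or proxy log that show traversal segments, off-site redirect values, or CR/LF after percent-decoding. The log format, paths and parameter names are constructed assumptions, since the bulletin does not publish the affected request details.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (hypothetical paths/parameters): client method target status
SAMPLE_LOG = """\
10.0.5.20 GET /start.html 200
10.0.5.77 GET /files/..%2f..%2fsettings.cfg 200
10.0.5.77 GET /files/%252e%252e/%252e%252e/settings.cfg 404
10.0.9.14 GET /login?next=https://example.invalid/portal 302
10.0.9.14 GET /login?next=/start.html 302
10.0.9.31 GET /lang?id=en%0d%0aX-Constructed:%201 200
"""

# Absolute ("scheme://") or scheme-relative ("//host") URL in a parameter value.
OFFSITE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?[/\\]{2}", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def has_dotdot(text):
    """True if any path segment is '..' (either slash style)."""
    return ".." in text.replace("\\", "/").split("/")

def classify(target):
    """Return the CWE tags (as listed on this page) a request-target matches."""
    tags = set()
    parts = urlsplit(target)
    values = [fully_decode(v) for _, v in parse_qsl(parts.query)]
    if has_dotdot(fully_decode(parts.path)) or any(has_dotdot(v) for v in values):
        tags.add("CWE-22")   # traversal segment in path or parameter
    if any(OFFSITE.match(v.strip()) for v in values):
        tags.add("CWE-601")  # parameter value points off-site
    if re.search(r"[\r\n]", fully_decode(target)):
        tags.add("CWE-113")  # CR/LF appears once the target is decoded
    return tags

def scan(log_text):
    """Return (client, request-target, tags) for every flagged line."""
    rows = (line.split() for line in log_text.splitlines())
    tagged = ((client, target, classify(target)) for client, _m, target, _s in rows)
    return [(c, t, sorted(tags)) for c, t, tags in tagged if tags]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Matches are leads for review, not proof of exploitation; a hit on a panel still running a version before 15 Update 4 is the case to prioritise.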

Mitigation

Update all affected products to version 15 Update 4.

Vulnerable software versions

SIMATIC HMI Comfort Panels 4”-22”: before 15 Update 4

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 15 Update 4

SIMATIC HMI KTP900F: before 15 Update 4

SIMATIC HMI KTP900: before 15 Update 4

SIMATIC HMI KTP700F: before 15 Update 4

SIMATIC HMI KTP700: before 15 Update 4

SIMATIC HMI KTP400F: before 15 Update 4

SIMATIC WinCC Runtime Professional: before 15 Update 4

SIMATIC WinCC Runtime Advanced: before 15 Update 4

SIMATIC WinCC (TIA Portal): before 15 Update 4

SIMATIC HMI MP Mobile Panel: before 15 Update 4

SIMATIC HMI OP: before 15 Update 4

SIMATIC HMI MP: before 15 Update 4

SIMATIC HMI TP: before 15 Update 4

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-317-03


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


