Date: 09 January 2012
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0033
Siemens Automation License Manager Multiple Vulnerabilities
9 January 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens Automation License Manager
Publisher: US-CERT
Operating System: Windows XP
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows 7
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Create Arbitrary Files -- Remote with User Interaction
Delete Arbitrary Files -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-4532 CVE-2011-4531 CVE-2011-4530
CVE-2011-4529
Original Bulletin:
www.us-cert.gov/control_systems/pdf/ICSA-11-361-01.pdf
Comment: Publicly released PoC code exists for these vulnerabilities
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS-CERT Advisory ICSA-11-361-01
ICS-CERT ADVISORY
ICSA-11-361-01 SIEMENS AUTOMATION LICENSE MANAGER MULTIPLE VULNERABILITIES
December 27, 2011
OVERVIEW
This Advisory is a follow-up to the original Alert titled "ICS-ALERT-11-332-01A
- -Siemens Automation License Manager Multiple vulnerabilities" that was
published December 02, 2011, on the ICS-CERT web page.
ICS-CERT is aware of publicly disclosed reports of four vulnerabilities in
Siemens Automation License Manager (ALM) application. These vulnerabilities
include:
* Buffer overflow
* Exception
* Null pointer
* Improper input validation.
Independent researcher Luigi Auriemma publicly disclosed four vulnerabilities
along with proof-of-concept (PoC) exploit code without coordination from
Siemens, ICS-CERT, or any other coordinating entity known to ICS-CERT.
Siemens has confirmed these vulnerabilities and has released a patch to address
the issue. ICS-CERT has not validated the patch.
AFFECTED PRODUCTS
Siemens software products that include ALM Version 4.0 to 5.1+SP1+Upd1 are
affected by the buffer overflow, exception, and null pointer vulnerabilities.
Siemens software products that include ALM Version 2.0 to 5.1+SP1+Upd2 are
affected by the improper input validation vulnerability.
IMPACT
Successful exploitation of these vulnerabilities could result in denial of
service, write to memory, file corruption, or remote code execution.
Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of these vulnerabilities based on their operational environment, architecture,
and product implementation.
BACKGROUND
Siemens is a German multinational company headquartered in Munich with
activities in the fields of industry, energy, and healthcare.
Siemens ALM is an application that centrally manages licenses for various
Siemens products. The products contact ALM either locally or remotely to verify
their license. This software is used in many industries including: food and
beverage, water and wastewater, oil and gas, and chemical.
VULNERABILITY CHARACTERIZATION
VULNERABILITY OVERVIEW
BUFFER OVERFLOW
ALM does not check the length of a field used in various commands sent to the
server via TCP port 4410. This vulnerability may lead to remote code execution.
CVE-2011-4529 has been assigned to this vulnerability. A CVSS V2 base score
of 8.3 has also been calculated by Siemens. [a]
In multiple cases, ALM does not check the length of fields used in various
commands sent to the server via TCP Port 4410. These vulnerabilities cause
exceptions within the application, which cause the application to quit and
enable denial-of-service attacks.
CVE-2011-4530 has been assigned to this vulnerability. A CVSS V2 base score
of 6.1 has also been calculated by Siemens. [b]
NULL POINTER
ALM does not check the content of a field used for command sent to the server
via TCP port 4410. This vulnerability causes a null pointer dereference, which
cause the application to quit and enables a Denial-of-Service attack.
CVE-2011-4531 has been assigned to this vulnerability. A CVSS v2 base score of
6.1 has also been calculated by Siemens. [c]
IMPROPER INPUT VALIDATION
ALM uses an ActiveX control in its graphical user interface. This control
exports a method that allows saving a file to the local hard disk. A malicious
web site that the user accesses with Internet Explorer may delete the content
of any file on the system that the user is allowed to write to, and create new
files.
CVE-2011-4532 has been assigned to this vulnerability. A CVSS v2 base score of
8.8 has also been calculated by Siemens. [d]
VULNERABILITY DETAILS
EXPLOITABILITY
These vulnerabilities are remotely exploitable.
EXISTENCE OF EXPLOIT
Publicly released PoC code exists for these vulnerabilities.
DIFFICULTY
Crafting a working exploit for these vulnerabilities would require a moderate
skill level. Social engineering is required to exploit the improper input
validation vulnerability.
MITIGATION
Siemens has released a patch to its customers to address these vulnerabilities.
Customers of vulnerable versions of Siemens ALM should deploy the Siemens
patch available at: http://support.automation.siemens.com/WW/view/en/114358
For more information, please see Siemens Security Advisory announcement
available at: http://www.siemens.com/cert/advisories/
ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.
* Minimize network exposure for all control system devices. Critical
devices should not directly face the Internet.
*Locate control system networks and remote devices behind firewalls,
and isolate them from the business network.
* When remote access is required, use secure methods, such as Virtual
Private Networks (VPNs), recognizing that VPN is only as secure as the
connected devices.
The Control Systems Security Program (CSSP) also provides a section for control
system security recommended practices on the CSSP web page. Several recommended
practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. [e]
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents. ICS-CERT reminds
organizations to perform proper impact analysis and risk assessment prior to
taking defensive measures.
In addition, ICS-CERT recommends that users take the following measures to
protect themselves from social engineering attacks:
1. Do not click web links or open unsolicited attachments in e-mail
messages
2. Refer to Recognizing and Avoiding Email Scams [f]
3. Refer to Avoiding Social Engineering and Phishing Attacks for
more information on avoiding e-mail scams [g]
REFERENCES
a. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4529, NIST uses
this advisory to create the CVE website report. This website will be active
sometime after publication of this advisory.
b. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4530, NIST uses
this advisory to create the CVE website report. This website will be active
sometime after publication of this advisory.
c. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4531, NIST uses
this advisory to create the CVE website report. This website will be active
sometime after publication of this advisory.
d. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4532, NIST use
this advisory to create the CVE website report. This website will be active
sometime after publication of this advisory.
e. CSSP Recommended Practices, for more information on social engineering
attacks.
http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
website last accessed December 27, 2011.
f. Recognizing and Avoiding Email Scams,
http://www.us-cert.gov/reading_room/emailscams_0905.pdf,
website last accessed December 27, 2011.
g. National Cyber Alert System Cyber Security Tip ST04-014,
http://www.us-cert.gov/cas/tips/ST04-014.html,
website last accessed December 27, 2011.
ICS-CERT CONTACT
For any questions related to this report, please contact ICS-CERT at:
E-mail: ics-cert@dhs.gov Toll Free: 1-877-776-7585 For CSSP Information and
Incident Reporting: www.ics-cert.org
DOCUMENT FAQ
What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and
operators concerning ongoing cyber events or activity with the potential to
impact critical infrastructure computing networks.
When is vulnerability attribution provided to researchers? Attribution for
vulnerability discovry is always provided to the vulnerability reporter unless
the reporter notifies ICS-CERT that they wish to remain anonymous. ICS-CERT
encourages researchers to coordinate vulnerability details before public
release. The public release of vulnerability details prior to the development
of proper mitigations may put industrial control systems and the public at
avoidable risk.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTwpxA+4yVqjM2NGpAQL41g/+N6BcnWfNM1fPCyBD5daLgtnGJB4OI3ik
lMf4fKbgfiG7RcRIOZQBRLuPX6DrF5x0zJKloGLzPxl2sgyH8WEw2h0RzpMAsgiV
8d36DVkXLp/FWaGpLBieRryKfhD+z9NRea75phpqUM0ZRj8hP72YeNEL0JFG95LG
qsaTaXRZXBt4IRxdVGGWCvFcRaEmj+8CxdyrI4twxkbX2063f6BuNSmPJxYKESg7
nzVeI5lJwpTzjdySwQ1luYtaTNZsA5LrtEHTmakngxDwKn8jXtnE43f/A3Nj2CEm
f2C3PuSVF/lIx9rIyw949hPfCN1TEp6B/zeNLSiIT00g6BT2q7VriJgXUSy908yM
cMcNbyJca04lf5Wol9XcDV3Vb/kX62gpdcCL7c6g5ehBKX9AxTH14Apu21Kx2S5c
MfSJ7lap9AWkl8jLI4mhdUw5lmv3fk/kFcDII3N+Xu3gEeoaTt8nOun5iQ2vqWAI
wIPq/qVW8awG/mFEEHy/nQHiGM8Y90I/cjmk255tFqCZB9BXBkA3iHqjuIK8Pn6b
csVBAXre2liLGOb4JQrQJNgNBn98lAcI7H3RnI4xuO5pXj9hRNppvXGi5RCSYymk
/TCkbqg/5DM8p7jwFtYUUIev9hQdNKg7mnL8bjlB55J+E7H/lBqPYuB/ykrMeEnX
8/P/SpivhFU=
=uJ4l
-----END PGP SIGNATURE-----
|