ESB-2017.2903.3 - UPDATE [Appliance] Siemens SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products: Multiple vulnerabilities 2017-12-20


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2903.3
        Siemens SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products
                             20 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SCALANCE
                   SIMATIC
                   RUGGEDCOM
                   SINAMICS
Publisher:         Siemens
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13088 CVE-2017-13087 CVE-2017-13086
                   CVE-2017-13084 CVE-2017-13082 CVE-2017-13081
                   CVE-2017-13080 CVE-2017-13079 CVE-2017-13078
                   CVE-2017-13077  

Reference:         ESB-2017.2600
                   ESB-2017.2599
                   ESB-2017.2601.3

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSA-17-318-01B

Revision History:  December 20 2017: Updated affected products and mitigations (patches)
                   December  6 2017: This updated advisory contains mitigation details for
                                     security features vulnerabilities in the Siemens SCALANCE,
                                     SIMATIC, RUGGEDCOM, and SINAMICS Products.
                   November 15 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Vendor: Siemens

Equipment: SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products

Vulnerabilities: Security Features

UPDATE INFORMATION

This updated advisory is a follow-up to the updated advisory titled
ICSA-17-318-01A Siemens SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products
that was published December 5, 2017, on the NCCIC/ICS-CERT web site.

AFFECTED PRODUCTS

- --------- Begin Update B Part 1 of 2 --------

Siemens reports that the key reinstallation attacks (KRACK) potentially affect
the following Siemens industrial products:

  * SCALANCE W1750D: All versions,
  * SCALANCE WLC711: All versions,
  * SCALANCE WLC712: All versions,
  * SCALANCE W-700 (IEEE 802.11n): All versions prior to V6.2.1,
  * SCALANCE W-700 (IEEE 802.11a/b/g): All versions,
  * SIMATIC IWLAN-PB/LINK: All versions,
  * RUGGEDCOM RX1400 with WLAN interface: All versions prior to V2.11.2,
  * RUGGEDCOM RS9xxW: All versions,
  * SIMATIC Mobile Panel 277(F) IWLAN: All versions,
  * SIMATIC ET200 PRO IM154-6 PN IWLAN: All versions
  * SINAMICS V20 Smart Access Module: All versions, and
  * SIMATIC RF350M: All versions with Summit Client Utility prior to V22.3.5.16
  * SIMATIC RF650M: All versions with Summit Client Utility prior to
    V22.3.5.16.

- --------- End Update B Part 1 of 2 ----------

IMPACT

Successful exploitation of these vulnerabilities could potentially allow an
attacker within the radio range of the wireless network to decrypt, replay, or
inject forged network packets into the wireless communication.

MITIGATION

- --------- Begin Update B Part 2 of 2 --------

Siemens has provided the following updates to address the vulnerabilities in
the affected products:

  * SCALANCE W-700 (IEEE 802.11n): V6.2.1:

https://support.industry.siemens.com/cs/ww/en/view/109752596

  * RUGGEDCOM ROX II for RX1400 with WLAN interface: V2.11.2:

Contact the RUGGEDCOM support team at: https://support.industry.siemens.com/my/
WW/en/requests#createRequest

  * SIMATIC RF350M and SIMATIC RF650M: V22.3.5.16 from:

https://support.industry.siemens.com/cs/ww/en/view/109752556

- --------- End Update B Part 2 of 2 ----------

SCALANCE W1750D devices are not vulnerable in the default configuration. Only
users who enable the "Mesh" or "WiFi uplink" functionality are affected by the
vulnerabilities. Disabling these functionalities will completely mitigate the
vulnerabilities.

SCALANCE WLC711 and WLC712 can deactivate IEEE 802.11r, "MeshConnect," and
"Client Bridge Mode" to reduce the risk, provided these modes have been
activated and are not required for the operation of the wireless environment.
All three functions are turned off by default.

SCALANCE W-700 standalone Access Points, RUGGEDCOM RX1400 and RS9xxW, are not
vulnerable if operated in Access Point mode.

SCALANCE W-700 standalone devices, SIMATIC Mobile Panel 277F IWLAN, and SIMATIC
ET200 WLAN, are not affected if the iPCF, iPCF-MC, or iPCF-HT features are
enabled.

For the remaining affected products or if the mitigations outlined previously
cannot be implemented, Siemens recommends the following mitigations in the
meantime:

  * Ensure multiple layers of security. Do not depend on the security of WPA2
    alone.
  * Use WPA2-CCMP (AES) instead of WPA2-TKIP or WPA-GCMP, if supported by the
    WLAN clients, to reduce the risk of potential attacks.
  * Apply defense-in-depth.

https://www.siemens.com/cert/operational-guidelines-industrial-security

For more information on this vulnerability and more detailed mitigation
instructions, please see Siemens Security Advisory SSA-901333 at the following
location:

http://www.siemens.com/cert/en/cert-security-advisories.htm

ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber
Intrusion Detection and Mitigation Strategies, that is available for download
from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

These vulnerabilities have been publicly disclosed. These vulnerabilities are
exploitable from an adjacent network. High skill level is needed to exploit.

VULNERABILITY OVERVIEW

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) allows reinstallation of the pairwise key
in the four-way handshake.

CVE-2017-13077 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L
/I:L/A:N).
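The pairwise-key reinstallation described above is dangerous because the CCMP nonce is derived from the packet number (PN), which a naive supplicant resets to zero every time it installs a key, so a retransmitted message 3 makes the client reuse (key, nonce) pairs. The following Python is an added example, not Siemens or ICS-CERT code: a deliberately simplified model of the supplicant side of the four-way handshake (no 802.11 framing, a constructed key value, and a `reject_reinstall` switch that stands in for the behaviour of a patched implementation) showing how the fix, refusing to reset the PN when message 3 carries a key that is already installed, keeps every (TK, PN) pair unique.

```python
# Toy supplicant model for the WPA2 four-way handshake (added example, not
# vendor code). The key value below is constructed for the demonstration.
TK = b"tk-constructed-example"


class Supplicant:
    def __init__(self, reject_reinstall):
        # True models a patched client: a key that is already installed is not
        # reinstalled, so the packet number keeps counting upward.
        self.reject_reinstall = reject_reinstall
        self.tk = None             # currently installed temporal key
        self.pn = 0                # CCMP packet number; must never repeat under one TK
        self.used_nonces = set()   # (TK, PN) pairs already used for encryption

    def on_msg3(self, tk):
        """Process EAPOL-Key message 3. It may legitimately arrive more than once,
        because the AP retransmits it if message 4 was lost."""
        if self.reject_reinstall and tk == self.tk:
            # Key already in use: answer with message 4 but leave PN untouched.
            return "ignored"
        self.tk = tk
        self.pn = 0   # the reset that a retransmitted message 3 can trigger
        return "installed"

    def send_frame(self):
        """Encrypt one data frame; returns True if (TK, PN) was already used."""
        self.pn += 1
        nonce = (self.tk, self.pn)
        reused = nonce in self.used_nonces
        self.used_nonces.add(nonce)
        return reused


def simulate(reject_reinstall, frames_between=3):
    """Run a handshake, send some frames, replay message 3, send more frames.
    Returns True if any (TK, PN) pair was reused, i.e. nonce reuse occurred."""
    s = Supplicant(reject_reinstall)
    s.on_msg3(TK)
    reuse_seen = False
    for _ in range(frames_between):
        reuse_seen |= s.send_frame()
    s.on_msg3(TK)   # message 3 delivered a second time with the same key
    for _ in range(frames_between):
        reuse_seen |= s.send_frame()
    return reuse_seen


if __name__ == "__main__":
    print("naive client reuses a nonce:  ", simulate(reject_reinstall=False))
    print("patched client reuses a nonce:", simulate(reject_reinstall=True))
```

The model only tracks the key and packet number; it deliberately leaves out the replay counter, group keys and the other handshakes listed in this advisory, each of which has the same shape of fix (do not reset per-key state when the same key is presented again).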

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) allows reinstallation of the group
temporal key (GTK) during the four-way handshake, allowing an attacker within
radio range to replay frames from access points to clients.

CVE-2017-13078 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L
/I:L/A:N).

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) that supports IEEE 802.11w allows
reinstallation of the integrity group temporal key (IGTK) during the four-way
handshake, allowing an attacker within radio range to spoof frames from access
points to clients.

CVE-2017-13079 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L
/I:H/A:N).

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) allows reinstallation of the group
temporal key (GTK) during the group key handshake, allowing an attacker within
radio range to replay frames from access points to clients.

CVE-2017-13080 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L
/I:L/A:N).

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) that supports IEEE 802.11w allows
reinstallation of the integrity group temporal key (IGTK) during the group key
handshake, allowing an attacker within radio range to spoof frames from access
points to clients.

CVE-2017-13081 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L
/I:L/A:N).

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) that supports IEEE 802.11r allows
reinstallation of the pairwise transient key (PTK) temporal key (TK) during the
fast BSS transmission (FT) handshake, allowing an attacker within radio range
to replay, decrypt, or spoof frames.

CVE-2017-13082 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H
/I:H/A:N).

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) allows reinstallation of the
station-to-station-link (STSL) transient key (STK) during the PeerKey
handshake, allowing an attacker within radio range to replay, decrypt, or spoof
frames.

CVE-2017-13084 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H
/I:H/A:N).

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) allows reinstallation of the tunneled
direct-link setup (TDLS) peer key (TPK) during the TDLS handshake, allowing an
attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13086 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H
/I:H/A:N).

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) that support 802.11v allows
reinstallation of the group temporal key (GTK) when processing a wireless
network management (WNM) sleep mode response frame, allowing an attacker within
radio range to replay frames from access points to clients.

CVE-2017-13087 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L
/I:L/A:N).

SECURITY FEATURES CWE-254

Wi-Fi protected access (WPA and WPA2) that support 802.11v allows
reinstallation of the integrity group temporal key (IGTK) when processing a
wireless network management (WNM) sleep mode response frame, allowing an
attacker within radio range to replay frames from access points to clients.

CVE-2017-13088 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L
/I:L/A:N).

RESEARCHER

Mathy Vanhoef, of the Katholieke Universiteit Leuven in Belgium, discovered
these vulnerabilities.

BACKGROUND

Critical Infrastructure Sectors: Chemical, Energy, Food and Agriculture,
Healthcare and Public Health, Transportation Systems, and Water and Wastewater
Systems

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Germany


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: http://ics-cert.us-cert.gov
or incident reporting: https://ics-cert.us-cert.gov/Report-Incident

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWjoMVox+lLeg9Ub1AQgTexAAjTARWmWwWQdcToTq4y6mO0wqKOrf6+j+
dNV+z97ptRpbkRZiLZxxZ0b6XntAsRgutz/fBSqDvBOAtL+ZmAWlXZ42r1ygwJGC
AfHNyAMz2/kJ9HbuAaj3xyR1ilb67EHKrwPjDaqvsBRs/XmGA057gXANPmnKCUBh
+D4hVQTHXYDfPNBCzF5a7PPLx9mU35SyT2nrc/LwaJUYFDEtT66nd/eip47/WgIa
u1YBUZXkBhloUXkhlImubI732EHjmhe2IUNqt2RxPvRYpGfYxiOmMyDRl/7TA7NO
BgH155W/7ZaoHZZptk459m/fvpuPfZ2kyX6VXjpZgW5FbqAp6QueDpPLrVnoAaUw
2fDLIviwYAdcK6tuyb9XVchJQSiG6671WXW8U2bFgerOydfevAKpO6yILVl1hZ/3
9+0fruC+zUPSD3TDXpKtdbIBXHsHs6jwxV6Sg0NO/etGXF+nH5mfs9Cl6uT+8jNu
hQ8Ms7NPxaBlyQ6/uANx5jQHADt8N3MsTxeNnxHNtWT3jHoTcUsaftjpNKQm89fM
l+5WCcmtvk0Z/wPzF++6wtM+I0ZMvvs17jxqV+f0naDSH0qkHh3nprM7LM6gJb/l
lTmMiFFQeF1S/SD6SNepv2yVnR+OyztBF5jMCMPPQzIfN/UjwY7wLh2h6LUObqxG
qW5KzgaVcXY=
=APpZ
-----END PGP SIGNATURE-----
