ESB-2017.3112 - [Appliance] Siemens Industrial Products: Denial of service - Remote/unauthenticated 2017-12-06

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3112
           Advisory (ICSA-17-339-01) Siemens Industrial Products
                              6 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens Industrial Products
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12741  

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSA-17-339-01

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-17-339-01)

Siemens Industrial Products

Original release date: December 05, 2017

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.

CVSS v3 7.5

ATTENTION: Remotely exploitable/low skill level to exploit.

Vendor: Siemens

Equipment: Industrial products

Vulnerability: Improper Input Validation

AFFECTED PRODUCTS

Siemens reports the vulnerability affects the following industrial products:

SIMATIC S7-200 Smart: All versions prior to V2.03.01,

SIMATIC S7-400 PN V6: All versions prior to V6.0.6,

SIMATIC S7-400 H V6: All versions,

SIMATIC S7-400 PN/DP V7: All versions,

SIMATIC S7-410 V8: All versions,

SIMATIC S7-300: All versions,

SIMATIC S7-1200: All versions,

SIMATIC S7-1500: All versions,

SIMATIC S7-1500 Software Controller: All versions,

SIMATIC WinAC RTX 2010 incl. F: All versions,

SIMATIC ET 200 Interface modules for PROFINET IO:

SIMATIC ET 200AL: All versions,

SIMATIC ET 200ecoPN: All versions,

SIMATIC ET 200M: All versions,

SIMATIC ET 200MP: All versions,

SIMATIC ET 200pro: All versions,

SIMATIC ET 200S: All versions, and

SIMATIC ET 200SP: All versions.

Development/Evaluation Kits for PROFINET IO:

DK Standard Ethernet Controller: All versions,

EK-ERTEC 200P: All versions prior to V4.5, and

EK-ERTEC 200 PN IO: All versions.

SIMOTION Firmware:

SIMOTION D: All versions prior to V5.1 HF1,

SIMOTION C: All versions prior to V5.1 HF1, and

SIMOTION P: All versions prior to V5.1 HF1.

SINAMICS:

SINAMICS DCM: All versions,

SINAMICS DCP: All versions,

SINAMICS G110M / G120(C/P/D) w. PN: All versions prior to V4.7 SP9 HF1,

SINAMICS G130 and G150: All versions,

SINAMICS S110 w. PN: All versions,

SINAMICS S120: All versions,

SINAMICS S150:

V4.7: All versions, and

V4.8: All versions.

SINAMICS V90 w. PN: All versions.

SINUMERIK 840D sl: All versions,

SIMATIC Compact Field Unit: All versions,

SIMATIC PN/PN Coupler: All versions,

SIMOCODE pro V PROFINET : All versions, and

SIRIUS Soft starter 3RW44 PN: All versions.

IMPACT

Successful exploitation of this vulnerability may allow a remote attacker to 
conduct a denial-of-service (DoS) attack.

MITIGATION

Siemens has provided firmware updates for the following products to fix the 
vulnerability:

SIMATIC S7-200 Smart: Update to V2.03.01:

https://support.industry.siemens.com/cs/cn/en/view/109749409 (link is 
external)

SIMATIC S7-400 PN V6: Update to V6.0.6:

https://support.industry.siemens.com/cs/de/en/view/109474874 (link is 
external)

EK-ERTEC 200P: Update to V4.5:

https://support.industry.siemens.com/cs/ww/en/view/109750012 (link is 
external)

SIMOTION D: Update to V5.1 HF1:

https://support.industry.siemens.com/cs/ww/en/view/31045047 (link is external)

SIMOTION C: Update to V5.1 HF1:

https://support.industry.siemens.com/cs/ww/en/view/31263919 (link is external)

SIMOTION P320-4: Update to V5.1 HF1:

Please contact a Siemens representative for information on how to obtain the 
update.

SINAMICS G110M / G120(C/P/D): Update to V4.7 SP9 HF1:

https://support.industry.siemens.com/cs/ww/en/view/109750507 (link is 
external)

Siemens is preparing further updates and recommends the following mitigations
until patches are available:

Disable SNMP if this is supported by the product (refer to the product 
documentation). Disabling SNMP fully mitigates the vulnerability

Protect network access to Port 161/UDP of affected devices

Apply cell protection concept

Use VPN for protecting network communication between cells

Apply Defense-in-Depth

Siemens recommends users configure the operational environment according to 
Siemens Operational Guidelines for Industrial Security:

https://www.siemens.com/cert/operational-guidelines-industrial-security (link
is external)

For more information on the vulnerability and more detailed mitigation 
instructions, please see Siemens Security Advisory SSA-346262 at the following
location:

http://www.siemens.com/cert/advisories (link is external)

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the 
risk of exploitation of this vulnerability. ICS-CERT reminds organizations to
perform proper impact analysis and risk assessment prior to deploying 
defensive measures.

ICS-CERT also provides a section for control systems security recommended 
practices on the ICS-CERT web page. Several recommended practices are 
available for reading and download, including Improving Industrial Control 
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly 
available in the ICSCERT Technical Information Paper, 
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation 
Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for 
tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

VULNERABILITY OVERVIEW

IMPROPER INPUT VALIDATION CWE-20

Specially crafted packets sent to Port 161/UDP could cause a denial-of-service
condition. The affected devices must be restarted manually.

CVE-2017-12741 has been assigned to this vulnerability. A CVSS v3 base score 
of 7.5 has been assigned; the CVSS vector string is 
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

RESEARCHER

George Lashenko of CyberX reported the vulnerability to Siemens.

BACKGROUND

Critical Infrastructure Sectors: Commercial Facilities, Critical 
Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Germany

Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov (link sends e-mail)

Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: 
http://ics-cert.us-cert.gov

or incident reporting: https://ics-cert.us-cert.gov/Report-Incident?

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWic4xIx+lLeg9Ub1AQjcERAAmntCzKOa9mDkIFByw8HbdacvFdubAgu3
7Cgfkr2w4lYrxOm4aBVnqdb9j8Qd6BKpuAQpjqvi5zaXhMoRPEFemhFuCppEsVwh
arVzlWOzsOsKejuZCa6c6cdd2Xjfg/mh8+RWYV4aH2JcxEO9yHslvr3JRZNceOSN
O1SZzTQvyQw9R578obpIFDsHbAsdRHFylvbzk9UQZuG0H2JJtosYwHX4I1kX5U3l
HBPyE0tfl+2JfEDk5w6IQB3nbhI9fqtC9x59rG9iaBaX5kjotVRQen0C79WdJ/yF
Rtt60GVtLn2VYs4zhIlZdXpUU3cT402vi8+bRj4btuaeNrtNl2gMg2OskmZOx1oS
SIs3vyGR32pL4WXIJ4S7ogApXrrdfMOsaSciWsVxhNs7v1w38+fEN9dzwf77yaYH
cnIvbD6XnERbGMaVzB/5A9L9N8yvXa2icS/OpGVgjqkfazwD3kwFqCyOYpodUJj+
pRZxaOEVq0gD2N/d+tfq7dOSgPRO67zBqfvgCZjCP3pX34jhF3FcYRR0WajcaHH4
5782o5a+vty/MbeBqNIXUM7otHTvVGOgWAfp9JH5qB0RCjhjXCBJEE1z304yUv5I
O96LsBtCzkFr6661NvK/29I6sqj0eWsJTs4IJei0qBWEiJwIBe2t5wtihmvX9NeK
yTt9dh2Dzs8=
=R000
-----END PGP SIGNATURE-----

« Back to bulletins