-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1716
                 Advisory (ICSA-19-134-*) Siemens Products
                                15 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens Products
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Overwrite Arbitrary Files       -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10924 CVE-2019-10922 CVE-2019-10921
                   CVE-2019-10920 CVE-2019-10919 CVE-2019-10918
                   CVE-2019-10917 CVE-2019-10916 CVE-2019-6578
                   CVE-2019-6577 CVE-2019-6576 CVE-2019-6574
                   CVE-2019-6572 CVE-2018-16417 CVE-2018-7084
                   CVE-2018-7083 CVE-2018-7082 CVE-2018-7064

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSA-19-134-02-0
   https://ics-cert.us-cert.gov/advisories/ICSA-19-134-03
   https://ics-cert.us-cert.gov/advisories/ICSA-19-134-04
   https://ics-cert.us-cert.gov/advisories/ICSA-19-134-05
   https://ics-cert.us-cert.gov/advisories/ICSA-19-134-06
   https://ics-cert.us-cert.gov/advisories/ICSA-19-134-07
   https://ics-cert.us-cert.gov/advisories/ICSA-19-134-08
   https://ics-cert.us-cert.gov/advisories/ICSA-19-134-09

Comment: This bulletin contains eight (8) ICS-CERT security advisories.

---------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-19-134-02)

Siemens SIMATIC WinCC and SIMATIC PCS 7

Original release date: May 14, 2019

Legal Notice

All information products included in http://ics-cert.us-cert.gov are
provided "as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service, referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the header.
For more information about TLP, see http://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC WinCC and SIMATIC PCS 7
  o Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated
attacker with access to the affected devices to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the vulnerability affects the following SIMATIC products:

  o SIMATIC PCS 7 v8.0 and earlier
  o SIMATIC PCS 7 v8.1 and newer (if "Encrypted Communication" is disabled)
  o SIMATIC WinCC v7.2 and earlier
  o SIMATIC WinCC v7.3 and newer (if "Encrypted Communication" is disabled)

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

If affected installations do not have "Encrypted Communication" configured, an
unauthenticated attacker with network access may be able to execute arbitrary
code.

CVE-2019-10922 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Water and Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Vladimir Dashchenko and Sergey Temnikov from Kaspersky Lab reported this
vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends the following mitigations:

  o Upgrade SIMATIC WinCC to v7.3 or newer.
  o Upgrade SIMATIC PCS 7 to v8.1 or newer.
  o Enable "Encrypted Communications" (some newer versions have this enabled by
    default).
  o Apply defense-in-depth concepts.

As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends users configure their
environment according to Siemens' operational guidelines for industrial
security and follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For more information on the vulnerability and more detailed mitigation
instructions, please see Siemens security advisory SSA-705517 at the following
location:

http://www.siemens.com/cert/advisories

NCCIC recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

------------------------------------------------------------------------------

Advisory (ICSA-19-134-03)

Siemens LOGO! Soft Comfort

Original release date: May 14, 2019

1. EXECUTIVE SUMMARY

  o CVSS v3 7.8
  o ATTENTION: Low skill level to exploit
  o Vendor: Siemens
  o Equipment: LOGO! Soft Comfort
  o Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to
execute arbitrary code if the attacker tricks a legitimate user into opening a
manipulated project.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the vulnerability affects the following engineering
software to configure and program LOGO! controllers:

  o LOGO! Soft Comfort: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The vulnerability could allow an attacker to execute arbitrary code if the
attacker tricks a legitimate user into opening a manipulated project. In order
to exploit the vulnerability, a valid user must open a manipulated project
file.

CVE-2019-10924 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Transportation
    Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

axt working with iDefense Labs reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends that users only open projects from trusted sources.

As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and
following the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact Siemens ProductCERT:

https://www.siemens.com/cert/advisories

For more information on this vulnerability and associated software updates,
please see Siemens security advisory SSA-102144 on their website:

https://www.siemens.com/cert/advisories

NCCIC recommends users take the following measures to protect themselves from
social engineering attacks:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability. This
vulnerability is not exploitable remotely.

------------------------------------------------------------------------------

Advisory (ICSA-19-134-04)

Siemens LOGO!8 BM

Original release date: May 14, 2019

1. EXECUTIVE SUMMARY

  o CVSS v3 9.4
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: LOGO!8 BM
  o Vulnerabilities: Missing Authentication for Critical Function, Improper
    Handling of Extra Values, Plaintext Storage of a Password

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow device
reconfiguration, access to project files, decryption of files, and access to
passwords.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens LOGO!8 BM, a programmable logic controller,
are affected:

  o Siemens LOGO!8 BM: all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Attackers with access to Port 10005/TCP could perform device reconfigurations
and obtain project files from the devices.

CVE-2019-10919 has been assigned to this vulnerability. A CVSS v3 base score of
9.4 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

3.2.2 IMPROPER HANDLING OF EXTRA VALUES CWE-231

Project data stored on the device, which is accessible via Port 10005/TCP, can
be decrypted due to a hardcoded encryption key.

CVE-2019-10920 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 PLAINTEXT STORAGE OF A PASSWORD CWE-256

Unencrypted storage of passwords in the project could allow an attacker with
access to Port 10005/TCP to obtain passwords of the device.

CVE-2019-10921 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Transportation
    Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Manuel Stotz and Matthias Deeg from SySS GmbH reported these vulnerabilities to
Siemens.

4. MITIGATIONS

The LOGO!8 BM manual recommends protecting access to Port 10005/TCP.

As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and
following the recommendations in the product manuals.

Additional information on industrial security for Siemens devices can be found
at:

https://www.siemens.com/industrialsecurity

For more information on these vulnerabilities and more detailed mitigation
instructions, please see Siemens Security Advisory SSA-542701 at the following
location:

http://www.siemens.com/cert/advisories

NCCIC recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

------------------------------------------------------------------------------

Advisory (ICSA-19-134-05)

Siemens SINAMICS PERFECT HARMONY GH180 Drives NXG I and NXG II

Original release date: May 14, 2019

1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SINAMICS PERFECT HARMONY GH180 Drives NXG I and NXG II
  o Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with
access to the Ethernet Modbus Interface to cause a denial-of-service condition
exceeding the number of available connections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following SINAMICS PERFECT HARMONY GH180 products are affected:

  o SINAMICS PERFECT HARMONY GH180 with NXG I control, MLFBs: 6SR2...-,
    6SR3...-, 6SR4...-: All versions with option G28
  o SINAMICS PERFECT HARMONY GH180 with NXG II control, MLFBs: 6SR2...-,
    6SR3...-, 6SR4...-: All versions with option G28

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Successful exploitation requires no privileges and no user interaction. An
attacker with network access to the device could use the vulnerability to
compromise availability of the affected system.

CVE-2019-6578 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Healthcare and Public Health, Transportation Systems, Water and Wastewater
    Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to NCCIC.

4. MITIGATIONS

Siemens recommends that affected users upgrade to NXGpro control. Please
contact Siemens' customer service to obtain and install the upgrade.

Siemens has identified the following specific workarounds and mitigations that
users can apply to reduce the risk:

  o Install a protocol bridge that isolates the networks and eliminates direct
    connections to the Ethernet Modbus Interface.
  o Apply cell protection concept and implement defense in depth.

For more information see Siemens advisory SSA-606525 located at:

https://www.siemens.com/cert/advisories

NCCIC recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

------------------------------------------------------------------------------

Advisory (ICSA-19-134-06)

Siemens SINAMICS PERFECT HARMONY GH180 Fieldbus Network

Original release date: May 14, 2019

1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SINAMICS PERFECT HARMONY GH180 Fieldbus Network
  o Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial-of-service
condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens has determined this vulnerability applies to the following medium
voltage converters:

  o SINAMICS PERFECT HARMONY GH180 with NXG I control, MLFBs: 6SR2...-,
    6SR3...-, 6SR4...-: All versions with option G21, G22, G23, G26, G28,
    G31, G32, G38, G43 or G46
  o SINAMICS PERFECT HARMONY GH180 with NXG II control, MLFBs: 6SR2...-,
    6SR3...-, 6SR4...-: All versions with option G21, G22, G23, G26, G28,
    G31, G32, G38, G43 or G46

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

An improperly configured parameter read/write execution via fieldbus network
may cause the controller to restart. An attacker with access to the fieldbus
network could cause a denial-of-service condition by sending specially crafted
packets.

The vulnerability could be exploited by an attacker with network access to the
device. Successful exploitation requires no privileges and no user interaction.
An attacker could use the vulnerability to compromise the availability of the
affected system.

CVE-2019-6574 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Healthcare and Public Health, Transportation Systems, Water and Wastewater
    Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to NCCIC.

4. MITIGATIONS

Siemens recommends users upgrade to NXGpro control. Please contact Siemens
customer service to obtain and install the upgrade.

Siemens has identified the following specific workarounds and mitigations that
users can apply to reduce the risk:

  o Disable the fieldbus parameter read/write functionality
  o Apply cell protection concept and implement defense in depth

As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and
following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For further inquiries about security vulnerabilities in Siemens products and
solutions, or for more information about this vulnerability and associated
software updates (outlined in SSA-865156), please contact the Siemens
ProductCERT through the website:

https://www.siemens.com/cert/advisories

NCCIC recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

------------------------------------------------------------------------------

Advisory (ICSA-19-134-07)

Siemens SCALANCE W1750D

Original release date: May 14, 2019

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SCALANCE W1750D
  o Vulnerabilities: Command Injection, Information Exposure, Cross-site
    Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
execute arbitrary commands within the underlying operating system, discover
sensitive information, take administrative actions on the device, or expose
session cookies for an administrative session.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SCALANCE W1750D, a direct access point, are affected:

  o W1750D: All versions prior to 8.4.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 COMMAND INJECTION CWE-77

An unauthenticated user with access to the web interface can execute arbitrary
system commands within the underlying operating system, which may allow the
attacker to copy files, read configuration, write files, delete files, or
reboot the device.

CVE-2018-7084 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 INFORMATION EXPOSURE CWE-200

An unauthenticated attacker can access core dumps of previously crashed
processes through the web interface of the device, which may allow disclosure
of sensitive information.

CVE-2018-7083 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 INFORMATION EXPOSURE CWE-200

An unauthenticated user may retrieve recently cached configuration commands by
sending a crafted URL to the web interface of an affected device, which may
allow disclosure of sensitive information.

CVE-2018-16417 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4 COMMAND INJECTION CWE-77

An authenticated administrative user can execute arbitrary commands on the
underlying operating system.

CVE-2018-7082 has been assigned to this vulnerability. A CVSS v3 base score of
7.2 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.5 CROSS-SITE SCRIPTING CWE-79

If an attacker can trick an administrator into clicking a link, they could then
take administrative actions on the device or expose a session cookie for an
administrative session.

CVE-2018-7064 has been assigned to this vulnerability. A CVSS v3 base score of
6.4 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Healthcare and Public Health, Transportation Systems, and Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Siemens recommends users upgrade to Version 8.4.0.1 or later, which can be
downloaded from the following link:

https://support.industry.siemens.com/cs/us/en/view/109766816/

Siemens has identified the following specific workarounds and mitigations that
users can apply to reduce the risk:

  o Restrict access to the web-based management interface to the internal or
    VPN network.
  o Do not browse other websites and do not click on external links while being
    authenticated to the administrative web interface.
  o Apply appropriate strategies for mitigation.

As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security, and
following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For more information on these vulnerabilities and associated software updates,
please see Siemens security advisory SSA-549547 on their website:

https://www.siemens.com/cert/advisories

NCCIC recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

- -----------------------------------------------------------------------------

Advisory (ICSA-19-134-08)

Siemens SIMATIC PCS 7, WinCC, TIA Portal

Original release date: May 14, 2019

Legal Notice

All information products included in http://ics-cert.us-cert.gov are
provided "as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service, referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the header.
For more information about TLP, see http://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 9.1
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC PCS 7, WinCC Runtime Professional, WinCC (TIA Portal)
  o Vulnerabilities: SQL Injection, Uncaught Exception, Exposed Dangerous
    Method

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
execute arbitrary commands on the affected system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens SIMATIC products are affected:

  o SIMATIC PCS 7 v8.0 and earlier
  o SIMATIC PCS 7 v8.1
  o SIMATIC PCS 7 v8.2
  o SIMATIC PCS 7 v9.0
  o SIMATIC WinCC (TIA Portal) v13
  o SIMATIC WinCC (TIA Portal) v14
  o SIMATIC WinCC (TIA Portal) v15
  o SIMATIC WinCC Runtime Professional, all versions
  o SIMATIC WinCC v7.2 and earlier
  o SIMATIC WinCC v7.3
  o SIMATIC WinCC v7.4
  o SIMATIC WinCC v7.5, all versions prior to v7.5, Update 3

3.2 VULNERABILITY OVERVIEW

3.2.1 SQL INJECTION CWE-89

An attacker with network access to the project file could run arbitrary system
commands with the privileges of the local database server. This may impact the
confidentiality, integrity, and availability of the affected system.

CVE-2019-10916 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:H/UI:N/S:C/
C:H/I:H/A:H ).

3.2.2 UNCAUGHT EXCEPTION CWE-248

An attacker with local access to the project file could cause a
denial-of-service condition on the affected product as the project file is
loaded. Successful exploitation could compromise availability of the affected
system.

CVE-2019-10917 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:N/I:N/A:L ).

3.2.3 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

An authenticated attacker with network access to the DCOM interface could
execute arbitrary commands with SYSTEM privileges. Successful exploitation
could compromise confidentiality, integrity, and availability of the affected
system.

CVE-2019-10918 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy,
    Food and Agriculture, Water and Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Vladimir Dashchenko and Sergey Temnikov from Kaspersky Lab, CNCERT/CC, and
ChengBin Wang from Guoli Security Technology reported these vulnerabilities to
Siemens.

4. MITIGATIONS

Siemens has an update available for this product:

  o SIMATIC WinCC v7.5: Update to v7.5 Update 3

https://support.industry.siemens.com/cs/ww/en/view/109767227/

Siemens recommends users apply the following specific workarounds and
mitigations to reduce risk until updates or patches are available:

  o Apply defense-in-depth strategies.
  o Enable "Encrypted communication" in SIMATIC WinCC and SIMATIC PCS 7.
  o Only open project files from trusted locations.

As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends users configure their
environment according to Siemens' operational guidelines for industrial
security and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For more information on these vulnerabilities and more detailed mitigation
instructions, please see Siemens security advisory SSA-697412 at the following
location:

http://www.siemens.com/cert/advisories

NCCIC recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

- -----------------------------------------------------------------------------

Advisory (ICSA-19-134-09)

Siemens SIMATIC Panels and WinCC (TIA Portal)

Original release date: May 14, 2019

Legal Notice

All information products included in http://ics-cert.us-cert.gov are
provided "as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service, referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the header.
For more information about TLP, see http://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 6.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC WinCC Runtime Advanced, WinCC Runtime Professional,
    WinCC (TIA Portal); HMI Panels
  o Vulnerabilities: Use of Hard-coded Credentials, Insufficient Protection of
    Credentials, Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker with
network access to the device to read/write variables via SNMP.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens SIMATIC products are affected:

  o SIMATIC HMI Comfort Panels, 4" - 22"; all versions prior to v15.1 Update 1
  o SIMATIC HMI Comfort Outdoor Panels, 7" & 15"; all versions prior to v15.1
    Update 1
  o SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, KTP900F;
    all versions prior to v15.1 Update 1
  o SIMATIC WinCC Runtime Advanced; all versions prior to v15.1 Update 1
  o SIMATIC WinCC Runtime Professional; all versions prior to v15.1 Update 1
  o SIMATIC WinCC (TIA Portal); all versions prior to v15.1 Update 1
  o SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel); all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

The affected devices offer SNMP read/write capabilities with a hardcoded
community string, which may allow an attacker to read/write variables over
SNMP. This could compromise the confidentiality and integrity of the affected
system.

CVE-2019-6572 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:L/A:N ).

3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An attacker with network access could potentially obtain a TLS session key and
use it to decrypt TLS traffic. This could impact the confidentiality of
communications between the device and a legitimate user.

CVE-2019-6576 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/
C:H/I:N/A:N ).

3.2.3 CROSS-SITE SCRIPTING CWE-79

The integrated web server could allow a cross-site scripting (XSS) attack if an
attacker is able to modify certain device configuration settings via SNMP. This
could impact confidentiality and integrity of the affected system.

CVE-2019-6577 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:R/S:C/
C:L/I:L/A:N ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy,
    Food and Agriculture, Water and Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Siemens has updates at https://support.industry.siemens.com/cs/ww/en/view/109763890/
for the following products:

  o SIMATIC HMI Comfort Panels, 4" - 22": Update SIMATIC WinCC (TIA Portal) to
    v15.1 Update 1 or newer; then update the panel to v15.1 Update 1 or newer
  o SIMATIC HMI Comfort Outdoor Panels, 7" & 15": Update SIMATIC WinCC (TIA
    Portal) to v15.1 Update 1 or newer; then update the panel to v15.1 Update 1
    or newer
  o SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, KTP900F:
    Update SIMATIC WinCC (TIA Portal) to v15.1 Update 1 or newer; then update
    the panel to v15.1 Update 1 or newer
  o SIMATIC WinCC Runtime Advanced: Update to v15.1 Update 1 or newer
  o SIMATIC WinCC Runtime Professional: Update to v15.1 Update 1 or newer
  o SIMATIC WinCC (TIA Portal): Update to v15.1 Update 1 or newer

Siemens recommends users apply these specific workarounds and mitigations to
reduce risk until an update is available or can be applied:

  o Restrict access to the web interface of the affected devices.
  o Restrict access to Port 161/UDP to trusted devices.
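The hardcoded SNMP community string (CVE-2019-6572) and the "restrict access to Port
161/UDP" workaround above have a monitoring counterpart: alert on SNMP SetRequest PDUs
that reach an HMI panel's agent port from any host outside the trusted set. The
following Python is an added example, not code from ICS-CERT or Siemens; it parses the
SNMPv1/v2c message header from a UDP payload and applies that check. The trusted network
list, the sample packet and its community string are constructed values, since the
advisory does not publish the real one.

```python
"""Flag SNMP SetRequest PDUs reaching 161/UDP from outside an allowlist (added example)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# SNMPv1/v2c PDU context tags (RFC 1157 / RFC 3416); SetRequest is the write operation.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}
SET_REQUEST = 0xA3

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV; short-form length is enough for the small messages used here."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos (short- or long-form length); returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits give the size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

class SnmpHeader(NamedTuple):
    version: int      # 0 = SNMPv1, 1 = SNMPv2c
    community: str
    pdu_type: int

def parse_snmp_header(packet: bytes) -> SnmpHeader:
    """Parse Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMPv1/v2c message")
    ver_tag, ver, pos = read_tlv(body, 0)
    comm_tag, comm, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    if (ver_tag, comm_tag) != (0x02, 0x04) or pdu_tag not in PDU_NAMES:
        raise ValueError("malformed SNMPv1/v2c header")
    return SnmpHeader(int.from_bytes(ver, "big"), comm.decode("latin-1"), pdu_tag)

def suspicious_set(src_ip: str, dst_port: int, payload: bytes, trusted_nets) -> bool:
    """True when a SetRequest hits the agent port from a host outside every trusted network."""
    if dst_port != 161 or parse_snmp_header(payload).pdu_type != SET_REQUEST:
        return False
    src = ip_address(src_ip)
    return not any(src in ip_network(net) for net in trusted_nets)

# Constructed sample, not a real capture: an SNMPv2c SetRequest writing sysContact.0 with a
# placeholder community string (the advisory does not publish the real hardcoded value).
SYS_CONTACT_OID = bytes.fromhex("2b06010201010400")            # 1.3.6.1.2.1.1.4.0
VARBIND_LIST = tlv(0x30, tlv(0x30, tlv(0x06, SYS_CONTACT_OID) + tlv(0x04, b"ops")))
SET_PDU = tlv(SET_REQUEST, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + VARBIND_LIST)
SAMPLE_SET_REQUEST = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"PLACEHOLDER") + SET_PDU)
```

Fed with UDP payloads from a span port or flow collector, `suspicious_set` stays silent on reads and on traffic from the trusted engineering subnet, and fires only on writes from anywhere else, which is exactly the traffic the port-161 restriction is meant to stop.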

As a general security measure, Siemens recommends users configure their
environment according to Siemens' operational guidelines for industrial
security and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For more information on these vulnerabilities and more detailed mitigation
instructions, please see Siemens security advisory SSA-307392 at the following
location:

http://www.siemens.com/cert/advisories

NCCIC recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----