-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0486
            Siemens: Multiple Products:Multiple vulnerabilities
                             12 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens: Multiple Products
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Administrator Compromise        -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-20046 CVE-2019-20045 CVE-2019-19282
                   CVE-2019-19277 CVE-2019-18217 CVE-2019-13946
                   CVE-2019-13941 CVE-2019-13940 CVE-2019-13926
                   CVE-2019-13925 CVE-2019-13924 CVE-2019-12815
                   CVE-2019-6585 CVE-2018-18065 CVE-2015-5621

Reference:         ESB-2016.0323
                   ESB-2016.0322
                   ESB-2016.0319

Original Bulletin: 
   https://www.us-cert.gov/ics/advisories/icsa-20-042-01
   https://www.us-cert.gov/ics/advisories/icsa-20-042-02
   https://www.us-cert.gov/ics/advisories/icsa-20-042-03
   https://www.us-cert.gov/ics/advisories/icsa-20-042-04
   https://www.us-cert.gov/ics/advisories/icsa-20-042-05
   https://www.us-cert.gov/ics/advisories/icsa-20-042-06
   https://www.us-cert.gov/ics/advisories/icsa-20-042-07
   https://www.us-cert.gov/ics/advisories/icsa-20-042-08
   https://www.us-cert.gov/ics/advisories/icsa-20-042-09
   https://www.us-cert.gov/ics/advisories/icsa-20-042-10

Comment: This bulletin contains ten (10) ICS-CERT security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-20-042-01)

Synergy Systems & Solutions HUSKY RTU

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Synergy Systems & Solutions (SSS)
  o Equipment: HUSKY RTU
  o Vulnerabilities: Improper Authentication, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
read sensitive information, execute arbitrary code, or cause a
denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of HUSKY RTU, a remote terminal unit, are affected:

  o HUSKY RTU 6049-E70, with firmware Versions 5.0 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER AUTHENTICATION CWE-287

The affected product does not require adequate authentication, which may allow
an attacker to read sensitive information or execute arbitrary code.

CVE-2019-20046 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

Specially crafted malicious packets could cause disconnection of active
authentic connections or reboot of device.

CVE-2019-20045 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy, Transportation Systems
  o COUNTRIES/AREAS DEPLOYED: Asia
  o COMPANY HEADQUARTERS LOCATION: India

3.4 RESEARCHER

The VAPT Team, C3i Center, IITK, UP, India, reported to CISA that they had
coordinated these vulnerabilities directly with SSS.

4. MITIGATIONS

SSS makes the following recommendations to mitigate risk.

  o Upgrade to firmware Version 5.1.2 or higher. Consult with SSS for possible
    issues during upgrade, prior to implementing this recommendation.
  o Implement network segmentation and firewall policies to reduce exposure of
    the RTU to uncontrolled and unprotected access.
  o Follow recommended security practices and configure firewalls to help
    protect an industrial control network from attacks that originate from
    outside the network. Such practices include ensuring that protection,
    control, and automation systems are physically protected from direct access
    by unauthorized personnel, have no direct connections to the Internet, are
    separated from other networks by means of a firewall system that has a
    minimal number of ports exposed, and other practices to be evaluated case
    by case.
  o Do not allow the use of protection, control, and automation systems for
    Internet surfing, instant messaging, or receiving e-mails.
  o Block all nontrusted IP communications.
  o Configure trusted IP address access (IP whitelisting) in the RTU
    configuration for IEC-104 protocol to restrict hosts that can access the
    RTU.
  o Implement passwords in the RTU to restrict access to the RTU, via Husky
    Studio.
  o If possible, set up an SSL tunnel between the RTU and control center to
    restrict access to the RTU.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-02)

Siemens Industrial Products SNMP Vulnerabilities

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: Various SCALANCE, SIMATIC, SIPLUS products
  o Vulnerabilities: Data Processing Errors, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote attackers
to conduct a denial-of-service attack by sending specially crafted packets to
Port 161/UDP (SNMP).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

  o IE/PB LINK PN IO (including SIPLUS NET variants): All versions
  o SCALANCE S602: All versions
  o SCALANCE S612: All versions
  o SCALANCE S623: All versions
  o SCALANCE S627-2M: All versions
  o SIMATIC CP 1623: All versions prior to Version 14.00.15.00_51.25.00.01
  o SIMATIC CP 1626: All versions
  o SIMATIC CP 1628: All versions prior to Version 14.00.15.00_51.25.00.01
  o SIMATIC CP 343-1 Advanced (including SIPLUS NET variants): All versions
  o SIMATIC CP 443-1 (including SIPLUS NET variants): All versions
  o SIMATIC CP 443-1 Advanced (including SIPLUS NET variants): All versions
  o SIMATIC CP 443-1 OPC UA: All versions
  o TIM 1531 IRC (including SIPLUS NET variants): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 DATA PROCESSING ERRORS CWE-19

An error in the message handling of SNMP messages allows remote attackers to
cause a denial-of-service condition and execute arbitrary code via a crafted
packet sent on Port 161/UDP (SNMP).

CVE-2015-5621 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.2 NULL POINTER DEREFERENCE CWE-476

A NULL pointer exception bug within the SMNP handling code allows authenticated
attacker to remotely cause a denial-of-service condition via a crafted packet
sent on Port 161/UDP (SNMP).

CVE-2018-18065 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:U/
C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Healthcare and Public Health, Transportation Systems, and Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Artem Zinenko of Kaspersky Lab reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends users
update to the new version. Siemens is preparing further updates and recommends
specific countermeasures until patches are available.

  o For SCALANCE S612, SCALANCE S623, and SCALANCE S627-2M products, migrate to
    SCALANCE SC-600 Industrial Security Appliances.
  o For SIMATIC CP 1623 and SIMATIC CP 1628, update to SIMATIC NET PC Software
    Version 16
  o For TIM 1531 IRC or SIPLUS NET variants, update to Version 2.0

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Disable SNMP if this is supported by the product (refer to the product
    documentation). Disabling SNMP fully mitigates these vulnerabilities.
  o Protect network access to Port 161/UDP of affected devices.
  o Apply cell protection concept and implement defense-in-depth .
  o Use VPN for protecting network communication between cells.

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security , and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity .

For more information on the vulnerabilities and detailed mitigation
instructions, please see Siemens security advisory SSA-978220

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-03)

Siemens SIMATIC CP 1543-1

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC CP 1543-1
  o Vulnerabilities: Improper Access Control, Loop with Unreachable Exit
    Condition

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow for remote code
execution and information disclosure without authentication, or unauthenticated
denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SIMATIC CP 1543-1, including SIPLUS NET
variants, are affected:

  o All versions starting at 2.0 and prior to 2.2

3.2 VULNERABILITY OVERVIEW

3.2.1 I MPROPER ACCESS CONTROL CWE-284

An arbitrary file copy vulnerability in mod_copy of the embedded FTP server
allows for remote code execution and information disclosure without
authentication.

CVE-2019-12815 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.2 LOOP WITH UNREACHABLE EXIT CONDITION CWE-835

Incorrect handling of overly long commands in the embedded FTP server allow an
attacker to cause a denial-of-service condition by entering an infinite loop.

CVE-2019-18217 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture,
    Healthcare and Public Health, Transportation Systems, and Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

The latest update for SIMATIC CP 1543-1 contains fixes for the vulnerabilities
within its embedded ProFTPD FPT server. Siemens recommends updating SIMATIC CP
1543-1 modules to Version 2.2

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Disable the embedded FTP server. The server is deactivated in the default
    configuration.
  o Limit access to Port 21/TCP to trusted IP addresses.

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security , and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity .
For more information on the vulnerabilities and detailed mitigation
instructions, please see Siemens security advisory SSA-940889

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ---------------------------------------------------------------------------------

ICS Advisory (ICSA-20-042-04)

Siemens PROFINET-IO Stack

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: Siemens PROFINET-IO Stack
  o Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a denial-of-service
condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Products that include the Siemens PROFINET-IO (PNIO) stack in versions prior to
v06.00 are affected. Additionally, Siemens recommends other vendors of PROFINET
devices check their products for vulnerable versions of the Siemens PNIO stack
as part of the Siemens Development/Evaluation Kits.

  o Development/Evaluation Kits for PROFINET IO:
       DK Standard Ethernet Controller: all versions
       EK-ERTEC 200: all versions prior to 4.5
       EK-ERTEC 200P: all versions prior to 4.6
  o PROFINET Driver for Controller: all version prior to 2.1
  o RUGGEDCOM RM1224: all versions prior to 4.3
  o SCALANCE M-800 / S615: all versions prior to 4.3
  o SCALANCE W700 IEEE 802.11n: all versions prior to 6.0.1
  o SCALANCE X-200 switch family (incl. SIPLUS NET variants): all versions
  o SCALANCE X-200IRT switch family (incl. SIPLUS NET variants): all versions
    prior to 5.3
  o SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants): all
    versions
  o SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG: all versions prior
    to 3.0
  o SCALANCE XM-400 switch family: all versions prior to 6.0
  o SCALANCE XR-500 switch family: all versions prior to 6.0
  o SIMATIC CP 1616 and CP 1604: all versions prior to 2.8
  o SIMATIC CP 343-1 (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 343-1 ERPC: all versions
  o SIMATIC CP 343-1 LEAN (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 443-1 (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variants): all versions
  o SIMATIC CP 443-1 OPC UA: all versions
  o SIMATIC ET200AL IM 157-1 PN: all versions
  o SIMATIC ET200M IM153-4 PN IO HF (incl. SIPLUS variants): all versions
  o SIMATIC ET200M IM153-4 PN IO ST (incl. SIPLUS variants): all versions
  o SIMATIC ET200MP IM155-5 PN HF (incl. SIPLUS variants): all versions prior
    to 4.2.0
  o SIMATIC ET200MP IM155-5 PN ST (incl. SIPLUS variants): all versions prior
    to 4.1.0
  o SIMATIC ET200S (incl. SIPLUS variants): all versions
  o SIMATIC ET200SP IM155-6 PN Basic (incl. SIPLUS variants): all versions
  o SIMATIC ET200SP IM155-6 PN HF (incl. SIPLUS variants): all versions prior
    to 3.3.1
  o SIMATIC ET200SP IM155-6 PN ST (incl. SIPLUS variants): all versions prior
    to 4.1.0
  o SIMATIC ET200ecoPN (except 6ES7148-6JD00-0AB0 and 6ES7146-6FF00-0AB0): all
    versions
  o SIMATIC ET200pro, IM 154-3 PN HF: all versions
  o SIMATIC ET200pro, IM 154-4 PN HF: all versions
  o SIMATIC IPC Support, Package for VxWorks: all versions
  o SIMATIC MV400 family: all versions
  o SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0 (incl. SIPLUS NET variant): all
    versions
  o SIMATIC RF180C: all versions
  o SIMATIC RF182C: all versions
  o SIMATIC RF600 family: all versions prior to 3
  o SINAMICS DCP: all versions prior to 1.3

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Profinet-IO (PNIO) stack versions prior v06.00 do not properly limit internal
resource allocation when multiple legitimate diagnostic package requests are
sent to the DCE-RPC interface. This could lead to a denial-of-service condition
due to lack of memory for devices that include a vulnerable version of the
stack.

CVE-2019-13946 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Yuval Ardon and Matan Dobrushin of OTORIO reported this vulnerability to CISA
and Siemens.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends users
update to the new version. Siemens is preparing further updates and recommends
specific countermeasures until patches are available.

  o Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200: Update to v4.5
    Patch 01
  o Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P: Update to v4.6
  o PROFINET Driver for Controller: Update to v2.1 Patch 03
  o SCALANCE M-800 / S615: Update to v6.1.2
  o SCALANCE W700 IEEE 802.11n: Update to v6.4
  o SCALANCE X-200IRT switch family: Update to v5.4.2
  o SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG: Update to v4.1
  o SCALANCE XM-400 switch family: Update to v6.2.3
  o SCALANCE XR-500 switch family: Update to v6.2.3
  o SIMATIC CP 1616 and CP 1604: Update to v2.8.1
  o SIMATIC ET200MP IM155-5 PN HF: Update to v4.2.0
  o SIMATIC ET200MP IM155-5 PN ST: Update to v4.1.0
  o SIMATIC ET200SP IM155-6 PN HF: Update to v4.2.2
  o SIMATIC ET200SP IM155-6 PN ST: pdate to v4.1.0
  o SIMATIC RF600 family: Update to v3.2.1
  o SINAMICS DCP: Update to v1.3

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o If possible, disable PROFINET
  o SCALANCE M-800 / S615 and RUGGEDCOM RM1224: Create a firewall rule that
    blocks the PROFINET Context Manager port (34964/UDP).

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security , and follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information on the vulnerability and more detailed mitigation
instructions, please see Siemens security advisory SSA-780073

For more information on this vulnerability see also ICS Advisory ICSA-19-353-01
Moxa EDS Ethernet Switches .

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- -------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-05)

Siemens SIMATIC S7

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 5.3
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC S7
  o Vulnerability: Uncontrolled Resource Consumption (Resource Exhaustion)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow remote attackers to
perform a denial-of-service attack by sending a specially crafted HTTP request
to the web server of an affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SIMATIC S7 devices are affected:

  o SIMATIC S7-1200 CPU family (incl. SIPLUS variants) all versions prior to
    v4.1
  o SIMATIC S7-300 PN/DP CPU family (incl. related ET200 CPUs and SIPLUS
    variants) all versions
  o SIMATIC S7-400 PN/DP v6 and below CPU family (incl. SIPLUS variants) all
    versions
  o SIMATIC S7-400 PN/DP v7 CPU family (incl. SIPLUS variants) all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION ('RESOURCE EXHAUSTION') CWE-400

Affected devices contain a vulnerability that could cause a denial-of-service
condition of the web server by sending specially crafted HTTP requests to Ports
80/TCP and 443/TCP.

CVE-2019-13940 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/
I:N/A:L ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy,
    Food and Agriculture, Water and Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

China Industrial Control Systems Cyber Emergency Response Team (CIC) reported
this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Restrict access to the device to the internal or VPN network. Further, if
    possible, restrict access to the web server (80/TCP, 443/TCP) to trusted IP
    addresses.
  o If possible, disable the integrated web server. The web server is disabled
    in the default settings and its use is optional.
  o For SIMATIC S7-1200 CPU family (including SIPLUS variants) Siemens
    recommends affected users update to v4.1 or any later version.

For more information on this vulnerability and associated software updates,
please see Siemens security advisory SSA-431678

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-06)

Siemens SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIMATIC PCS 7, SIMATIC WinCC, SIMATIC NET PC
  o Vulnerability: Incorrect Calculation of Buffer Size

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with
network access to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SIMATIC software are affected:

  o OpenPCS 7 v8.1 all versions
  o OpenPCS 7 v8.2 all versions
  o OpenPCS 7 v9.0 all versions
  o SIMATIC BATCH v8.1 all versions
  o SIMATIC BATCH v8.2 all versions
  o SIMATIC BATCH v9.0 all versions
  o SIMATIC NET PC Software all versions
  o SIMATIC PCS 7 v8.1 all versions
  o SIMATIC PCS 7 v8.2 all versions
  o SIMATIC PCS 7 v9.0 all versions
  o SIMATIC Route Control v8.1 all versions
  o SIMATIC Route Control v8.2 all versions
  o SIMATIC Route Control v9.0 all versions
  o SIMATIC WinCC (TIA Portal) v13 all versions prior to v13 SP2
  o SIMATIC WinCC (TIA Portal) v14.0.1 all versions
  o SIMATIC WinCC (TIA Portal) v15.1 all versions
  o SIMATIC WinCC (TIA Portal) v16 all versions
  o SIMATIC WinCC v7.3 all versions
  o SIMATIC WinCC v7.4 all versions
  o SIMATIC WinCC v7.5 all versions prior to v7.5.1 Upd1

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT CALCULATION OF BUFFER SIZE CWE-131

Through specially crafted messages, when encrypted communication is enabled, an
attacker with network access could compromise the availability of the system by
causing a denial-of-service condition.

CVE-2019-19282 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/
I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy,
    Food and Agriculture, Water and Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nicholas Miles from Tenable reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations:

  o Apply cell protection concept
  o Use VPN for protecting network communication between cells
  o Apply Defense-in-Depth

For SIMATIC WinCC (TIA Portal) v13, Siemens recommends affected users update to
v13 SP2 or higher .
For SIMATIC WinCC v7.5, Siemens recommends affected users update to v7.5.1 Upd1
or higher .
For more information on this vulnerability and associated software updates,
please see Siemens security advisory SSA-270778

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ---------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-07)

Siemens SCALANCE X Switches

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 4.2
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SCALANCE X switches
  o Vulnerability: Protection Mechanism Failure

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to
perform administrative actions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SCALANCE X Switches, used to connect industrial
components, are affected:

  o SCALANCE X-200 switch family (including SIPLUS NET variants): All versions
    prior to Version 5.2.4
  o SCALANCE X-200IRT switch family (including SIPLUS NET variants): All
    versions
  o SCALANCE X-300 switch family (including X408 and SIPLUS NET variants): All
    versions prior to Version 4.1.3

3.2 VULNERABILITY OVERVIEW

3.2.1 PROTECTION MECHANISM FAILURE CWE-693

The device does not send the X-Frame-Option header in the administrative web
interface, which makes it vulnerable to click-jacking attacks.

CVE-2019-13924 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:R/S:U/
C:N/I:L/A:L ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o C OUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released updates, which are recommended to be applied when
possible:

  o SCALANCE X-200 switch family (including SIPLUS NET variants): Version 5.2.4
  o SCALANCE X-300 switch family (including X408 and SIRPLUS NET variants):
    Version 4.1.3

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Only access links from trusted sources in the browser you use to configure
    the SCALANCE X switches.

As a general security measure, Siemens strongly recommends users protect
network access to devices with appropriate mechanisms. In order to operate the
devices in a protected IT environment, Siemens recommends users configure the
environment according to Siemens' operational guidelines for Industrial
Security , and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information see Siemens security advisory SSA-951513

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-08)

Siemens SIPORT MP

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 6.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: SIPORT MP
  o Vulnerability: Insufficient logging

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow the attacker to
create special accounts with administrative privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

  o SIPORT MP: All versions prior to 3.1.4 are affected

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT LOGGING CWE-778

Vulnerable versions of the device allow the creation of special accounts
(service users) with administrative privileges that could enable a remote
authenticated attacker to perform actions that are not visible to other users
of the system, such as granting persons access to a secured area.

CVE-2019-19277 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:H/UI:N/S:U/C:H/
I:H/A:N ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Government
    Facilities
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens recommends users to update to Version 3.1.4 (login required).
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o For SIPORT MP Versions 3.0.x, apply the latest hotfix for Version 3.0.3
  o For SIPORT MP Versions 2.2 and later, apply the SIPORT_CleanUsers tool .

As a general security measure Siemens strongly recommends users protect network
access to affected products with appropriate mechanisms. It is advised to
follow recommended security practices in order to run the devices in a
protected IT environment.

Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For more information see the Siemens security advisory .

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ------------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-09)

Siemens OZW Web Server

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 5.3
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Siemens
  o Equipment: OZW web server
  o Vulnerability: Information disclosure

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow unauthenticated users
to access project files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of OZW web server are affected:

  o OZW672 and OZW772: All versions prior to 10.0

3.2 VULNERABILITY OVERVIEW

3.2.1 INFORMATION DISCLOSURE CWE-552

Vulnerable versions of OZW web server use predictable path names for project
files that legitimately authenticated users have created by using the
application's export function. By accessing a specific uniform resource locator
on the web server, a remote attacker could be able to download a project file
without prior authentication.

CVE-2019-13941 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS : Commercial Facilities, Government
    Facilities
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Maxim Rupp reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends users to update OZW672 and OZW772 to version 10.0
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o Configure the product according to the OZW hardening guidelines .
  o Restrict access to the device to the internal or VPN network. Further, if
    possible, restrict access to the OZW Web Server to trusted IP addresses.

As a general security measure Siemens strongly recommends users protect network
access to affected products with appropriate mechanisms. It is advised to
follow recommended security practices in order to run the devices in a
protected IT environment.

For more information refer to SSA-986695 .

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- ----------------------------------------------------------------------------
ICS Advisory (ICSA-20-042-10)

Siemens SCALANCE S-600

Original release date: February 11, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely
  o Vendor: Siemens
  o Equipment: SCALANCE S-600 Firewall
  o Vulnerabilities: Resource Exhaustion, Cross-site Scripting

2. RISK EVALUATION

These vulnerabilities could allow a remote attacker to conduct
denial-of-service or cross-site scripting attacks. User interaction is required
for a successful exploitation of the cross-site-scripting attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SCALANCE S-600, are affected:

  o SCALANCE S602, all versions v3.0 or higher
  o SCALANCE S612, all versions v3.0 or higher
  o SCALANCE S623, all versions v3.0 or higher
  o SCALANCE S627-2M, all versions v3.0 or higher

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-80

The integrated configuration web server of the affected devices could allow
cross-site scripting (XSS) attacks if unsuspecting users are tricked into
accessing a malicious link.

CVE-2019-6585 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:R/S:C/
C:L/I:L/A:N ).

3.2.2 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Specially crafted packets sent to Port 443/TCP of affected devices could cause
a denial-of-service condition of the web server.

CVE-2019-13925 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Specially crafted packets sent to Port 443/TCP of affected devices could cause
a denial-of-service condition of the web server. A cold reboot is required to
restore the functionality of the device.

CVE-2019-13926 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Information Technology
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Melih Berk Eksioglu reported some of these vulnerabilities to Siemens.

4. MITIGATIONS

For SCALANCE S602 v3.0, Siemens recommends only accessing links from trusted
sources in the browser you use to access the SCALANCE S administration website.

For SCALANCE S612, all versions v3.0 or higher, SCALANCE S623, all versions
v3.0 or higher, and SCALANCE S627-2M, all versions v3.0 or higher, Siemens
recommends migrating to SCALANCE SC-600 Industrial Security Appliances.

For more information on these vulnerabilities and associated software updates,
please see Siemens security advisory SSA-591405

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should take the
following measures to protect themselves from social engineering attacks:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXkOI2maOgq3Tt24GAQiXERAAou/sxotdtbZA//bQ1gaKBEdkZpXcTDzq
0xuOGNOU/VbEOEh/NNCCVTuYf9UbwTEowxk0f33VbCbnhkgLSB9gFrktzK7yVqVR
OzWfJ3Y/xq6Otapto9IErX5NKZWlosqwRIV2YbPqA29vfjqEv6nO3oJiCXScRp8F
OvkInrBMgAmy6p44+cIBzMoKc7nVbsePDh0ZgyYDdeRbcceo8mhypvzkKKxcfK1Y
WrTULlfn4zC6prav6zm4B1kxiKAZeH2qJqi2H4MyhdtGcqihZnF/8WGo7+XgO5te
yKOyhubBDP7Y4KjUQ0fVyKibnFhecjSRxNJULQPpQvku89ai63JUGiOJNmWYEwBi
1/8zPM1ivk/NHMMtrxZ8tN12nwopvjQ0E+ofmLuV8nouiW49SOMhGvGHBFGTdjaR
uhH7HVQ5TPCFveMhxx3YKAkXDOWDYA4F0MerfeMueRaNEO6puRoLcPnPBZHKFiBY
lbE7cbL3kII+NH7inEy7teCAzaXpr0ESwDSu7028qMV5hnfWRj36cQVE2ipY9bwE
kz2TbU8hfE7+atVScK1TCqMO+ygip+ndV/KOnWIB0jNh5lfhvh1Lhg7uT0q2d1TK
3Rzo+ie9GfXrUn8Ny7oDXekJeQ5+PeiU0BFmW8sYcz2/Vd76MUZToYDl6iBqx66l
JhCN7SyX/gU=
=huuC
-----END PGP SIGNATURE-----