Siemens SIMATIC HMI Authentication Vulnerabilities
December 22, 2011
Independent security researchers Billy Rios and Terry
McCorkle have issued a public report concerning
authentication bypass vulnerabilities affecting Siemens
SIMATIC HMI products, which are supervisory control and data
acquisition/human-machine interface (SCADA/HMI) products.
According to this report, systems running affected versions
of this product are accessible using a default username and
password. These systems also generate an insecure
authentication token for browser sessions. Prior to public
disclosure, the researchers notified ICS-CERT of the
vulnerabilities. ICS-CERT is continuing to coordinate
mitigations with the researchers and Siemens.
The authentication token/cookie values set when a user
(administrator) logs in are predictable when non-encrypted HTTP
communication is used. This can allow an attacker to
bypass authentication checks and escalate privileges.
There is a default administrator password, which is weak and
easily brute-forced or guessed. Siemens has changed the
documentation to encourage the user to change the password
upon first login.
Successful exploitation of these vulnerabilities could allow
a hacker to log into a vulnerable system as a user or
administrator.
Affected products include:
- SmartAccess option package for SIMATIC WinCC flexible RT 2004, 2005, 2005 SP1, 2007, 2008, 2008 SP1, and 2008 SP2
- SIMATIC WinCC Runtime Advanced V11, V11 SP1, and V11 SP2
- Multiple SIMATIC Panels (TP, OP, MP, Mobile, Comfort)
Siemens was previously aware of these vulnerabilities and
intends to address them in Service Packs to be released in
January 2012. Siemens has also updated its product
documentation with instructions for configuring a strong
password and removing default passwords during initial
setup.
The authentication token generation vulnerability will be
addressed by Siemens in its “SIMATIC WinCC V11.0 SP 2 Update
1,” which is to be released on January 13, 2012 or “SIMATIC
WinCC flexible 2008 SP3” which is to be released on January
18, 2012.
SCADAhacker comment:
This information was also critical in the recently announced
breach of a water utility in South Houston, TX by a person
known as "pr0fs". It is believed that the passwords
disclosed in the report by Rios and McCorkle were also used
by pr0fs when he disclosed information on the vulnerable
sites that he was able to penetrate and obtain screen
captures from.
Billy Rios and Terry McCorkle presented at DerbyCon 2011 a
session entitled "100 Bugs in 100 Days: An Analysis of ICS
(SCADA) Software". You can view the presentation by
clicking here.