A Siemens SIMATIC conundrum: authentication bypass bungling
In yet another case of vendors gone wild, @XSSniper (Billy Rios) dropped an interesting post yesterday well worthy of ISC Diary reader scrutiny. Slashdot and Twitter are buzzing, and Johannes' ISC StormCast for today discusses the issue as well.
In case you missed it, in May 2011 Billy responsibly reported an authentication bypass flaw for Siemens SIMATIC systems. Long story short (read the article for yourself), said flaw could lead to gaining "remote access to a SIMATIC HMI which runs various control systems and critical infrastructure around the world." Yet, according to Siemens there are "no open issues regarding authentication bypass bugs."
Hmm...forgive me in advance for shamelessly repeating Billy's use of the classic yet irresistible pop culture reference, but this does indeed appear to be a case of "these aren't the vulns you're looking for."
On December 9th, ICS-CERT issued an alert warning control system owners and operators that SHODAN is being used to discover Internet-facing control systems. One need only execute the Shodan query mentioned in Billy's post to grasp the issue.
Control system owners might consider, as LostCluster commented on Slashdot, "losing the remote." Web access to control systems? As Forrest said, "I'm not a smart man," but if I've done my math correctly at least four of the SANS 20 Critical Security Controls should give pause regarding remote (web) access to control systems. Or is it five? :-)
For Siemens and other vendors, please remember that coordinated disclosure is a two-way process. Researcher finds bug, researcher reports bug, vendor acknowledges report, vendor takes some time to fix bug (yes, sometimes a long time), vendor releases fix, everyone is happy. Yet, as it seems in this case, recalling another pithy and apropos modern analogy, it appears that "what we've got here is a failure to communicate."
All humor and witty repartee aside, the implications are simple. Life and death potentially hang in the balance between coordinated disclosure and timely repair of control system vulnerabilities. And you can quote me on that.
What say you? Comments welcome.
UPDATE 12/22/11
From Siemens:
"Siemens was notified by IT experts (Billy Rios and Terry McCorke) about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort). We are aware of the reported vulnerabilities, first reported in May 2011. Our development team immediately took action and addressed these issues. The vulnerabilities will be fixed by security updates, the first of which is planned to be issued in January 2012. In December 2011 further vulnerabilities were reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities."
Firefox 9 Security Fixes
We had a "one liner" about the Firefox 9 update already. But I wanted to take a couple more lines to highlight some of the flaws fixed in Firefox 9, which I think belong in the "we told you so" category. By "we" I am not referring to the ISC, but to the large number of articles talking about HTML 5 security.
One problem that was pointed out by various people is the fact that the addition of the <video> and <audio> tags requires the inclusion of respective file format parsers in the browser. These parsers have been known in the past to be the source of various security issues. Some of the Firefox 9 fixes illustrate this problem:
MFSA 2011-58: Crash scaling <video> to extreme sizes (affects OGG-formatted videos)
MFSA 2011-56: nsSVGValue out-of-bounds access
These two vulnerabilities are rated as critical by Mozilla.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute