ICS-CERT: Siemens Simatic Step 7 DLL Vulnerability

Wednesday, July 25, 2012

Infosec Island Admin

7fef78c47060974e0b8392e305f0daf0

Siemens self-reported a DLL hijacking vulnerability in SIMATIC STEP 7 and SIMATIC PCS 7 software. Previous versions of SIMATIC STEP 7 and PCS 7 allowed the loading of malicious DLL files into the STEP 7 project folder that can be used to attack the system on which STEP 7 is installed.

This vulnerability can be remotely exploited and public exploits are known to target this vulnerability. Siemens has produced a patch that resolves this vulnerability.

Note: This advisory together with advisory “ICSA-12-205-01 Siemens WinCC Insecure SQL Authentication" describes steps taken by Siemens in 2010 and 2011 to address vulnerabilities first discovered in 2010. The vulnerability described in this advisory was addressed by a Siemens software update in 2011.

The following Siemens products and versions are affected:

• SIMATIC STEP 7 versions prior to V5.5 Service Pack 1 (5.5.1 equivalent), and
• SIMATIC PCS 7 versions before and including V7.1 SP3

IMPACT

An attacker can execute arbitrary code by exploiting this vulnerability.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

Siemens SIMATIC STEP 7 and PCS 7 software is used to configure and manage Siemens SIMATIC S7 PLCs. Siemens SIMATIC S7 PLCs are used in a variety of industrial applications worldwide, including energy, water and wastewater, oil and gas, chemical, building automation, and manufacturing.

VULNERABILITY OVERVIEW

DLL LOADING MECHANISM VULNERABILTY:  SIMATIC STEP 7 supports the loading of DLL files in STEP 7 project folders, which can be used within an attack against systems where STEP 7 is installed. An attacker can place arbitrary library files into STEP 7 project folders that will be loaded on STEP 7 startup without validation. The code will be executed with the permissions of the STEP 7 application. CVE-2012-3015 has been assigned to this vulnerability. A CVSS v2 base score of 6.9 has been assigned; the CVSS vector string is (AV:L/AC:M/Au:N/C:C/I:C/A:C).

EXPLOITABILITY:  This vulnerability can be remotely exploited.

EXISTENCE OF EXPLOIT:  Public exploits are known to target this vulnerability.

DIFFICULTY:  An attacker with a medium skill level would be able to exploit these vulnerabilities.

MITIGATION

Siemens has provided the STEP 7 software update V5.5 SP1 (equivalent to V5.5.1) that resolves the vulnerability, but recommends that the latest Service Pack, V5.5 SP2, be installed as soon as possible. SIMATIC PCS 7 users should also apply this update.

The updates implement a mechanism that rejects DLLs in the STEP 7 project folders, which contain executable code, thus preventing unintended execution of unchecked code. For further information please review the Siemens Security Advisory (SSA-027884) that can be found at the Siemens ProductCERT Web site.

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-205-02.pdf

Possibly Related Articles:
9757
SCADA
Industrial Control Systems
SCADA Exploits Siemens ICS-CERT Industrial Control Systems vulnerability DLL Hijack Simatic Step 7
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.