Siemens SIMATIC NET PC-Software Denial-of-Service Vulnerability
ICSA： ICS Advisory (ICSA-16-208-02)
Siemens has identified a denial-of-service vulnerability in SIMATIC NET PC-Software. Vladimir Dashchenko and Sergey Temnikov from Kaspersky Labs reported this issue directly to Siemens. Siemens has produced a new version to mitigate this vulnerability.
This vulnerability could be exploited remotely.
Siemens reports that the vulnerability affects the following SIMATIC products:
- SIMATIC NET PC-Software: All versions prior to V13 SP2
A successful exploit of this vulnerability could cause a denial-of-service condition that would require a manual restart to recover.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Siemens is a multinational company headquartered in Munich, Germany.
The affected product, the Siemens SIMATIC NET PC-Software, is designed for communication between controllers (PLCs) and PC-based solutions (HMIs). According to Siemens, the SIMATIC NET PC-Software is deployed across several sectors including Chemical, Critical Manufacturing, and Food and Agriculture. Siemens estimates that this product is used worldwide.
Specially crafted packets sent to several ports (Port 55101/TCP through Port 55105/TCP, Port 4845/TCP, and Port 4847/TCP through Port 4850/TCP) could cause a denial-of-service of the OPC-Unified Architecture (UA) service. A manual restart of the service is required to recover the system.
This vulnerability could be exploited remotely.
EXISTENCE OF EXPLOIT
No known public exploits specifically target this vulnerability.
An attacker with a low skill would be able to exploit this vulnerability.
Siemens provides SIMATIC NET PC-Software V13 SP2, which fixes the vulnerability, and recommends users upgrade to the new version. SIMATIC NET PC-Software V13 SP2 can be obtained by contacting your local Siemens representative or customer support.
If OPC-UA is not required, Siemens recommends deactivating these in the communication settings according to the information in the respective product manual.
As a general security measure, Siemens strongly recommends protecting network access to SIMATIC NET PC-Software services with appropriate mechanisms. It is advised to configure the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment.
For more information on this vulnerability and detailed instructions, please see Siemens Security Advisory SSA-453276 at the following location:
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
- Monitor traffic to Port 55101/TCP through Port 55105/TCP, Port 4845/TCP, and Port 4847/TCP through Port 4850/TCP on the affected devices. Restrict access if not needed.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
- a. CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion'), http://cwe.mitre.org/data/definitions/400.html, web site last accessed July 26, 2016.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5874, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.
- c. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, web site last accessed July 26, 2016.