Full Report
US ICS-CERT has published an advisory on fixes for a vulnerability in Siemens industrial products using the Discovery Service of the OPC UA protocol stack.
Analysis Summary
# Vulnerability: XXE in Siemens OPC UA Stack Discovery Service
## CVE Details
- **CVE ID:** CVE-2017-12741
- **CVSS Score:** 4.3 (Medium)
- **CWE:** CWE-611 (Improper Restriction of XML External Entity Reference)
## Affected Systems
- **Products:** Various Siemens industrial products utilizing the OPC UA (Open Platform Communications Unified Architecture) stack.
- **Versions:**
  - SIMATIC S7-1500 (All versions prior to v2.1)
  - SIMATIC S7-1200 (All versions prior to v4.2.1)
  - SIMATIC S7-1500 Software Controller (All versions prior to v2.1)
  - SIMATIC WinCC Runtime Advanced (All versions prior to v14 SP1)
  - SINUMERIK 840D sl (Versions depending on the underlying PLC)
- **Configurations:** Systems where the OPC UA Discovery Service is enabled and reachable over the network.
## Vulnerability Description
The vulnerability is an XML External Entity (XXE) flaw located within the Discovery Service of the OPC UA protocol stack used by Siemens. The stack's XML parser does not properly filter or restrict external entity references, so a specially crafted XML request sent to the Discovery Service causes the parser to resolve attacker-supplied entity declarations.
## Exploitation
- **Status:** Not reported as exploited in the wild at the time of disclosure; PoC exists internally for research.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low (Potential for Information Disclosure/Server-Side Request Forgery)
- **Integrity:** None
- **Availability:** Low (Potential for Denial of Service through resource exhaustion)
## Remediation
### Patches
Siemens released firmware and software updates to address the underlying stack vulnerability:
- **SIMATIC S7-1500:** Upgrade to v2.1 or later.
- **SIMATIC S7-1200:** Upgrade to v4.2.1 or later.
- **SIMATIC WinCC Runtime Advanced:** Upgrade to v14 SP1 or later.
- **SIMATIC S7-1500 Software Controller:** Upgrade to v2.1 or later.
### Workarounds
- **Disable Unneeded Services:** If the OPC UA Discovery Service is not required for operations, disable it to close the attack vector.
- **Network Segmentation:** Restrict access to the OPC UA ports (typically TCP/4840) to trusted IP addresses and authorized management consoles only.
- **Firewall Filtering:** Use deep packet inspection (DPI) capable industrial firewalls to monitor and filter OPC UA traffic.
## Detection
- **Indicators of Compromise:** Unusual outbound requests from the PLC/HMI (potential SSRF), or spikes in CPU usage related to the OPC UA service.
- **Detection methods and tools:** Monitoring of network traffic for malformed XML payloads directed at the OPC UA Discovery Service.
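As an added example (not Siemens' code or the OPC UA stack's own parser), the two defender-side pieces this advisory points at: a classifier for captured XML that flags DOCTYPE, external-entity (SYSTEM/PUBLIC) and entity-expansion patterns, and a hardened parse that refuses any DOCTYPE so the CWE-611 condition cannot arise. The XML samples are constructed stand-ins; the FindServers-style document is simplified and is not the real OPC UA schema.

```python
# Added example (not Siemens' or the OPC UA stack's code): defender-side
# checks for XML reaching an OPC UA Discovery endpoint. Samples are constructed.
import re
import xml.parsers.expat

# Prolog patterns: any DOCTYPE (a discovery request never needs one),
# external general/parameter entities, and the raw count of entity declarations.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def classify_xml_payload(payload: bytes, max_entities: int = 8) -> str:
    """Classify a captured XML payload for monitoring (CWE-611 focus).

    Returns 'external_entity', 'entity_expansion', 'doctype' or 'clean'.
    """
    if _EXTERNAL_ENTITY_RE.search(payload):
        return "external_entity"      # SYSTEM/PUBLIC: XXE / SSRF candidate
    if len(_ENTITY_RE.findall(payload)) > max_entities:
        return "entity_expansion"     # many internal entities: DoS candidate
    if _DOCTYPE_RE.search(payload):
        return "doctype"              # unexpected for discovery traffic
    return "clean"


class DoctypeRejected(ValueError):
    """Raised by the hardened parser when a DOCTYPE is encountered."""


def parse_strict(payload: bytes) -> list:
    """Hardened parse: reject any DOCTYPE (hence any entity declaration) and
    refuse external entity resolution. Returns the element names seen."""
    seen = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    # Returning 0 makes expat abort instead of fetching the external entity.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(payload, True)
    return seen


# Constructed samples: a simplified discovery-style request and a hostile one.
BENIGN = b'<?xml version="1.0"?><FindServers><EndpointUrl>opc.tcp://plc:4840</EndpointUrl></FindServers>'
HOSTILE = b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///constructed/path">]><r>&x;</r>'
```

Run `classify_xml_payload` over payloads captured on TCP/4840 (or the HTTPS/SOAP transport) to produce the "malformed XML" alert described above; `parse_strict` is the posture a patched parser should have.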
## References
- Siemens Security Advisory (SSA-273656): https://siemens.com/cert/advisories/
- US ICS-CERT Advisory (ICSA-17-222-05): https://www.cisa.gov/news-events/ics-advisories/icsa-17-222-05
- Kaspersky ICS CERT Analysis: https://ics-cert.kaspersky.com/publications/blog/2017/09/07/closing-an-xxe-vulnerability-in-siemens-industrial-solutions/