[Control systems] Siemens security advisory (AV26-566)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Siemens Industrial Products (AV26-566)
## CVE Details
*Note: This advisory covers multiple CVEs across different product lines.*
- **CVE-ID:** CVE-2024-27348 (example from SINEC INS), CVE-2024-4713 (example from WinCC), and further CVEs, including upstream OpenSSL issues.
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** CWE-120 (Classic Buffer Overflow), CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-522 (Insufficiently Protected Credentials)
## Affected Systems
- **SINEC INS:** Versions prior to V1.0 SP2 Update 6
- **SIPROTEC 5 devices (CP100 / CP150 / CP200 / CP300):** All versions
- **SIPROTEC 5 Compact 7SX800 (CP050):** All versions
- **TIA Portal:** All versions
- **WinCC Certificate Manager:** Multiple versions
- **Various Siemens Products:** Products that bundle the affected OpenSSL libraries.
## Vulnerability Description
This advisory addresses several distinct security flaws across the Siemens portfolio:
1. **Unrestricted File Upload (SIPROTEC 5):** A flaw in the DIGSI5 protocol handling allows unauthorized file uploads to the device, potentially leading to arbitrary code execution or disruption of the protection function.
2. **OpenSSL Buffer Overflow:** Multiple Siemens products are impacted by upstream OpenSSL vulnerabilities that could lead to Denial of Service (DoS) or remote code execution.
3. **Key Material Exposure (WinCC):** Insufficient protection of cryptographic keys within the WinCC Certificate Manager could allow an attacker to compromise secure communications.
4. **SINEC INS Flaws:** Multiple vulnerabilities in the network infrastructure software that could allow administrative bypass or compromise of the system.
## Exploitation
- **Status:** Not currently reported as exploited in the wild.
- **Complexity:** Low to Medium (depending on the specific CVE).
- **Attack Vector:** Network (Primary vector for DIGSI5 and SINEC INS vulnerabilities).
## Impact
- **Confidentiality:** High (Potential theft of cryptographic keys and system configuration).
- **Integrity:** High (Unauthorized file uploads and system modification).
- **Availability:** High (Potential for Denial of Service on critical industrial control systems).
## Remediation
### Patches
- **SINEC INS:** Update to V1.0 SP2 Update 6 or later.
- **Other Products:** Siemens is releasing updates incrementally. Users are advised to check the Siemens ProductCERT portal for specific firmware updates for SIPROTEC 5 and TIA Portal.
### Workarounds
- **Network Segmentation:** Isolate industrial networks from the corporate network and the internet.
- **Protocol Filtering:** Restrict access to the DIGSI5 protocol (TCP/103) to authorized engineering workstations only.
- **Access Control:** Implement strong authentication and limit physical access to control hardware.
## Detection
- **Indicators of Compromise:** Unusual file upload activities to SIPROTEC 5 devices; unexpected service restarts; unauthorized attempts to access WinCC key stores.
- **Detection methods and tools:** Monitor network traffic for anomalies on industrial protocols; utilize Siemens-specific IDS signatures where available.
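The protocol-filtering workaround and the detection guidance above share one check: DIGSI5 (TCP/103) sessions to SIPROTEC 5 devices should originate only from the engineering-workstation allowlist, and unusually large client-to-device transfers deserve a look. The script below is an added illustration, not part of the advisory or a Siemens tool; the IP plan, the Zeek-conn.log-like tab layout and the 512 KiB threshold are constructed assumptions.

```python
# Added example (not from the advisory): flag DIGSI5 (TCP/103) sessions to
# SIPROTEC 5 devices from hosts outside the engineering-workstation allowlist,
# plus unusually large client->device transfers. IPs, the Zeek-conn.log-like
# tab layout and the 512 KiB threshold are constructed assumptions.
from ipaddress import ip_address, ip_network

DIGSI5_PORT = 103                     # TCP/103, the port named in the workaround
UPLOAD_BYTES_THRESHOLD = 512 * 1024   # assumed: larger uploads are worth a look

# Assumed network plan for the example.
ENGINEERING_WORKSTATIONS = [ip_network("10.10.20.0/28")]
SIPROTEC5_DEVICES = {ip_address("10.10.30.11"), ip_address("10.10.30.12")}

def parse_conn_line(line):
    """Constructed layout: ts, src_ip, src_port, dst_ip, dst_port, proto, orig_bytes."""
    ts, src, _sport, dst, dport, proto, orig_bytes = line.rstrip("\n").split("\t")
    return ts, ip_address(src), ip_address(dst), int(dport), proto, int(orig_bytes)

def is_engineering_host(addr):
    return any(addr in net for net in ENGINEERING_WORKSTATIONS)

def detect_digsi5_anomalies(lines):
    """Return (ts, src, dst, reason) tuples for DIGSI5 sessions that break policy."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, orig_bytes = parse_conn_line(line)
        # Only TCP/103 sessions to known protection devices are in scope.
        if proto != "tcp" or dport != DIGSI5_PORT or dst not in SIPROTEC5_DEVICES:
            continue
        if not is_engineering_host(src):
            findings.append((ts, str(src), str(dst), "DIGSI5 session from non-engineering host"))
        if orig_bytes > UPLOAD_BYTES_THRESHOLD:
            findings.append((ts, str(src), str(dst), f"large client->device transfer ({orig_bytes} bytes)"))
    return findings

# Constructed sample records, not real traffic.
SAMPLE_CONN_LOG = [
    "#ts\tsrc\tsport\tdst\tdport\tproto\torig_bytes",
    "2026-01-05T09:00:01Z\t10.10.20.5\t50211\t10.10.30.11\t103\ttcp\t18432",
    "2026-01-05T09:02:17Z\t10.10.20.5\t50212\t10.10.30.11\t103\ttcp\t2097152",
    "2026-01-05T09:05:40Z\t10.10.50.77\t41000\t10.10.30.12\t103\ttcp\t4096",
    "2026-01-05T09:06:02Z\t10.10.50.77\t41001\t10.10.30.12\t102\ttcp\t4096",
]

if __name__ == "__main__":
    for ts, src, dst, reason in detect_digsi5_anomalies(SAMPLE_CONN_LOG):
        print(f"{ts} {src} -> {dst}: {reason}")
```

Feeding it real connection records means adapting `parse_conn_line` to the sensor's field order; the allowlist and device set would come from the site's asset inventory rather than being hard-coded.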
## References
- **Siemens ProductCERT:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-860189[.]html
- **Siemens ProductCERT:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-434797[.]html
- **Siemens ProductCERT:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-139483[.]html
- **Siemens ProductCERT:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-063511[.]html
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-siemens-security-advisory-av26-566