MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-111

DATE(S) ISSUED:
07/25/2016

SUBJECT:
Multiple Vulnerabilities in Siemens Products Could Allow For Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Siemens SIMATIC WinCC and PCS software, which could allow for remote code execution. PCS is a distributed control system (DCS) integrating SIMATIC WinCC. SIMATIC WinCC is a SCADA system that is used to monitor and control physical processes involved in industry and infrastructure. This software is used in many industries, including food and beverage, water and wastewater, oil and gas, and chemical. Successful exploitation of these vulnerabilities could allow a remote attacker to execute code to take control of the system.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7)
‧ V7.1 SP4 and earlier versions
‧ V8.0: All versions
‧ V8.1: All versions
‧ V8.2: All versions

SIMATIC WinCC
‧ V7.0 SP 2 and earlier versions
‧ V7.0 SP 3: All versions
‧ V7.2: All versions
‧ V7.3: All versions < 7.3 Update 10
‧ V7.4: All versions < 7.4 Update 1

SIMATIC WinCC Runtime Professional: All versions < V13 SP 1 Update 9

RISK:

Government:

· Large and medium government entities: High

· Small government entities: High

Businesses:

· Large and medium business entities: High

· Small business entities: High

Home users: N/A

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in SIMATIC WinCC and PCS software. Details of these vulnerabilities are as follows:

  • A vulnerability in SIMATIC WinCC or WinCC Runtime Professional could allow unauthenticated users to remotely execute code by sending specially crafted packets. (CVE-2016-5743)
  • An arbitrary file read vulnerability in SIMATIC WinCC could allow unauthenticated users to extract arbitrary files from a WinCC station by sending specially crafted packets. (CVE-2016-5744)

Successful exploitation of these vulnerabilities could allow a remote attacker to execute code to take control of the system.

RECOMMENDATIONS: