Siemens WinCC and SIMATIC HMI Panels < 11.0.2.1 Multiple Vulnerabilities

Critical | Nessus Network Monitor Plugin ID 720014

Synopsis

Siemens WinCC and SIMATIC HMI panels are affected by multiple vulnerabilities.

Description

Siemens WinCC and SIMATIC HMI Panels < 11.0.2.1 are affected by multiple vulnerabilities.

- A directory traversal vulnerability in miniweb.exe in the HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime allows remote attackers to read arbitrary files via a ..%5c (dot dot backslash) sequence in a URI. (CVE-2011-4508)
- The HMI web server in the affected products generates predictable authentication tokens for cookies, which makes it easier for remote attackers to bypass authentication via a crafted cookie. (CVE-2011-4509)
- The HMI web server in the affected products has an improperly selected default password for the administrator account, which makes it easier for remote attackers to obtain access via a brute-force approach involving many HTTP requests. (CVE-2011-4878)
- Cross-site scripting (XSS) vulnerabilities in the HMI web server in Siemens WinCC flexible allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. (CVE-2011-4510, CVE-2011-4511)
- A CRLF injection vulnerability in the affected products allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. (CVE-2011-4512)
- The HMI web server in affected products allows user-assisted remote attackers to execute arbitrary code via a crafted project file, related to the HMI web server and runtime loader. (CVE-2011-4513)
- The TELNET daemon in the affected products does not perform authentication, which makes it easier for remote attackers to obtain access via a TCP session. (CVE-2011-4514)
- A stack-based buffer overflow in HmiLoad in the runtime loader in the affected products, when Transfer Mode is enabled, allows remote attackers to execute arbitrary code via vectors related to Unicode strings. (CVE-2011-4875)
- A directory traversal vulnerability in HmiLoad in the runtime loader in the affected products, when Transfer Mode is enabled, allows remote attackers to execute, read, create, modify, or delete arbitrary files via a .. (dot dot) in a string. (CVE-2011-4876)
- HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to cause a denial of service (application crash) by sending crafted data over TCP. (CVE-2011-4877)
- miniweb.exe in the HMI web server in the affected products does not properly handle URIs beginning with a 0xfa character, which allows remote attackers to read data from arbitrary memory locations or cause a denial of service (application crash) via a crafted POST request. (CVE-2011-4879)
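Three of the HMI web server issues above are visible in the request target itself: the ..%5c traversal (and the equivalent dot-dot traversal in HmiLoad), CR/LF characters smuggled into a value, and a target whose first byte is 0xfa. The following is an added example of request-line triage for those patterns, written for this page and not part of the Nessus plugin or of any Siemens product; the sample requests are constructed for illustration and do not come from a real HMI. It percent-decodes the target twice so that double-encoded forms such as %255c collapse to the same backslash the server would eventually see.

```python
"""Triage raw HTTP requests for the HMI web server patterns listed above.

Added example for this page; not Tenable plugin logic and not Siemens code.
The SAMPLE_REQUESTS are constructed, not captured from a real device.
"""
import re
from urllib.parse import unquote_to_bytes

# '..' bounded by a slash or backslash (or start/end of the target) on either side.
# Both separators are checked because the traversal reports above use '..\\'
# (encoded as ..%5c) for miniweb.exe and plain '..' for HmiLoad.
TRAVERSAL_RE = re.compile(rb"(?:^|[\\/])\.\.(?:[\\/]|$)")


def decode_target(raw_target: bytes, rounds: int = 2) -> bytes:
    """Percent-decode up to `rounds` times, so ..%5c and ..%255c both become ..\\."""
    current = raw_target
    for _ in range(rounds):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify_request(raw_request: bytes) -> list[str]:
    """Return the findings for one raw HTTP request (empty list if clean)."""
    findings: list[str] = []
    request_line, _, _headers = raw_request.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return ["malformed-request-line"]
    target = parts[1]

    # Request target beginning with the 0xfa byte (the miniweb.exe memory-read/crash case).
    if target[:1] == b"\xfa":
        findings.append("uri-leading-0xfa")

    decoded = decode_target(target)

    # Dot-dot traversal with either separator, checked on the decoded target
    # including the query string, since the file resolution is what is at stake.
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")

    # Bare CR or LF after decoding: a server that echoes this into a header
    # turns it into HTTP response splitting.
    if b"\r" in decoded or b"\n" in decoded:
        findings.append("crlf-in-target")

    return findings


def scan(requests: list[bytes]) -> dict[int, list[str]]:
    """Map request index -> findings, keeping only requests that were flagged."""
    return {i: f for i, r in enumerate(requests) if (f := classify_request(r))}


# Constructed sample traffic (hostnames and paths are made up for the example).
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: hmi\r\n\r\n",
    b"GET /..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1\r\nHost: hmi\r\n\r\n",
    b"GET /%2e%2e%255c%2e%2e%255csystem.ini HTTP/1.1\r\nHost: hmi\r\n\r\n",
    b"POST \xfa HTTP/1.1\r\nHost: hmi\r\nContent-Length: 0\r\n\r\n",
    b"GET /login?next=%2Fhome%0d%0aSet-Cookie:%20x=1 HTTP/1.1\r\nHost: hmi\r\n\r\n",
]


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        print(index, SAMPLE_REQUESTS[index].split(b"\r\n")[0], findings)
```

Only the request line is inspected; the same decoded-target checks can be applied to header values if the deployment logs them. The double decode is deliberate: a single pass leaves %255c as %5c and misses the traversal.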

Solution

Apply the vendor updates: WinCC flexible 2008 SP3, WinCC V11 SP2 Update 1, and the corresponding updates for the affected SIMATIC HMI panels and runtimes, as described in Siemens advisory SSA-345442 and ICSA-12-030-01 referenced below. Until the updates are in place, keep the HMI web server, the Telnet service and Transfer Mode reachable only from trusted engineering networks, and disable Transfer Mode when no project transfer is in progress, since the HmiLoad issues above are only exposed while it is enabled.

See Also

http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-332-02A.pdf
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf
http://aluigi.org/adv/winccflex_1-adv.txt
https://ics-cert.us-cert.gov/advisories/ICSA-12-030-01A
http://www.exploit-db.com/exploits/18166
http://www.osvdb.org/77383
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-332-02.pdf
http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf
https://exchange.xforce.ibmcloud.com/vulnerabilities/71452

Plugin Details

Severity: Critical

ID: 720014

Family: SCADA

Published: 5/8/2019

Updated: 10/9/2019

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Patch Publication Date: 4/18/2012

Vulnerability Publication Date: 4/18/2012

Reference Information

CVE: CVE-2011-4508, CVE-2011-4509, CVE-2011-4510, CVE-2011-4511, CVE-2011-4512, CVE-2011-4513, CVE-2011-4514, CVE-2011-4875, CVE-2011-4876, CVE-2011-4877, CVE-2011-4878, CVE-2011-4879