Siemens SCALANCE 200

Siemens Patches Holes In Industrial Control Switch

A security researcher discovered two serious security holes in a switch by Siemens that could allow an attacker to hijack industrial control system hardware that is heavily used by energy and transportation firms, among others.

Siemens has issued fixes for two serious vulnerabilities in its SCALANCE 200 series ICS switches.

IOActive, a security consulting firm in Seattle, Washington, said on Thursday that Eireann Leverett, a senior security consultant, discovered two vulnerabilities in Siemens’ SCALANCE X-200 Switches. The vulnerabilities were in a web server component that provided administrators with access to features needed to configure the switches. If exploited, they would have allowed an attacker who had access to the same network as the SCALANCE switch to perform administrative actions on the devices, including updating the switch firmware and hijacking active web sessions – all without needing to first log in to the device.

SCALANCE is a family of Ethernet switches that connect to industrial control system (ICS) devices including programmable logic controllers (PLCs) and Human Machine Interface (HMI) systems.

Leverett said the two vulnerabilities were of different severities. In the first case, he found that SCALANCE switches create session IDs that are very predictable. An attacker could, hypothetically, use knowledge of how those session IDs were created to ‘guess’ a session ID and take it over, gaining access to the switch. But any attacker would have to first be logged into the SCALANCE switch to hijack a session. And the devices are only rarely accessed, meaning that sessions themselves are rare – making session hijacking attacks impractical.

However, Leverett also discovered that it was possible to post firmware updates to SCALANCE switches without first authenticating to the device. That would allow any attacker on the same network as the switch to send it a software update, then trick the switch into installing that update – potentially allowing a compromised firmware version to be installed.

“You can post a URL to the switch that points to a firmware update, and the (SCALANCE switch) will just accept the firmware, install it and reboot,” he told The Security Ledger.

In a security bulletin released by the Industrial Control System CERT in October, Siemens reported that the vulnerability affects the SCALANCE X-200 switch family with firmware versions prior to V4.5.0 and the SCALANCE X-200IRT (Isochronous Real-Time) switch family with firmware versions prior to V5.1.0.

Leverett said the SCALANCE switches are commonly used, especially in the transportation sector. However, most are deployed on protected networks and not publicly accessible.

He will demonstrate exploit code for the two vulnerabilities at the S4 Conference, an industrial control system industry conference in Miami next week.


Contacted by The Security Ledger, Siemens referred to two product security bulletins that it has released describing the holes.

Security researchers have been warning for years that industrial control and SCADA systems are vulnerable to attack. But Leverett said Siemens’ response to the issues he raised is evidence of progress. The company was very responsive and has a dedicated Product CERT team tasked with working with reports like those IOActive issued. The affected products were patched within three months of Siemens being notified, IOActive said.

That’s a change from past years, when companies such as Siemens took an adversarial stand against security researchers, threatening lawsuits to stop the publication of research on security holes.

But those gains are not uniform – even within the same company, Leverett said.

“What we’re finding is that vendors are making progress with new products, but they won’t go back and review old code bases,” he said.