Number: AV18-045
Date: 15 March 2018
Purpose
The purpose of this advisory is to bring attention to recently disclosed vulnerabilities in Siemens SIMATIC, SIMOTION and SINUMERIK products.
Assessment
Multiple vulnerabilities were identified in Siemens SIMATIC, SIMOTION and SINUMERIK products. Exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code, elevate privileges, gain unauthenticated access to sensitive data, recover private keys from weak RSA keys generated by affected Infineon TPM firmware (CVE-2017-15361), and cause a denial of service under certain conditions.
Affected Products:
Siemens reports that the Intel Management Engine (ME) firmware vulnerabilities (CVE-2017-5705 through CVE-2017-5712) affect the following Industrial PCs and their ME or BIOS versions:
-SIMATIC Field-PG M3: ME prior to V6.2.61.3535,
-SIMATIC Field-PG M4: BIOS prior to V18.01.06,
-SIMATIC Field-PG M5: BIOS prior to V22.01.04,
-SIMATIC HMI IPC677C: ME prior to V6.2.61.3535,
-SIMATIC IPC427D: BIOS prior to V17.0?.10,
-SIMATIC IPC427E: BIOS prior to V21.01.07,
-SIMATIC IPC477D: BIOS prior to V17.0?.10,
-SIMATIC IPC477D PRO: BIOS prior to V17.0?.10,
-SIMATIC IPC477E: BIOS prior to V21.01.07,
-SIMATIC IPC547D: ME prior to V7.1.91.3272,
-SIMATIC IPC547E: ME prior to V9.1.41.3024,
-SIMATIC IPC547G: ME prior to V11.8.50.3425 and BIOS < R1.21.0,
-SIMATIC IPC627C: ME prior to V6.2.61.3535,
-SIMATIC IPC627D: ME prior to V9.1.41.3024,
-SIMATIC IPC647C: ME prior to V6.2.61.3535,
-SIMATIC IPC647D: ME prior to V9.1.41.3024,
-SIMATIC IPC677D: ME prior to V9.1.41.3024,
-SIMATIC IPC827C: ME prior to V6.2.61.3535,
-SIMATIC IPC827D: ME prior to V9.1.41.3024,
-SIMATIC IPC847C: ME prior to V6.2.61.3535,
-SIMATIC IPC847D: ME prior to V9.1.41.3024,
-SIMATIC ITP1000: BIOS prior to V23.01.03,
-SINUMERIK PCU50.5-C, WIN7: ME prior to V6.2.61.3535,
-SINUMERIK PCU50.5-C, WINXP: ME prior to V6.2.61.3535,
-SINUMERIK PCU50.5-P, WIN7: ME prior to V6.2.61.3535,
-SINUMERIK PCU50.5-P, WINXP: ME prior to V6.2.61.3535, and
-SIMOTION P320-4S: BIOS < S17.02.06.83.1
Siemens reports that the RSA key-generation vulnerability (CVE-2017-15361) affects the following SIMATIC Industrial PCs fitted with an affected version of Infineon's Trusted Platform Module (TPM) firmware:
-SIMATIC Field-PG M5 all versions prior to v22.01.04,
-SIMATIC IPC227E all versions prior to v20.01.10,
-SIMATIC IPC277E all versions prior to v20.01.10,
-SIMATIC IPC427E all versions prior to v21.01.07,
-SIMATIC IPC477E all versions prior to v21.01.07,
-SIMATIC IPC547G all versions, and
-SIMATIC ITP1000 all versions prior to v23.01.03
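The Infineon TPM issue above (CVE-2017-15361, the "ROCA" key-generation flaw) can be recognised from an RSA public key alone: the affected generator produces primes of the form k*M + (65537^a mod M), where M is the product of the first small primes (the first 39 primes for 512-bit keys; larger key sizes use a longer prime list that contains these 39), so the modulus N = p*q satisfies N mod r in the subgroup generated by 65537 for every such small prime r. The following Python is an added example, not code from the advisory, Siemens or Infineon; the simulated weak key, the normal key, the seed and the bit sizes are constructed here for illustration.

```python
"""ROCA (CVE-2017-15361) fingerprint for RSA public moduli.

Added example for this advisory; it is not CCIRC, Siemens or Infineon code.
Keys from the affected Infineon RSA library use primes of the form
p = k*M + (65537^a mod M), where M is the product of the first n small primes
(n = 39 for 512-bit keys; larger key sizes use more primes, so they include
these 39 too).  N = p*q then satisfies N mod r in <65537> (mod r) for every
such small prime r, which an ordinary key almost never does (false-positive
probability about 2^-154 according to the ROCA paper).
"""
import math
import random

# First 39 primes (2..167): the primes whose product is M for 512-bit keys.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537
M = math.prod(SMALL_PRIMES)  # roughly 220-bit primorial used by the affected generator


def _subgroup(r):
    """Residues 65537^j mod r: the subgroup of Z_r^* generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % r
    return seen


SUBGROUPS = {r: _subgroup(r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True when modulus n has the ROCA structure for every small prime."""
    return all(n % r in SUBGROUPS[r] for r in SMALL_PRIMES)


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test (trial division by SMALL_PRIMES first)."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(rng):
    """Simulated affected prime: k*M + 65537^a mod M, about 256 bits.
    The 37-bit k and 62-bit a roughly match the 512-bit key parameters
    described in the ROCA paper (constructed here for illustration)."""
    while True:
        k = rng.getrandbits(37) | (1 << 36)
        a = rng.getrandbits(62)
        p = k * M + pow(GENERATOR, a, M)
        if is_probable_prime(p, rng):
            return p


def random_prime(bits, rng):
    """Ordinary random prime of the given bit length (sound key material)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def simulate_keys(seed=2018):
    """Constructed test data: (weak ROCA-structured modulus, sound modulus)."""
    rng = random.Random(seed)
    weak = roca_style_prime(rng) * roca_style_prime(rng)
    sound = random_prime(256, rng) * random_prime(256, rng)
    return weak, sound


if __name__ == "__main__":
    weak, sound = simulate_keys()
    print("simulated Infineon-style key flagged:", has_roca_fingerprint(weak))
    print("ordinary key flagged:              ", has_roca_fingerprint(sound))
```

To check a key actually produced by an IPC's TPM, export the public key, extract the modulus (for example `openssl rsa -pubin -in key.pem -noout -modulus`, which prints it as hex) and pass `int(hex_string, 16)` to `has_roca_fingerprint`. A positive result means the key must be replaced after the TPM firmware update; the fingerprint only identifies affected keys, it does not by itself recover the private key.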
Siemens reports that the vulnerabilities affect the following versions of SIMATIC WinCC Add-On:
-SIMATIC WinCC Add-On Historian CONNECT ALARM all versions prior to and including v5.x,
-SIMATIC WinCC Add-On PI CONNECT ALARM all versions prior to and including v2.x,
-SIMATIC WinCC Add-On PI CONNECT AUDIT TRAIL all versions prior to and including v1.x,
-SIMATIC WinCC Add-On PM-AGENT all versions prior to and including v5.x,
-SIMATIC WinCC Add-On PM-ANALYZE all versions prior to and including v7.x,
-SIMATIC WinCC Add-On PM-CONTROL all versions prior to and including v10.x,
-SIMATIC WinCC Add-On PM-MAINT all versions prior to and including v9.x,
-SIMATIC WinCC Add-On PM-OPEN EXPORT all versions prior to and including v7.x,
-SIMATIC WinCC Add-On PM-OPEN HOST-S all versions prior to and including v7.x,
-SIMATIC WinCC Add-On PM-OPEN IMPORT all versions prior to and including v6.x,
-SIMATIC WinCC Add-On PM-OPEN PI all versions prior to and including v7.x,
-SIMATIC WinCC Add-On PM-OPEN PV02 all versions prior to and including v1.x,
-SIMATIC WinCC Add-On PM-OPEN TCP/IP all versions prior to and including v8.x,
-SIMATIC WinCC Add-On PM-QUALITY all versions prior to and including v9.x,
-SIMATIC WinCC Add-On SICEMENT IT MIS all versions prior to and including v7.x, and
-SIMATIC WinCC Add-On SIPAPER IT MIS all versions prior to and including v7.x
Siemens reports that the PROFINET denial-of-service vulnerability (CVE-2017-12741) affects the following industrial products:
-SIMATIC S7-200 Smart: All versions prior to V2.03.01,
-SIMATIC S7-400 PN V6: All versions prior to V6.0.6,
-SIMATIC S7-400 H V6: All versions prior to V6.0.8,
-SIMATIC S7-400 PN/DP V7: All versions prior to V7.0.2,
-SIMATIC S7-410 V8: All versions,
-SIMATIC S7-300: All versions,
-SIMATIC S7-1200: All versions,
-SIMATIC S7-1500: All versions prior to V2.0,
-SIMATIC S7-1500 Software Controller: All versions prior to V2.0,
-SIMATIC WinAC RTX 2010 incl. F: All versions,
-SIMATIC ET 200 Interface modules for PROFINET IO:
  -SIMATIC ET 200AL: All versions,
-SIMATIC ET 200ecoPN: All versions,
-SIMATIC ET 200M: All versions,
-SIMATIC ET 200MP IM155-5 PN BA: All versions prior to V4.0.2,
-SIMATIC ET 200MP IM155-5 PN ST: All versions prior to V4.1,
-SIMATIC ET 200MP (except IM155-5 PN BA and IM155-5 PN ST): All versions,
-SIMATIC ET 200pro: All versions,
-SIMATIC ET 200S: All versions, and
  -SIMATIC ET 200SP: All versions,
-Development/Evaluation Kits for PROFINET IO:
  -DK Standard Ethernet Controller: All versions prior to V4.1.1 Patch 05,
-EK-ERTEC 200P: All versions prior to V4.5, and
  -EK-ERTEC 200 PN IO: All versions prior to V4.5,
-SIMOTION Firmware:
  -SIMOTION D: All versions prior to V5.1 HF1,
-SIMOTION C: All versions prior to V5.1 HF1,
-SIMOTION P V4.4 and V4.5: All versions prior to V4.5 HF5, and
  -SIMOTION P V5: All versions prior to V5.1 HF1,
-SINAMICS:
  -SINAMICS DCM: All versions,
-SINAMICS DCP: All versions,
-SINAMICS G110M / G120(C/P/D) w. PN: All versions prior to V4.7 SP9 HF1,
-SINAMICS G130 and G150 w. PN: All versions,
-SINAMICS S110 w. PN: All versions prior to V4.4 SP3 HF6,
-SINAMICS S120 w. PN: All versions prior to V4.8 HF5,
  -SINAMICS S150 w. PN:
    -V4.7: All versions, and
    -V4.8: All versions,
  -SINAMICS V90 w. PN: All versions prior to V1.02,
-SINUMERIK 840D sl: All versions,
-SIMATIC Compact Field Unit: All versions,
-SIMATIC PN/PN Coupler: All versions,
-SIMOCODE pro V PROFINET: All versions, and
-SIRIUS Soft starter 3RW44 PN: All versions.
CVE References: CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5708, CVE-2017-5709, CVE-2017-5710, CVE-2017-5711, CVE-2017-5712, CVE-2017-15361, CVE-2017-12741
Suggested Action
CCIRC recommends that organizations review the following mitigation information and consider their implementation in the context of their network environment.
- Download software and updates strictly from trusted sources using authenticated access and cryptographically verify the integrity of the downloaded content.
- Apply industrial control systems (ICS) patches in consultation with the vendor.
- Evaluate patches and updates in a test environment in order to assess the risks of deployment.
- Use a dedicated patch management server and anti-virus server located in the ICS DMZ, so that control system hosts never fetch updates directly from the business network or the Internet.
- Mitigate residual vulnerabilities that could be exploited by an intruder with additional safeguards.
- Keep your antivirus signatures and engines up-to-date.
- Minimize network exposure for all control system devices. Control system devices must not directly face the Internet.
- If remote access is required, use a secure method such as a Virtual Private Network (VPN), implement strong authentication, control the access and monitor your logs.
- Ensure that your firewall blocks outbound traffic by default and permits only the minimum number of ports required.
- Isolate your ICS devices from the business network with proper firewall rules. If data flows are necessary, consider data diodes or unidirectional gateways.
- Update your incident response plans to include cyber security scenarios. Be prepared to respond. Exercise your plans regularly.
Please also reference the mitigation advice specific to your product and situation.
References:
https://ics-cert.us-cert.gov/advisories/ICSA-18-060-01
https://ics-cert.us-cert.gov/advisories/ICSA-18-058-01
https://ics-cert.us-cert.gov/advisories/ICSA-18-018-01A
https://ics-cert.us-cert.gov/advisories/ICSA-17-339-01D
https://www.siemens.com/global/en/home/products/services/cert.html
CCIRC Industrial Control System (ICS) Cyber Security: Recommended Best Practices
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2012/tr12-002-eng.aspx
Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies