Thursday, July 27, 2017

Positive Technologies helps to eliminate critical vulnerabilities in Siemens and Schneider Electric SCADA systems

Ilya Karpov, a Positive Technologies expert, found vulnerabilities in products used to build automation systems across industries ranging from petrochemicals to power generation.

Ilya found a clear-text password storage problem in two Schneider Electric products, InTouch Machine Edition 2014 (version 7.1, Service Pack 3, Patch 4) and InduSoft Web Studio (7.1.3.4), as well as in their earlier builds. The vulnerability, assigned CVE-2015-1009 with a base score of 6.4, cannot be exploited remotely, but it requires only a low-skilled internal attacker.

Schneider Electric recommends that users install the new security updates as soon as possible (a patch for InTouch Machine Edition 2014 and a patch for InduSoft Web Studio) and restrict personnel's physical access to these systems, reducing the risk of confidential information being disclosed by internal attackers.

In July, Siemens issued an update to its April advisory, thanking Ilya Karpov for finding a dangerous and easily exploitable vulnerability that threatened the security of a number of Siemens SIMATIC-based solutions:

  • SIMATIC HMI Basic Panels 2nd Generation — all the versions up to WinCC (TIA Portal) V13 SP1 Upd2;
  • SIMATIC HMI Comfort Panels — all the versions up to WinCC (TIA Portal) V13 SP1 Upd2;
  • SIMATIC WinCC Runtime Advanced — all the versions up to WinCC (TIA Portal) V13 SP1 Upd2;
  • SIMATIC WinCC Runtime Professional — all the versions up to WinCC (TIA Portal) V13 SP1 Upd2;
  • SIMATIC HMI Mobile Panel 277 (WinCC TIA Portal) — all the versions up to WinCC (TIA Portal) V13 SP1 Upd4;
  • SIMATIC HMI Multi Panels (WinCC TIA Portal) — all the versions up to WinCC (TIA Portal) V13 SP1 Upd4;
  • SIMATIC WinCC V7.X — all the versions up to V7.3 Upd4;
  • SIMATIC PCS 7 — all the versions up to V8.1 SP1.

The CVE-2015-2823 flaw, rated 6.8, allows an attacker to authenticate to the server, both locally and remotely, using only a user's password hash; the password itself does not need to be known.

Checks for all of the security issues found in Siemens SIMATIC software have been added to the knowledge base of PT MaxPatrol, the vulnerability and compliance management system.

Positive Technologies has been working with leading ICS vendors for years. The large-scale study “SCADA Safety in Numbers” was presented in 2012. A year later, PT experts built Choo Choo Pwn, a detailed large-scale railway model whose components (trains, railroad crossing gates, and traffic lights) are controlled by an ICS built on three real SCADA systems. The model was used for the SCADA security contest at Positive Hack Days, the annual international information security conference.

In 2014, the contest infrastructure was substantially reworked so that zero-day vulnerabilities could be found in a wider range of systems and industrial protocols, including transport, city lighting, power plants and various robots. The contest’s winner, Alisa Shevchenko, was thanked by Schneider Electric for the vulnerabilities she identified.

This year's Choo Choo Pwn was even more realistic: participants couldn't simply send a command that caused a failure, because the traffic safety logic wouldn't allow it. The goal of the challenge was therefore to bypass the transport safety mechanisms.
