Tenable Research Discloses Critical Vulnerability in Siemens STEP 7 (CVE-2019-10915)
Tenable Research has discovered a critical vulnerability in Siemens TIA Portal (also referenced as STEP 7) that would allow an attacker to perform administrative actions. Siemens has released an update and security advisory.
- What you need to know: Tenable Research has disclosed an unauthenticated RCE in Siemens SIMATIC STEP 7 V15.1.
- What’s the attack vector? Authentication bypass in the TIA Administrator server through websockets on the node.js server.
- What’s the business impact? Attackers could perform any administrative actions on the TIA Portal, including elevating privileges or sending malicious firmware updates.
- What’s the solution? Siemens has released an update and security advisory for this vulnerability.
Background
Siemens has released an update and security advisory for CVE-2019-10915, an unauthenticated remote command execution (RCE) vulnerability in the TIA Portal (also referenced as STEP 7) discovered by Tenable Researcher Joseph Bingham.
SIMATIC STEP 7 Professional V15.1 is the programming software for the controller families S7-300, S7-400, C7 and WinAC. According to Siemens, the software is used for automation tasks like “configuring hardware, establishing communications, programming, testing, commissioning and service, documentation and archiving, or operational and/or diagnostic functions.” It is deployed in sectors including manufacturing, utilities and transportation.
التحليل
The vulnerability is an authentication bypass in the TIA Administrator server. An attacker could execute arbitrary application commands through websockets on the node.js server which is externally exposed by default.
By exploiting this vulnerability, an unauthenticated remote attacker could perform actions on TIA Portal, such as elevating privileges, changing proxy settings, or specifying malicious firmware updates. This vulnerability could be a critical part of a tailored attack against operational technology (OT) or industrial control systems (ICS), similar to Triton, Duqu and Stuxnet. Bingham explains how this vulnerability could be leveraged in an attack like this in his Medium blog post.
Business impact
An attacker could compromise a TIA Portal system and use their access to add malicious code to adjacent industrial control systems. Attackers could also use the access gained through exploitation of this vulnerability to steal sensitive data on existing OT setups to further progress and plan targeted attacks on critical infrastructure.
In a worst case scenario, a vulnerable TIA Portal system can be used as a stepping stone in an attack causing catastrophic damage to OT equipment, disrupting critical operations or conducting cyber espionage campaigns.
Solution
Users should confirm that they have updated to the latest version of Siemens STEP 7.
Additional information
- Visit the Tenable Tech Blog on Medium to read researcher Joseph Binghams’s in-depth story about the team’s work researching ICS security.
- Siemens Security Advisory
- Tenable Advisory
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io.
مقالات ذات صلة
How to Discover, Analyze and Respond to Threats Faster with Generative AI
June 17, 2024Generative AI (GenAI) is being hailed as the most transformative innovation since the rise of the internet. For security, GenAI can revolutionize the field if applied correctly, especially when it comes to threat detection and response. It enhances efficiency and productivity by swiftly processing and delivering critical information when it matters most.
These Services Shall Not Pass: Abusing Service Tags to Bypass Azure Firewall Rules (Customer Action Required)
June 3, 2024Azure customers whose firewall rules rely on Azure Service Tags, pay attention: You could be at risk due to a vulnerability detected by Tenable Research. Here’s what you need to know to determine if you’re affected, and if so, what you should do right away to protect your Azure environment from attackers.
Cybersecurity Snapshot: EPA Urges Water Plants To Boost Cybersecurity, as OpenSSF Launches Threat Intel Platform for Open Source Software
May 24, 2024Check out the EPA’s call for water plants to beef up their cyber defenses. Plus, open source developers have a new platform to share threat intelligence. Moreover, business email compromise attacks prompt alert from U.K.’s cyber agency. And CISA tackles DNS encryption best practices. And much more!
Cybersecurity Snapshot: Memory Bugs Pervasive in Open Source SW, While Car Dealership Chaos Persists After Ransomware Attack
June 28, 2024Check out why memory vulnerabilities are widespread in open source projects. Plus, get the latest on the ransomware attack that’s disrupted car sales in North America. In addition, find out why a majority of organizations grew their cyber budgets this year. And learn how confidential data from U.S. chemical facilities may have been accessed by hackers. And much more!
Tag, You’re IT! Tagging Your Way to Cloud Security Excellence
June 26, 2024To manage your cloud resources effectively and securely, you need to consistently tag assets across all your cloud platforms. Here we explain tagging’s main benefits, as well as proven strategies and best practices for tagging success.
CVE-2024-5806: Progress MOVEit Transfer Authentication Bypass Vulnerability
June 25, 2024Progress Software has patched a high severity authentication bypass in the MOVEit managed file transfer (MFT) solution. As MOVEit has been a popular target for ransomware gangs and other threat actors, we strongly recommend prioritizing patching of this vulnerability.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning