Full Report
Newly identified vulnerabilities affect SIMATIC WinCC OA HMI system, SCALANCE X switches and TD Keypad Designer tool
Analysis Summary
Based on the provided article description and historical data regarding the Siemens advisories referenced (SSA-345372, SSA-559171, and SSA-214470), the following summary outlines the vulnerabilities affecting SIMATIC WinCC OA, SCALANCE X, and the TD Keypad Designer.
# Vulnerability: Multiple Vulnerabilities in Siemens Industrial Solutions
## CVE Details
- **CVE ID:** CVE-2018-13813 (SCALANCE X), CVE-2018-13815 (SIMATIC WinCC OA), CVE-2018-13821 (TD Keypad Designer)
- **CVSS Score:** 7.5 (High) / 5.3 (Medium) / 7.8 (High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption), CWE-119 (Memory Corruption), CWE-427 (Uncontrolled Search Path Element)
## Affected Systems
- **Products:**
1. SCALANCE X-200 switch family (including X-200IRT).
2. SIMATIC WinCC Open Architecture (OA).
3. SIMATIC TD Keypad Designer.
- **Versions:**
1. SCALANCE X-200: All versions prior to v5.2.4.
2. SIMATIC WinCC OA: v3.14 and v3.15 (specific service packs).
3. TD Keypad Designer: All versions prior to v1.0.1.
- **Configurations:** Systems utilizing the web management interface (SCALANCE) or processing malformed configuration/project files (WinCC/TD Keypad).
## Vulnerability Description
- **SCALANCE X:** An uncontrolled resource consumption vulnerability in the web server allows an attacker to cause a Denial of Service (DoS) by sending specially crafted HTTP requests.
- **SIMATIC WinCC OA:** A memory corruption vulnerability exists when the system parses specially crafted messages sent to the TCP port 4999 (data manager).
- **TD Keypad Designer:** A DLL Hijacking (Uncontrolled Search Path) vulnerability exists where the application loads executable files from the application directory. If an attacker places a malicious DLL in that directory, they can achieve arbitrary code execution.
## Exploitation
- **Status:** PoC available (for DLL Hijacking/WinCC OA); No known exploits in the wild at the time of publication.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (SCALANCE/WinCC OA); Local (TD Keypad Designer).
## Impact
- **Confidentiality:** Low to High (High for TD Keypad Designer via code execution).
- **Integrity:** Low to High.
- **Availability:** High (Total Denial of Service for SCALANCE/WinCC OA).
## Remediation
### Patches
- **SCALANCE X-200:** Update to firmware v5.2.4 or later.
- **SIMATIC WinCC OA:** Apply v3.14 P018 or v3.15 P008 (or newer).
- **TD Keypad Designer:** Update to v1.0.1.
### Workarounds
- **Network Segmentation:** Restrict access to the WinCC OA Data Manager (TCP 4999) and SCALANCE web interface to authorized administrative segments only.
- **User Permissions:** For TD Keypad Designer, ensure users do not have write permissions to the application directory to prevent DLL placement.
- **Disable Web Services:** Disable the HTTP/HTTPS server on SCALANCE switches if not required for management.
## Detection
- **Indicators of Compromise:** Unexpected reboots of SCALANCE switches; WinCC OA service crashes; presence of unauthorized `.dll` files in the TD Keypad Designer installation folder.
- **Detection methods:** Use IDS/IPS signatures to monitor for malformed traffic on port 4999; monitor file integrity for industrial engineering workstations.
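The two host-side controls above for the TD Keypad Designer case (users must not be able to write to the application directory, and file integrity of engineering workstations should be monitored) can be checked with a small baseline-and-diff routine. The script below is an added example, not code from the Siemens advisories or the Kaspersky ICS CERT article: it hashes every `.dll`/`.exe` under an application directory, reports files that appear, disappear or change relative to a stored baseline, and reports whether the current user can write to that directory. The directory name `TDKeypadDesigner` and the file contents are constructed for the demo; the real install path is not stated on the page and would be substituted by the operator.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(app_dir: Path) -> dict:
    """Map each DLL/EXE (path relative to app_dir) to its SHA-256 digest."""
    baseline = {}
    for p in sorted(app_dir.rglob("*")):
        if p.is_file() and p.suffix.lower() in {".dll", ".exe"}:
            baseline[str(p.relative_to(app_dir))] = hash_file(p)
    return baseline


def check_against_baseline(app_dir: Path, baseline: dict) -> dict:
    """Compare the directory's current state with a stored baseline.

    'added' is the interesting set for DLL hijacking: a library that was not
    present when the software was installed and validated.
    """
    current = build_baseline(app_dir)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in current.keys() & baseline.keys()
            if current[name] != baseline[name]
        ),
    }


def writable_by_current_user(app_dir: Path) -> bool:
    """True if the running user can create files in app_dir.

    The workaround on this page requires this to be False for ordinary users
    of the engineering workstation; os.access reflects the effective user and
    is therefore best run as that user, not as an administrator.
    """
    return os.access(app_dir, os.W_OK)


def demo() -> dict:
    """Constructed scenario: baseline a fake install, then drop an extra DLL
    and alter a vendor DLL, and show what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "TDKeypadDesigner"  # constructed name, not the real install path
        app.mkdir()
        (app / "designer.exe").write_bytes(b"constructed exe contents")
        (app / "vendor.dll").write_bytes(b"constructed dll contents")
        baseline = build_baseline(app)

        # Simulated unauthorized change: a new DLL appears and a known one is replaced.
        (app / "unexpected.dll").write_bytes(b"not part of the baseline")
        (app / "vendor.dll").write_bytes(b"different contents")

        return {
            "diff": check_against_baseline(app, baseline),
            "writable": writable_by_current_user(app),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline dictionary is written out once after a verified install (for example to JSON on a protected share) and `check_against_baseline` is run on a schedule; any entry under `added` or `modified` in the application directory is the "unauthorized `.dll`" indicator listed above and warrants an investigation rather than an automatic clean-up.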
## References
- **Vendor Advisories:**
- hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-345372[.]pdf
- hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-559171[.]pdf
- hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-214470[.]pdf
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/blog/2018/09/20/dangerous-vulnerabilities-in-siemens-industrial-solutions/