Full Report
Vulnerable solutions include SiNVR 3, XHQ Operations Intelligence, RUGGEDCOM ROS, and Siemens EN100
Analysis Summary
This summary is based on the security advisory addressing multiple vulnerabilities in Siemens components, including the EN100 Ethernet module, RUGGEDCOM ROS, and specialized software like SiNVR 3.
# Vulnerability: Multiple Flaws in Siemens Industrial Products
## CVE Details
*Note: This specific advisory (SSA-273347 and related) addresses multiple CVEs. The most critical are highlighted below.*
- **CVE-2019-13936** (SiNVR 3) / **CVE-2019-10931** (EN100)
- **CVSS Score:** 7.5 to 9.8 (High to Critical)
- **CWE:** CWE-287 (Improper Authentication), CWE-319 (Cleartext Transmission), CWE-757 (Selection of Less-Secure Algorithm)
## Affected Systems
- **SiNVR 3 (Video Management System):** All versions.
- **EN100 Ethernet Module:** Used in SIPROTEC 5 devices (Firmware versions prior to V7.80).
- **RUGGEDCOM ROS:** Specific versions of the Operating System for RUGGEDCOM switches.
- **XHQ Operations Intelligence:** Versions prior to V6.0.
## Vulnerability Description
The vulnerabilities range from administrative credential exposure to incomplete authentication protocols:
1. **SiNVR 3:** Uses a proprietary protocol for communication between Control Center and Servers that transmits sensitive data in cleartext or uses weak encryption, allowing unauthorized access to video streams.
2. **EN100 Module:** Contains a vulnerability in the web server implementation where specially crafted HTTP packets can cause a Denial of Service (DoS) or potentially allow unauthorized configuration changes.
3. **RUGGEDCOM ROS:** Improper protection of sensitive data in the backup/restore functionality.
## Exploitation
- **Status:** Not exploited in the wild (at time of report); however, researchers have demonstrated PoCs for credential interception in SiNVR.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Exposure of video feeds and system credentials).
- **Integrity:** High (Unauthorized configuration modifications).
- **Availability:** High (Device crashes/reboots via DoS).
## Remediation
### Patches
- **EN100:** Update to EN100 Firmware V7.80 or later.
- **XHQ:** Upgrade to XHQ Operations Intelligence V6.0 or later.
- **RUGGEDCOM:** Apply specific ROS updates provided by Siemens Support for the relevant hardware model.
### Workarounds
- **Network Segmentation:** Isolate SiNVR and EN100 communication within a dedicated, protected VLAN.
- **Disable Unused Services:** Disable the web server (HTTP) on EN100 modules if not required for maintenance.
- **Encryption:** Use VPN or SSH tunnels for any traffic transiting untrusted networks.
## Detection
- **Indicators of Compromise:** Unusual administrative login attempts; unexpected reboots of EN100 modules; unauthorized network traffic on TCP ports 5440 and 5444 (SiNVR).
- **Detection Methods:** Monitor for non-standard HTTP headers directed at Siemens PLC/Protection relay web interfaces.
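
The SiNVR port indicator above can be checked against exported flow records. The following is an added example, not part of the advisory or of any Siemens tooling; the CSV flow format, the allowlisted VLAN `10.20.30.0/24` and all sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# TCP ports this report associates with SiNVR traffic.
SINVR_PORTS = {5440, 5444}

# Assumption: legitimate SiNVR clients live only in this dedicated VLAN.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """ts,proto,src,dst,dport
2019-12-17T08:00:01Z,tcp,10.20.30.15,10.20.30.5,5440
2019-12-17T08:00:07Z,tcp,192.168.50.77,10.20.30.5,5444
2019-12-17T08:01:12Z,udp,192.168.50.77,10.20.30.5,5440
2019-12-17T08:02:30Z,tcp,10.20.31.9,10.20.30.5,5440
2019-12-17T08:03:00Z,tcp,192.168.50.77,10.20.30.5,443
2019-12-17T08:03:05Z,tcp,not-an-ip,10.20.30.5,5444
"""

def is_allowed(addr):
    """True if the source address belongs to an allowlisted client network."""
    return any(addr in net for net in ALLOWED_CLIENTS)

def find_unauthorized_sinvr_flows(flow_csv, ports=SINVR_PORTS):
    """Return (ts, src, dport, reason) for TCP flows to SiNVR ports
    whose source is outside the allowlist or cannot be parsed."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp":
            continue
        try:
            dport = int(row["dport"])
        except ValueError:
            continue  # no usable port, cannot match the indicator
        if dport not in ports:
            continue
        try:
            src = ipaddress.ip_address(row["src"])
        except ValueError:
            # Surface malformed sources instead of silently dropping them.
            alerts.append((row["ts"], row["src"], dport, "unparseable source"))
            continue
        if not is_allowed(src):
            alerts.append((row["ts"], row["src"], dport, "source outside SiNVR VLAN"))
    return alerts

if __name__ == "__main__":
    for alert in find_unauthorized_sinvr_flows(SAMPLE_FLOWS):
        print(alert)
```

Replace `ALLOWED_CLIENTS` with the networks that actually host the Control Center and server systems; the check is only as good as that allowlist.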
## References
- **Siemens Advisory (SSA-273347):** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-273347[.]pdf
- **Siemens Advisory (SSA-344338):** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-344338[.]pdf
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/advisories/2019/12/17/multiple-vulnerabilities-in-siemens-products/