20 October 2017
Yesterday morning, on LinkedIn, I found a notification from the manufacturer’s product CERT about a new vulnerability in Siemens SIMATIC WINCC systems. CVE-2017-6867 is exploitable over the network, so every WINCC system that is reachable from the internet is potentially affected. But that is no reason for panic.
A closer look at the CVE details revealed that the vulnerability “could allow an authenticated, remote attacker who is a member of the ‘administrators’ group to crash services by sending specially crafted messages to the DCOM interface”.
To be honest, it is not worth studying the details any further: to exploit this vulnerability, the attacker must already be a member of the administrators group of the WINCC system.
But why would an attacker bother sending specially crafted messages to the DCOM interface when, with administrator rights, he can easily compromise the entire SCADA network using Windows built-in utilities?
Moreover, it’s not worth patching this vulnerability immediately, if at all. If patching is required for compliance reasons, it can wait until the next scheduled maintenance window.
This endless stream of new vulnerabilities distracts us from the right and important work, e.g. implementing good account and password practice in the SCADA Active Directory.
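As an added example that is not part of the original post, the following PowerShell audit checks the two things the post ties together: who is in the Administrators group of each WINCC host (the precondition for CVE-2017-6867) and whether those accounts follow sound password practice in Active Directory. The host names, the group name SCADA-WinCC-Admins, the RSAT ActiveDirectory module and the one-year password-age threshold are assumptions, not values from the post.

```powershell
# Added example (not from the original post): audit the admin-membership
# precondition of CVE-2017-6867 and the password hygiene of those accounts.
# Assumptions (hypothetical): the RSAT ActiveDirectory module is installed,
# "SCADA-WinCC-Admins" is the only sanctioned admin group on WINCC hosts,
# and $WinCCHosts lists the WINCC servers by name.
Import-Module ActiveDirectory

$WinCCHosts       = @('WINCC-SRV01', 'WINCC-SRV02')   # constructed host names
$SanctionedAdmins = @('SCADA-WinCC-Admins')           # constructed allowlist

foreach ($h in $WinCCHosts) {
    # Enumerate the local Administrators group on each WINCC server.
    $members = Invoke-Command -ComputerName $h -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators'
    }
    foreach ($m in $members) {
        # Name is "DOMAIN\principal" or "HOST\principal"; compare the short name.
        $shortName = ($m.Name -split '\\')[-1]
        if ($SanctionedAdmins -notcontains $shortName) {
            Write-Warning "$h : unexpected Administrators member '$($m.Name)' ($($m.ObjectClass))"
        }
    }
}

# For every user that reaches the sanctioned admin group directly or via
# nested groups, report password settings that undermine good practice.
$weak = Get-ADGroupMember -Identity 'SCADA-WinCC-Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, PasswordNotRequired,
                           PasswordLastSet, LastLogonDate, Enabled |
    Where-Object {
        $_.PasswordNeverExpires -or
        $_.PasswordNotRequired  -or
        -not $_.PasswordLastSet -or
        $_.PasswordLastSet -lt (Get-Date).AddDays(-365)   # assumed 1-year max age
    }

$weak |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires,
                  PasswordNotRequired, PasswordLastSet, LastLogonDate |
    Format-Table -AutoSize
```

Run it from a management workstation with WinRM access to the WINCC hosts and read rights in the domain; any warning or listed account is a finding to follow up during the next maintenance window.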
Have a great weekend.