Tag Archives: Patch Treadmill

New vulnerability in SIMATIC WINCC systems – Don’t Panic!

20 October 2017

Yesterday morning I found a notification about a new vulnerability in Siemens SIMATIC WINCC systems from the manufacturer’s product CERT on LinkedIn. CVE-2017-6867 is network exploitable, thus every WINCC system that is accessible from the internet is potentially vulnerable. But that is no reason for panic.

A closer look at the CVE details revealed that the vulnerability “could allow an authenticated, remote attacker who is member of the “administrators” group to crash services by sending specially crafted messages to the DCOM interface”.

To be honest, it is not worth studying more details. To exploit this vulnerability, the attacker needs to be a member of the administrators group of the WINCC system.

But why would the attacker bother sending specially crafted messages to the DCOM interface if, as a member of the administrators group, he can easily compromise the entire SCADA network with Windows built-in utilities?

Moreover, it’s not worth patching this vulnerability immediately, if at all. If patching is required due to compliance reasons, it can wait until the next scheduled maintenance.

This endless stream of new vulnerabilities pulls us away from doing the right and important things, e.g. implementing good account and password practice in the SCADA Active Directory.

Have a great weekend.

CVE-2017-6033 – Keep Calm and Carry on

9 April 2017

When I read the note about CVE-2017-6033 on LinkedIn and the related ICS-CERT advisory ICSA-17-094-01 on Wednesday morning, my first thought was: this sounds like a really big issue if Schneider Electric recommends upgrading to Windows 10 to solve a security issue in their Interactive Graphical SCADA System (IGSS) software.

What happened: someone identified a search path vulnerability in the IGSS software. This means that if an attacker manages to place e.g. a fake IGSS dynamic link library (DLL) in a directory which is searched earlier than the default installation directory, then the fake DLL is loaded and executed instead of the version installed in the installation directory. OK, this sounds really dangerous.
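To make the search-path condition concrete, here is an added audit script (my own example, not code from Schneider Electric or from the advisory). It models the default Windows DLL search order with SafeDllSearchMode enabled, as documented by Microsoft, and reports every directory that is searched before the one holding the genuine DLL and that the current user can write to. The directory names in the demo are constructed; the only real check is the one against the host's own PATH, which should be run as a standard user rather than as an administrator.

```python
import os

# Default DLL search order on Windows with SafeDllSearchMode enabled (Microsoft's
# documented order). Used here as the model for reasoning about a search-path bug.
def default_search_order(app_dir, system_dir, windows_dir, cwd, path_dirs):
    return [
        app_dir,                              # directory of the executable
        system_dir,                           # e.g. C:\Windows\System32
        os.path.join(windows_dir, "System"),  # 16-bit system directory
        windows_dir,                          # e.g. C:\Windows
        cwd,                                  # current working directory
        *path_dirs,                           # PATH entries, in order
    ]


def _same_dir(a, b):
    """Case-insensitive, trailing-separator-insensitive comparison (Windows semantics)."""
    return a.lower().rstrip("\\/") == b.lower().rstrip("\\/")


def hijackable_dirs(legit_dir, search_order, is_writable=None):
    """Return the directories searched before legit_dir (where the genuine DLL lives)
    that the current user can write to. Each hit is a place where a planted copy of
    the DLL would win the search. Run as a standard user: an administrator can write
    everywhere, so the result would be meaningless."""
    if is_writable is None:
        is_writable = lambda d: os.path.isdir(d) and os.access(d, os.W_OK)
    hits = []
    for d in search_order:
        if _same_dir(d, legit_dir):
            break  # the loader would find the real DLL here; later dirs don't matter
        if is_writable(d):
            hits.append(d)
    return hits


def demo():
    """Constructed scenario: the genuine DLL sits in a vendor 'Shared' folder reached
    via PATH, while the user's desktop (the working directory) and a world-writable
    tools folder are searched first. The writable set stands in for real ACLs."""
    writable = {r"C:\Tools", r"C:\Users\operator\Desktop"}  # constructed ACL state
    order = default_search_order(
        app_dir=r"C:\Program Files\Vendor\App",
        system_dir=r"C:\Windows\System32",
        windows_dir=r"C:\Windows",
        cwd=r"C:\Users\operator\Desktop",
        path_dirs=[r"C:\Tools", r"C:\Program Files\Vendor\Shared"],
    )
    return hijackable_dirs(r"C:\Program Files\Vendor\Shared", order,
                           is_writable=lambda d: d in writable)


def audit_host_path():
    """Real check on the machine this runs on: PATH entries writable by the current
    user. On a SCADA host there should be none outside the user's own profile."""
    entries = [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]
    return [p for p in entries if os.path.isdir(p) and os.access(p, os.W_OK)]


if __name__ == "__main__":
    print("constructed scenario, hijackable dirs:", demo())
    print("writable PATH entries on this host:", audit_host_path())
```

The point the audit makes is the one the advisory turns on: the bug only matters where some directory ahead of the legitimate one is writable by a user who is not already an administrator. If the audit comes back empty for standard users, a planted DLL has nowhere to land.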

The CVSS V3 vector string for CVE-2017-6033 is (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

The UI (User Interaction) is important in this case. UI:R (Required) means that

“Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.”

In this case, the attacker must convince a user or administrator of the computer where the IGSS software is installed to copy a malicious DLL into a directory that is searched earlier than the IGSS installation directory.

To be honest, Schneider Electric's recommended mitigation for this risk is somewhat oversized. End users should on no account rush into migrating to Windows 10 because of it. The operational risk of such a migration is far too high compared to the effort an attacker has to invest to prepare this attack.

In this case, I would propose simply making users aware of the problem, and that's it. If production networks are well designed and maintained and user awareness is high, then there's no need to run on the patch treadmill. Keeping pace with this endless flood of patches pulls us away from doing the right and important things.

Have a good weekend.