German engineering company Siemens has patched two vulnerabilities affecting some of its SIMATIC controllers.
The first vulnerability (CVE-2016-3949) is a denial-of-service (DoS) bug that affects the SIMATIC S7-300 CPU, a product used by companies worldwide to manage process control in various industrial environments including Chemical, Energy, Food and Agriculture, and Water and Wastewater Systems. All versions prior to V3.2.12 on SIMATIC S7-300 CPUs with Profinet support are affected, as are all versions prior to V3.3.12 on SIMATIC S7-300 CPUs without Profinet support, notes the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in an advisory:
"Specially crafted packets sent to Port 102/TCP (ISO-TSAP) or via Profibus could cause the affected device to go into defect mode. A cold restart is required to recover the system."
An attacker with low skills could remotely exploit this issue.
In response to that threat, Siemens has released SIMATIC S7-300 firmware versions V3.2.12 and V3.3.12 that fix the vulnerability. It recommends users update to the latest version as soon as possible.
Siemens has also patched a weakly protected credentials vulnerability (CVE-2015-1358) that affects SIMATIC WinCC flexible, a software package that assists with visualization and machine or small system operations on standard PCs and on Siemens panel PCs. Specifically, the vulnerability affects all versions prior to SP3 Up7 on SIMATIC WinCC flexible, notes ICS-CERT in a second advisory:
"The remote management module of SIMATIC WinCC flexible panels and SIMATIC WinCC flexible runtime transmits weakly protected credentials over the network. Attackers capturing network traffic of the remote management module could possibly reconstruct the credentials."
To prevent attackers with high skills from remotely exploiting this issue, Siemens has issued Update 7 for SIMATIC WinCC flexible 2008 SP3 that fixes the bug. Users are urged to implement that update in the near future.
News of these fixes comes more than a year after Siemens patched three vulnerabilities affecting a variety of SIMATIC HMI devices.