Security researchers have discovered a vulnerability in Siemens STEP 7 TIA Portal, design and automation software for industrial control systems (ICS) used in nearly every vertical worldwide.
According to a blog post by researchers at Tenable Research, the critical vulnerability could be used by a bad actor as a stepping stone in a tailored attack against critical infrastructure, with the potential for catastrophic damage.
By exploiting the flaw, an unauthenticated, remote attacker could perform any administrative actions on the system, enabling them to add malicious code to adjacent ICS. A bad actor could also exploit the vulnerability to harvest data in order to plan a future, targeted attack.
The vulnerability [CVE-2019-10915] impacts the same family of devices compromised in the Stuxnet attack, which first made headlines almost nine years ago.
SIMATIC STEP 7 Professional V15.1 is the programming software for the controller families S7-300, S7-400, C7 and WinAC. According to Siemens, the software is used for automation tasks like "configuring hardware, establishing communications, programming, testing, commissioning and service, documentation and archiving, or operational and/or diagnostic functions." It is deployed in sectors including manufacturing, utilities and transportation.
The flaw is an authentication bypass in the TIA Administrator server. An attacker could execute arbitrary application commands through websockets on the node.js server, which is externally exposed by default.
By exploiting this vulnerability, an unauthenticated remote attacker could perform actions on TIA Portal, such as elevating privileges, changing proxy settings, or specifying malicious firmware updates. This vulnerability could be a critical part of a tailored attack against operational technology (OT) or industrial control systems (ICS), similar to Triton, Duqu and Stuxnet.
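The weakness described above, an unauthenticated client reaching a command handler on a node.js WebSocket server that listens externally by default, is easier to reason about in code. The following is an added illustration for this article, not Siemens' TIA Administrator code or Tenable's analysis; the command names, session shape, origins and port are constructed placeholders. It contrasts a handler that trusts what the client sends with one that keys every decision off a server-side session and an Origin allowlist, and shows a loopback-only listen default that an operator must consciously override.

```javascript
// Illustrative model of an admin service that takes commands over a WebSocket.
// Added teaching example, NOT Siemens' TIA Administrator code; command names,
// roles, origins and the port below are constructed placeholders.

// Commands the service understands; the privileged ones mirror the kinds of
// actions the article lists (proxy settings, firmware updates).
const PRIVILEGED = new Set(["setProxy", "scheduleFirmwareUpdate"]);
const KNOWN = new Set(["getStatus", ...PRIVILEGED]);

// Parse one WebSocket text frame defensively: JSON only, must be a plain object
// carrying a string "cmd"; anything else is rejected before dispatch.
function parseMessage(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  if (typeof msg.cmd !== "string") return null;
  return msg;
}

// Weak pattern: no session at all, and the "admin" claim comes from the client.
// Any connection that can reach the socket can run any privileged command.
function weakDispatch(msg) {
  if (!KNOWN.has(msg.cmd)) return { ok: false, reason: "unknown command" };
  if (PRIVILEGED.has(msg.cmd) && msg.admin !== true) {
    return { ok: false, reason: "admin required" };
  }
  return { ok: true, cmd: msg.cmd };
}

// Hardened pattern: authorization state lives in a server-side session created
// at the handshake after credentials were verified; the browser Origin header is
// checked against an allowlist (blocks cross-site WebSocket hijacking); the
// role is read from the session, never from the message.
function hardenedDispatch(msg, session, origin, trustedOrigins) {
  if (!session || session.authenticated !== true) {
    return { ok: false, reason: "unauthenticated" };
  }
  if (!trustedOrigins.has(origin)) return { ok: false, reason: "untrusted origin" };
  if (!KNOWN.has(msg.cmd)) return { ok: false, reason: "unknown command" };
  if (PRIVILEGED.has(msg.cmd) && session.role !== "admin") {
    return { ok: false, reason: "admin required" };
  }
  return { ok: true, cmd: msg.cmd };
}

// Listening configuration: the article notes the real server was externally
// exposed by default. The safe default is loopback only; binding to anything
// else must be an explicit operator decision, and is easy to audit for.
const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);

function listenConfig(overrides = {}) {
  return { host: "127.0.0.1", port: 8443, ...overrides }; // port is a placeholder
}

function isExternallyExposed(cfg) {
  return !LOOPBACK.has(cfg.host);
}

// Walk both patterns with one constructed message that claims admin rights.
function demo() {
  const origin = "https://tia-admin.example.local"; // placeholder trusted origin
  const trusted = new Set([origin]);
  const forged = parseMessage('{"cmd":"scheduleFirmwareUpdate","admin":true}');
  const admin = { authenticated: true, role: "admin" };
  return {
    weak: weakDispatch(forged),
    hardenedNoSession: hardenedDispatch(forged, null, origin, trusted),
    hardenedOperator: hardenedDispatch(forged, { authenticated: true, role: "operator" }, origin, trusted),
    hardenedAdmin: hardenedDispatch(forged, admin, origin, trusted),
    crossSite: hardenedDispatch(forged, admin, "https://other.example", trusted),
    defaultExposed: isExternallyExposed(listenConfig()),
    allInterfacesExposed: isExternallyExposed(listenConfig({ host: "0.0.0.0" })),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the contrast is that the weak handler accepts the forged message outright, while the hardened one rejects it unless the server itself established an admin session for that connection from a trusted origin. The `isExternallyExposed` check is the kind of one-line test an operator can run against a service's effective configuration to confirm an admin interface is not reachable from the network by default.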
"Attacks on critical infrastructure go well beyond cyberspace — they have the potential to cause physical damage and harm. And the threats to these often delicate systems cannot be overstated," said Renaud Deraison, chief technology officer and co-founder, Tenable.
"Cooperation and collaboration between researchers and vendors are of utmost importance when it comes to vulnerability disclosures. Tenable Research is committed to working with willing vendors, like Siemens, to protect organisations everywhere from new and emerging threats."
Siemens has released a patch for this vulnerability, and operators have been urged to check that their systems have been updated to this latest version.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that Industrial Control Systems (ICS) or the environments in which they operate are highly critical and bear a high risk.
"This is why it's good to hear that Siemens has made a patch available for its customers. However, being on critical systems, applying patches isn't always easy or straightforward. It is, therefore, important that multiple layers of defence are put in place to try and minimise the likelihood of this or any other vulnerability in ICS being exploited," he said.