Authentication bypass, XSS & code execution in Siemens SICAM RTUs SM-2556 COM Modules

Project Description

The Siemens SICAM RTUs SM-2556 COM Modules (firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00) are affected by an authentication bypass vulnerability as the authentication checks are only performed client-side (JavaScript). Furthermore, the device is affected by cross site scripting vulnerabilities and outdated webserver software which allows code execution.


Vendor description

“Siemens is a global powerhouse focusing on the areas of electrification, automation and digitalization. One of the world’s largest producers of energy-efficient, resource-saving technologies, Siemens is a leading supplier of systems for power generation and transmission as well as medical diagnosis.”

Source: https://www.siemens.com/global/en/home/company/about.html

Business recommendation

SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved. The device must not be accessible from untrusted networks.

Vulnerability overview/description

1) Authentication Bypass (client-side “authentication” enforcement)

The web interface (TCP port 80) suffers from an authentication bypass vulnerability that allows unauthenticated attackers to access arbitray functionality and information (i.e. password lists) available through the webserver.

2) Reflected Cross-Site Scripting

The web interface provides a “ping” functionality. This form is vulnerable to reflected cross-site-scripting because of missing input handling and output encoding.

3) Outdated Webserver (GoAhead)

The used webserver version contains known weaknesses.

Proof of concept

1) Authentication Bypass

Use a browser which has JavaScript disabled (“Authentication” checks are performed client-side) and open legitimate URLs directly.

Examples:
http://<hostname>/start.asp
http://<hostname>/pwliste.asp
http://<hostname>/goform/webforms_readmem?start_addr=0&length=100

2) Reflected Cross-Site Scripting

All parameters in “webforms_ping” are vulnerable to reflected XSS:
http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1

3) Outdated Webserver

The used version of “GoAhead” webserver is 2.1.7 (released in Oct. 2003). This version has known vulnerabilities:

http://aluigi.altervista.org/adv/goahead-adv3.txt
https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp

Vulnerable / tested versions

SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00
(FW 1549 Revision 07)

Vendor contact timeline

2017-09-25: Encrypted advisory sent to Siemens ProductCERT
2017-10-02: Requesting status update.
2017-10-09: Vendor states that the “affected device is out of service” and provides workaround (disable webserver). They are “still assessing the next steps”.
2017-11-02: Requesting status update.
2017-11-06: Siemens ProductCERT will reach out to development team and keep us posted.
2017-11-08: Siemens ProductCERT prepares advisory.
2017-11-08: Asking about planned release date.
2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14)
2017-11-14: Coordinated public release.

Solution

No firmware update is available as the device is no longer supported by the vendor.

Workaround

According to the vendor the webserver can be disabled to mitigate all the vulnerabilities documented in this advisory. The webserver is optional and only used for commissioning and debugging purposes.

The vendor published the following document for further information:

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-164516.pdf

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF SEC Consult Vulnerability Lab / @2017

Project Details

  • TitleAuthentication bypass, cross-site scripting & code execution
  • ProductSiemens SICAM RTUs SM-2556 COM Modules
  • Vulnerable versionFW 1549 Revision 07
  • Fixed versionnone, see Workaround section
  • CVE numberCVE-2017-12737 (authentication bypass), CVE-2017-12738 (XSS), CVE-2017-12739 (web server)
  • ImpactCritical
  • Homepagewww.siemens.com
  • Found2017-08-17
  • BySEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Privacy Statement. Legal Notice

Back