Security Advisory Report

Discussion about security topics in WinCC OA!
leoknipp
Posts: 2031
Joined: Tue Aug 24, 2010 5:28 pm

Security Advisory Report

Post by leoknipp » Mon Feb 10, 2014 8:20 am

Dear customer,

As you may already know Siemens launched an advisory report for detected vulnerabilities in WinCC OA.
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-342587.pdf

ETM fixed these issues in the current WinCC OA version 3.12 with the newest patch Nr. 002 for this version.
We strongly recommend upgrading to this version.
If the recommended upgrade to this version is not possible, we would like to give you more details regarding those findings and how they can be handled in facilities with a WinCC OA version older than 3.12.


Vulnerability 1 (CVE-2014-1696)

Attackers might be able to break project users’ password hashes and escalate their privileges within the affected WinCC OA server application.
All sites using WinCC OA user administration in a version lower than 3.12 are affected by this vulnerability. Systems running with Windows User administration are not affected.
With WinCC OA version 3.11 SP1 ETM improved the crypt() function to incorporate random values into the generation of a password hash. This mechanism is also known as a salt (http://en.wikipedia.org/wiki/Salt_%28cryptography%29).

A site running with WinCC OA 3.11 SP1 can get the same protection as 3.12 by modifying the following panels and scripts from the WinCC OA default installation:
/panels/vision/changePassword.pnl
/panels/vision/password.pnl
/panels/vision/ud_users.pnl
/scripts/libs/ExcelReport.ctl
/scripts/libs/userMan.ctl

The necessary activity for those panels and scripts is a modification of the crypt() function call: the optional parameter for this version has to be set to the value 3; see the online help for further information. After this, a password change for every user is recommended to update the database with the new and strong password hashes.
ETM will issue a hotfix for 3.11 SP1 in the near future that will provide modified panels for systems based on 3.11 SP1.

Versions older than 3.11 SP1 cannot be improved, since the password algorithm differs. In this case it is important that access to the communication lines of WinCC OA is limited by other protection measures. In general ETM recommends following the suggestions from our security concept to design a well-secured environment which makes it hard for a hacker to get access to the passwords:
https://portal.etm.at/index.php?option=com_phocadownload&view=category&download=581:wincc_oa-security-concept&id=52:security&Itemid=81


Vulnerability 2 (CVE-2014-1697)

The integrated web server at port 4999/tcp might allow attackers to perform remote code execution by sending specially crafted packets over the network without authentication.
With special knowledge of HTTP messages it was possible to crash the WinCC OA process monitor via the built-in web server. With patch 002 for WinCC OA version 3.12 ETM implemented a sanitizing check for those input parameters.
In general every site can avoid that scenario by following the recommendations from our security concept. In this case it is possible to configure a secure system by black- and whitelisting of IP addresses. It is possible to define this in the system, on the network, and by modifying the config files of WinCC OA using the ip_allow and ip_deny entries. In the case of the WinCC OA process monitor it is recommended to limit access to the local machine.
If the project is using the built-in HTTP server option, the same vulnerability exists for the HTTP server and similar measures are necessary to overcome this issue.


Vulnerability 3 (CVE-2014-1698)

The integrated web server at port 4999/tcp might allow attackers to traverse through the file system of the server based on the application’s Windows user permissions by sending specially crafted packets over the network without authentication.
With this vulnerability the attacker could get access to some usually hidden files in the system by path traversal of the web server of our process monitor. The system can be configured securely by black- and whitelisting of IP addresses as mentioned for vulnerability 2. Especially the access to the process monitor should be limited to the local machine to reduce the risk of being attacked via this vulnerability.
If the project is using the built-in HTTP server option, the same vulnerability exists for the HTTP server and similar measures are necessary to overcome this issue.


Vulnerability 4 (CVE-2014-1699)

Malformed HTTP requests sent over the network without authentication to the web server’s port 4999/tcp might lead to a Denial of Service of the SIMATIC WinCC OA monitoring service. Restarting the WinCC OA Console recovers the monitoring service.
The same suggestions from vulnerabilities 2 and 3 are also effective for this one. ETM fixed this threat in detail for the current version 3.12, but a good and secure system based on older versions can be configured by following the suggestions from our security concept. Especially in this case ETM recommends limiting access to the process monitor to the local machine (by black- and whitelisting of IP addresses as mentioned for vulnerability 2) to reduce the overall risk for the system.
If the project is using the built-in HTTP server option, the same vulnerability exists for the HTTP server and similar measures are necessary to overcome


Best Regards
Leopold Knipp
Senior Support Specialist


Re: Security Advisory Report

Post by leoknipp » Mon Feb 10, 2014 4:29 pm

Hello,

the summary patch P002 (mentioned in the first posting) has been superseded by the newer summary patch P003 for 3.12.
Please install the newest available summary patch to include the changes in your project.

Best Regards
Leopold Knipp
Senior Support Specialist


Re: Security Advisory Report

Post by leoknipp » Fri Feb 28, 2014 3:17 pm

Hello,

right now new patches have been released for older versions to fix the security vulnerabilities.
In detail the following summary patches are available:
PVSS 3.9+SP1 - P032
PVSS 3.10+SP2 - P031
PVSS 3.11+SP1 - P034

The summary patches are replaced when newer ones become available. Therefore the listed patches will no longer be available in the future once they have been replaced. To get the changes you then have to use the newest summary patch.


Due to the mentioned security vulnerabilities the default settings for the process monitor (PVSS00pmon/WCCILpmon) have been changed to limit the access (HTTP, TCP) only to the local machine. Up to now it was possible to get access to the pmon from any computer.

The new default behaviour for the pmon is to listen only to localhost. To re-enable the access from any computer, you need to set the following config entry:

[pmon]
localAddress = ""


If access from any computer is enabled you are still able to limit the access on IP basis with the config entries ip_allow and ip_deny, see enclosed example:

# allow access for the local computer and the IP-address 192.167.153.122
[pmon]
# deny access for everyone
ip_deny = "*"

# allow access for the local computer
ip_allow = "127.0.0.1"
ip_allow = "::ffff:127.0.0.1"
ip_allow = "::1"

# allow access for a specific IP-address
ip_allow = "192.167.153.122"

Best Regards
Leopold Knipp
Senior Support Specialist
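As an added illustration of how the ip_allow / ip_deny example above fits together, the following Python script (not ETM's code, and not the way WinCC OA itself evaluates these entries) parses that [pmon] section and checks a source address against it. It assumes that an explicit ip_allow entry overrides the ip_deny wildcard, which is the deny-all plus allow-list pattern the example relies on.

```python
import ipaddress

# Constructed input: the [pmon] section from the forum example above (embedded so this runs offline).
PMON_CONFIG = """
[pmon]
# deny access for everyone
ip_deny = "*"
# allow access for the local computer
ip_allow = "127.0.0.1"
ip_allow = "::ffff:127.0.0.1"
ip_allow = "::1"
# allow access for a specific IP-address
ip_allow = "192.167.153.122"
"""

def parse_pmon_acl(text):
    """Collect all ip_allow / ip_deny values of the [pmon] section (both keys may repeat)."""
    allow, deny, in_pmon = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # section header
            in_pmon = line == "[pmon]"
            continue
        if not in_pmon or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key == "ip_allow":
            allow.append(value)
        elif key == "ip_deny":
            deny.append(value)
    return allow, deny

def _matches(entry, addr):
    """'*' matches everything; otherwise compare parsed addresses (127.0.0.1 and ::ffff:127.0.0.1 are distinct)."""
    if entry == "*":
        return True
    try:
        return ipaddress.ip_address(entry) == addr
    except ValueError:  # entries that are not plain addresses never match here
        return False

def is_allowed(source_ip, allow, deny):
    """Assumed semantics: an explicit ip_allow entry overrides ip_deny (deny-all plus allow-list)."""
    addr = ipaddress.ip_address(source_ip)
    if any(_matches(e, addr) for e in allow):
        return True
    return not any(_matches(e, addr) for e in deny)
```

The three loopback entries matter because a client connecting over an IPv6 socket shows up as ::1 or as the mapped form ::ffff:127.0.0.1, neither of which equals 127.0.0.1.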


Re: Security Advisory Report

Post by leoknipp » Wed Mar 05, 2014 12:12 pm

Hello,

now also the summary patch for 3.12 - P004 was released.
This patch also contains the changes concerning the default settings for the process monitor, as described in the previous posting.

Best Regards
Leopold Knipp
Senior Support Specialist
