Siemens SIMATIC "WinCC" or Siemens "Step 7" software vulnerabilities
Number: AV10-023
Date: 27 July 2010
Purpose
The purpose of this advisory is to raise awareness of recently discovered malware targeting Siemens SIMATIC "WinCC" or Siemens "Step 7" control system software.
Assessment
Supervisory Control and Data Acquisition (SCADA) systems that use Siemens SIMATIC WinCC or Step 7 software are vulnerable to newly discovered malware. SIMATIC WinCC HMI is a scalable process-visualization system for monitoring automated processes. SIMATIC STEP 7 is engineering software used to program and configure SIMATIC programmable controllers. Both products are widely used in many critical infrastructure sectors.
Affected Systems:
All Siemens WinCC or Step7 systems currently residing on the following affected Windows Operating Systems:
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1 and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems
The vulnerability is associated with the use of a hard-coded password to protect the database used by these applications; that password has become publicly known. The vulnerability has been exploited in the wild using USB portable devices together with a recently announced zero-day vulnerability in the Windows operating system (MS Knowledge Base Article 2286198). The Windows vulnerability has been assigned the CVE identifier CVE-2010-2568.
Suggested action
Siemens has released a fix to address this specific issue, found in reference D below. CCIRC recommends that organizations liaise with the administrators/maintainers of affected assets and commence requisite remediation planning/implementation as soon as possible.
References:
A. http://www.microsoft.com/technet/security/advisory/2286198.mspx
B. http://www.tofinosecurity.com/professional/siemens-pcs7-wincc-malware
C. http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/#more-4045
D. http://support.automation.siemens.com/WW/llisapi.dll/csfetch/43876783/sysclean.zip?func=cslib.csFetch&deid=43932305
E. Checksum for the fix in reference D: http://support.automation.siemens.com/WW/llisapi.dll/csfetch/43876783/checksum_sysclean.txt?func=cslib.csFetch&nodeid=43931924
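Before deploying the Siemens fix from reference D, an administrator should confirm that the downloaded archive matches the checksum published at reference E. The script below is an added example and is not code from Siemens or CCIRC. It assumes the checksum file uses the common "digest  filename" layout (an assumption; the file's actual format is not reproduced here) and infers the hash algorithm from the digest length, so the same routine works whether the vendor published MD5, SHA-1, SHA-256 or SHA-512 values. The archive and checksum file used in demo() are constructed stand-ins.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> hashlib algorithm name. Lets a checksum file be matched
# without knowing in advance which algorithm the vendor used.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large archives need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse 'digest  filename' or 'digest *filename' lines (coreutils-style layout,
    assumed here). Returns {basename: (algo, lowercase_digest)}; lines that do not
    start with a hex digest of a recognised length are ignored."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([0-9A-Fa-f]+)\s+\*?(\S.*?)\s*$", line)
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_HEXLEN.get(len(digest))
        if algo:
            entries[os.path.basename(name)] = (algo, digest)
    return entries


def verify_download(archive_path, checksum_text):
    """Return (ok, algo, actual, expected).

    ok is False when the archive's filename is absent from the checksum file or
    the computed digest differs. The comparison is constant-time; a mismatch
    means the download must not be installed."""
    entries = parse_checksum_file(checksum_text)
    name = os.path.basename(archive_path)
    if name not in entries:
        return (False, None, None, None)
    algo, expected = entries[name]
    actual = file_digest(archive_path, algo)
    return (hmac.compare_digest(actual, expected), algo, actual, expected)


def demo():
    """Constructed scenario: a stand-in 'sysclean.zip', a checksum file generated
    for it, a tampered copy with the same name, and an unlisted file.
    Returns the ok flag for each of the three checks."""
    payload = b"PK\x03\x04 constructed stand-in for the vendor archive\n"
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "sysclean.zip")
        with open(good, "wb") as f:
            f.write(payload)
        # Checksum file as it would be downloaded from the vendor (constructed).
        checksum_text = f"{file_digest(good, 'sha256')}  sysclean.zip\n"

        tampered = os.path.join(d, "tampered", "sysclean.zip")
        os.makedirs(os.path.dirname(tampered))
        with open(tampered, "wb") as f:
            f.write(payload + b"X")  # one extra byte: digest no longer matches

        unlisted = os.path.join(d, "other.zip")
        open(unlisted, "wb").close()

        return (verify_download(good, checksum_text)[0],
                verify_download(tampered, checksum_text)[0],
                verify_download(unlisted, checksum_text)[0])


if __name__ == "__main__":
    ok_good, ok_tampered, ok_unlisted = demo()
    print("genuine archive verified:", ok_good)
    print("tampered archive verified:", ok_tampered)
    print("unlisted file verified:", ok_unlisted)
```

In practice, pass the path of the downloaded sysclean.zip and the text of checksum_sysclean.txt to verify_download(); only install when ok is True, and treat a False result or a missing entry as a reason to re-download from the vendor rather than proceed.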
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca