[Control Systems] Siemens SIMATIC, SIMOTION and SINUMERIK Vulnerabilities

Number: AV18-045
Date: 15 March 2018

Purpose

The purpose of this advisory is to bring attention to recently disclosed vulnerabilities in Siemens SIMATIC, SIMOTION and SINUMERIK products.

Assessment

Multiple vulnerabilities were identified in Siemens SIMATIC, SIMOTION and SINUMERIK products. Under certain conditions, exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code, elevate privileges, gain unauthenticated access to sensitive data, abuse cryptographic functions and cause a denial of service.

Affected Products

Siemens reports that the vulnerabilities affect the following Industrial PCs and their BIOS and Intel Management Engine (ME) firmware versions:
- SIMATIC Field-PG M3: ME prior to V6.2.61.3535,
- SIMATIC Field-PG M4: BIOS prior to V18.01.06,
- SIMATIC Field-PG M5: BIOS prior to V22.01.04,
- SIMATIC HMI IPC677C: ME prior to V6.2.61.3535,
- SIMATIC IPC427D: BIOS prior to V17.0?.10,
- SIMATIC IPC427E: BIOS prior to V21.01.07,
- SIMATIC IPC477D: BIOS prior to V17.0?.10,
- SIMATIC IPC477D PRO: BIOS prior to V17.0?.10,
- SIMATIC IPC477E: BIOS prior to V21.01.07,
- SIMATIC IPC547D: ME prior to V7.1.91.3272,
- SIMATIC IPC547E: ME prior to V9.1.41.3024,
- SIMATIC IPC547G: ME prior to V11.8.50.3425 and BIOS prior to R1.21.0,
- SIMATIC IPC627C: ME prior to V6.2.61.3535,
- SIMATIC IPC627D: ME prior to V9.1.41.3024,
- SIMATIC IPC647C: ME prior to V6.2.61.3535,
- SIMATIC IPC647D: ME prior to V9.1.41.3024,
- SIMATIC IPC677D: ME prior to V9.1.41.3024,
- SIMATIC IPC827C: ME prior to V6.2.61.3535,
- SIMATIC IPC827D: ME prior to V9.1.41.3024,
- SIMATIC IPC847C: ME prior to V6.2.61.3535,
- SIMATIC IPC847D: ME prior to V9.1.41.3024,
- SIMATIC ITP1000: BIOS prior to V23.01.03,
- SINUMERIK PCU50.5-C, WIN7: ME prior to V6.2.61.3535,
- SINUMERIK PCU50.5-C, WINXP: ME prior to V6.2.61.3535,
- SINUMERIK PCU50.5-P, WIN7: ME prior to V6.2.61.3535,
- SINUMERIK PCU50.5-P, WINXP: ME prior to V6.2.61.3535, and
- SIMOTION P320-4S: BIOS prior to S17.02.06.83.1

Siemens reports that the vulnerability affects the following versions of SIMATIC Industrial PCs using a version of Infineon’s Trusted Platform Module (TPM):
- SIMATIC Field-PG M5: all versions prior to v22.01.04,
- SIMATIC IPC227E: all versions prior to v20.01.10,
- SIMATIC IPC277E: all versions prior to v20.01.10,
- SIMATIC IPC427E: all versions prior to v21.01.07,
- SIMATIC IPC477E: all versions prior to v21.01.07,
- SIMATIC IPC547G: all versions, and
- SIMATIC ITP1000: all versions prior to v23.01.03

Siemens reports that the vulnerabilities affect the following versions of SIMATIC WinCC Add-On:
- SIMATIC WinCC Add-On Historian CONNECT ALARM: all versions prior to and including v5.x,
- SIMATIC WinCC Add-On PI CONNECT ALARM: all versions prior to and including v2.x,
- SIMATIC WinCC Add-On PI CONNECT AUDIT TRAIL: all versions prior to and including v1.x,
- SIMATIC WinCC Add-On PM-AGENT: all versions prior to and including v5.x,
- SIMATIC WinCC Add-On PM-ANALYZE: all versions prior to and including v7.x,
- SIMATIC WinCC Add-On PM-CONTROL: all versions prior to and including v10.x,
- SIMATIC WinCC Add-On PM-MAINT: all versions prior to and including v9.x,
- SIMATIC WinCC Add-On PM-OPEN EXPORT: all versions prior to and including v7.x,
- SIMATIC WinCC Add-On PM-OPEN HOST-S: all versions prior to and including v7.x,
- SIMATIC WinCC Add-On PM-OPEN IMPORT: all versions prior to and including v6.x,
- SIMATIC WinCC Add-On PM-OPEN PI: all versions prior to and including v7.x,
- SIMATIC WinCC Add-On PM-OPEN PV02: all versions prior to and including v1.x,
- SIMATIC WinCC Add-On PM-OPEN TCP/IP: all versions prior to and including v8.x,
- SIMATIC WinCC Add-On PM-QUALITY: all versions prior to and including v9.x,
- SIMATIC WinCC Add-On SICEMENT IT MIS: all versions prior to and including v7.x, and
- SIMATIC WinCC Add-On SIPAPER IT MIS: all versions prior to and including v7.x

Siemens reports that the vulnerability affects the following industrial products:
- SIMATIC S7-200 Smart: All versions prior to V2.03.01,
- SIMATIC S7-400 PN V6: All versions prior to V6.0.6,
- SIMATIC S7-400 H V6: All versions prior to V6.0.8,
- SIMATIC S7-400 PN/DP V7: All versions prior to V7.0.2,
- SIMATIC S7-410 V8: All versions,
- SIMATIC S7-300: All versions,
- SIMATIC S7-1200: All versions,
- SIMATIC S7-1500: All versions prior to V2.0,
- SIMATIC S7-1500 Software Controller: All versions prior to V2.0,
- SIMATIC WinAC RTX 2010 incl. F: All versions,
- SIMATIC ET 200 Interface modules for PROFINET IO:
  - SIMATIC ET 200AL: All versions,
  - SIMATIC ET 200ecoPN: All versions,
  - SIMATIC ET 200M: All versions,
  - SIMATIC ET 200MP IM155-5 PN BA: All versions prior to V4.0.2,
  - SIMATIC ET 200MP IM155-5 PN ST: All versions prior to V4.1,
  - SIMATIC ET 200MP (except IM155-5 PN BA and IM155-5 PN ST): All versions,
  - SIMATIC ET 200pro: All versions,
  - SIMATIC ET 200S: All versions,
  - SIMATIC ET 200SP: All versions,
- Development/Evaluation Kits for PROFINET IO:
  - DK Standard Ethernet Controller: All versions prior to V4.1.1 Patch 05,
  - EK-ERTEC 200P: All versions prior to V4.5,
  - EK-ERTEC 200 PN IO: All versions prior to V4.5,
- SIMOTION Firmware:
  - SIMOTION D: All versions prior to V5.1 HF1,
  - SIMOTION C: All versions prior to V5.1 HF1,
  - SIMOTION P V4.4 and V4.5: All versions prior to V4.5 HF5,
  - SIMOTION P V5: All versions prior to V5.1 HF1,
- SINAMICS:
  - SINAMICS DCM: All versions,
  - SINAMICS DCP: All versions,
  - SINAMICS G110M / G120(C/P/D) w. PN: All versions prior to V4.7 SP9 HF1,
  - SINAMICS G130 and G150 w. PN: All versions,
  - SINAMICS S110 w. PN: All versions prior to V4.4 SP3 HF6,
  - SINAMICS S120 w. PN: All versions prior to V4.8 HF5,
  - SINAMICS S150 w. PN:
    - V4.7: All versions,
    - V4.8: All versions,
- SINAMICS V90 w. PN: All versions prior to V1.02,
- SINUMERIK 840D sl: All versions,
- SIMATIC Compact Field Unit: All versions,
- SIMATIC PN/PN Coupler: All versions,
- SIMOCODE pro V PROFINET: All versions, and
- SIRIUS Soft starter 3RW44 PN: All versions.

CVE References: CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5708, CVE-2017-5709, CVE-2017-5710, CVE-2017-5711, CVE-2017-5712, CVE-2017-15361, CVE-2017-12741

Suggested Action

CCIRC recommends that organizations review the mitigation information referenced below and consider implementing it in the context of their own network environment.

Please also reference the mitigation advice specific to your product and situation.

References:

https://ics-cert.us-cert.gov/advisories/ICSA-18-060-01
https://ics-cert.us-cert.gov/advisories/ICSA-18-058-01
https://ics-cert.us-cert.gov/advisories/ICSA-18-018-01A
https://ics-cert.us-cert.gov/advisories/ICSA-17-339-01D
https://www.siemens.com/global/en/home/products/services/cert.html

CCIRC Industrial Control System (ICS) Cyber Security: Recommended Best Practices
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2012/tr12-002-eng.aspx

Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
