English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsSA50568

Siemens SIMATIC WinCC Multiple Vulnerabilities


Secunia ID

SA50568
CVE-ID

CVE-2012-3030, CVE-2012-3031, CVE-2012-3032, CVE-2012-3034
Release Date

11 Sep 2012
Last Change

15 Oct 2012
Criticality

Moderately Critical
Solution Status

Vendor Patch
Software

Siemens SIMATIC PCS 7 7.x
Siemens SIMATIC WinCC 7.x
Where

From remote
Impact
Cross-Site Scripting

Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system.

Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery".

Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.

The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.
Description

Positive Research has reported multiple vulnerabilities in Siemens SIMATIC WinCC, which can be exploited by malicious people to conduct cross-site scripting attacks, conduct SQL injection attacks, and disclose certain sensitive information.

1) Certain unspecified input passed to the WebNavigator component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Certain input passed to the WebNavigator component is not properly verified before being used to read files. This can be exploited to read arbitrary files via directory traversal sequences.

3) Certain input passed via SOAP messages to the WebNavigator component is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

4) An error within the ActiveX control can be exploited to disclose the username and password of an authenticated user.

The vulnerabilities are reported in versions 7.0 SP3 and prior.
Solution

Apply Update 3.
http://support.automation.siemens.com/WW/view/en/63472422
Reported by

Denis Baranov, Sergey Bobrov, Artem Chaykin, Vladimir Kochetkov, Pavel Toporkov, and Timur Yunusov, Positive Research.
Original Advisory

Siemens:
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-864051.pdf

Positive Research:
http://en.securitylab.ru/lab/PT-2012-42
http://en.securitylab.ru/lab/PT-2012-43
http://en.securitylab.ru/lab/PT-2012-44
http://en.securitylab.ru/lab/PT-2012-45

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search