Critical Siemens Industrial Control System Flaws Spotted

The US government has issued a security alert covering several major vulnerabilities in industrial control system (ICS) networking equipment produced by Siemens.

The Department of Homeland Security’s ICS-CERT noted in an advisory that three flaws exist in the firmware of the Ruggedcom WIN product line, ruggedized base stations and subscriber units used to build private wide area wireless networks.

CVE-2015-1448 has a CVSS base score of 10.0 and could allow an unauthenticated attacker to perform “administrative operations over the network”.

CVE-2015-1449 also has a CVSS base score of 10.0 and is a buffer overflow in the device’s integrated web server that could allow remote code execution.

CVE-2015-1357 is the least critical (CVSS 2.6): sensitive information such as password hashes is stored insecurely, giving an attacker an easy way to recover it from local files or security logs.

None of the flaws is known to have been exploited publicly as yet, but according to ICS-CERT they are remotely exploitable by an attacker with “low skill”.

It added:

“Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”

The vulnerabilities affect the following Siemens Ruggedcom WIN firmware versions: WIN51xx and WIN52xx, all versions prior to SS4.4.4624.35; WIN70xx and WIN72xx, all versions prior to BS4.4.4621.32.

Affected organizations are advised to apply the firmware update released by Siemens as soon as possible.

ICS-CERT also reiterated its standard advice to ICS administrators for minimizing exposure: ensure control system devices are not reachable from the internet, and place control system networks and remote devices behind a firewall.

Ruggedcom WIN is not the only Siemens product affected by newly reported vulnerabilities.

ICS-CERT warned in a separate advisory that all versions of the German giant’s SCALANCE X-200IRT switch family prior to v5.2.0 are affected by an “improper authentication” flaw.

The remotely exploitable vulnerability was described as follows:

“The device’s web server could allow unauthenticated attackers to impersonate legitimate users of the web interface (Port 80/TCP and Port 443/TCP) if an active web session of an authenticated user exists at the time of attack.”
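The practical follow-up to both advisories is working out which devices in an estate are still on pre-fix firmware. The script below is an added example, not Siemens or ICS-CERT tooling: it encodes the fixed-in versions quoted above for the four Ruggedcom WIN families and for SCALANCE X-200IRT, parses firmware strings of the form SS4.4.4624.35 / BS4.4.4621.32 / v5.2.0 into a comparable form, and triages a small constructed inventory. The inventory rows, the column names (hostname, family, firmware) and the hostnames are assumptions; the version thresholds come from the article text.

```python
"""Triage an ICS asset inventory against the firmware thresholds in the two
ICS-CERT advisories described above.

Added example: not Siemens or ICS-CERT code.  The inventory below and its
column layout are constructed for illustration.
"""
import csv
import io
import re

# Fixed-in versions as quoted in the advisories.  A device is affected when its
# firmware is *older* than the version listed for its product family.
FIXED_VERSIONS = {
    "WIN51xx": "SS4.4.4624.35",
    "WIN52xx": "SS4.4.4624.35",
    "WIN70xx": "BS4.4.4621.32",
    "WIN72xx": "BS4.4.4621.32",
    "SCALANCE X-200IRT": "v5.2.0",
}

# Letter prefix (SS, BS, v, ...) followed by dotted integers.
_VERSION_RE = re.compile(r"^([A-Za-z]*)(\d+(?:\.\d+)*)$")


def parse_version(version):
    """Split 'SS4.4.4624.35' into ('SS', (4, 4, 4624, 35)).

    The numeric part becomes a tuple so that Python's tuple ordering gives a
    correct comparison (4624 < 4700, not a string compare).  Only versions with
    the same letter prefix are treated as comparable.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    prefix, numbers = m.group(1), m.group(2)
    return prefix.upper(), tuple(int(n) for n in numbers.split("."))


def is_affected(family, version):
    """Return True if `version` predates the fix for `family`, False if it is at
    or above the fixed version, and None when the row needs manual review
    (family not in the advisories, unparsable version, or prefix mismatch)."""
    fixed = FIXED_VERSIONS.get(family)
    if fixed is None:
        return None
    fixed_prefix, fixed_nums = parse_version(fixed)
    try:
        dev_prefix, dev_nums = parse_version(version)
    except ValueError:
        return None
    if dev_prefix != fixed_prefix:
        # e.g. a WIN51xx reporting a BS* build: do not guess, flag it.
        return None
    return dev_nums < fixed_nums


# Constructed inventory export (hostname, advisory family, reported firmware).
INVENTORY_CSV = """\
hostname,family,firmware
bs-north-01,WIN70xx,BS4.4.4621.30
bs-north-02,WIN70xx,BS4.4.4621.32
su-pump-07,WIN51xx,SS4.4.4624.35
su-pump-08,WIN52xx,SS4.4.4600.10
ring-sw-03,SCALANCE X-200IRT,v5.1.2
ring-sw-04,SCALANCE X-200IRT,v5.2.0
su-legacy-01,WIN51xx,BS4.4.4621.32
"""


def triage(csv_text):
    """Bucket every inventory row as 'affected', 'patched' or 'review'."""
    result = {"affected": [], "patched": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = is_affected(row["family"], row["firmware"])
        bucket = {True: "affected", False: "patched", None: "review"}[verdict]
        result[bucket].append(row["hostname"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY_CSV).items():
        print(f"{bucket:9s}: {', '.join(hosts) or '-'}")
```

Rows that land in the review bucket are the ones worth a second look: a prefix mismatch usually means the inventory's family column is wrong, which is exactly the kind of error that leaves an unpatched base station off the remediation list.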
