Siemens Patches Critical ICS Flaws

Industrial Control System (ICS) manufacturer Siemens has released patches for two critical vulnerabilities in its SCADA systems that it believes are probably being exploited in the wild by attackers.

An alert from the ICS-CERT this week revealed that the problems affect products using the Siemens WinCC application.

One of the flaws allows for unauthenticated remote code execution, meaning an attacker could take control of affected systems with little skill required. ICS-CERT claimed that exploits targeting them are “potentially available.”

“Indicators exist that this vulnerability may have been exploited during a recent campaign,” it said.

The advisory continued:

“Siemens has produced a patch that mitigates this vulnerability in the WinCC application and is working on updates for the remaining affected products to address the other vulnerability in the WinCC application…

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”

The remote code execution vulnerability, CVE-2014-8551, has been given a CVSS score of 10.

The other, CVE-2014-8552, could also be remotely exploitable, but has been given a CVSS score of 7.8.

“A component within WinCC could allow unauthenticated users to extract arbitrary files from the WinCC server if specially crafted packets are sent to the server,” the advisory explained.

The vulnerabilities disclosed this week affect Siemens’ SIMATIC WinCC SCADA system and the related PCS7 distributed control system (DCS) and TIA Portal.

Siemens is one of the world’s largest producers of industrial control systems and has been a target for cyber-criminals many times before.

Last month ICS-CERT revealed details of a three-year BlackEnergy malware campaign targeting, among other products, Siemens’ WinCC.

The firm’s industrial control systems were also found to be affected by the notorious Heartbleed flaw discovered earlier this year.
