Siemens Identifies Vulnerabilities in Scalance Direct Access Points and Sinamics Perfect Harmony Drives

Siemens has discovered several vulnerabilities in the Scalance W1750D direct access point. Several of the vulnerabilities are of high-severity, and one is rated as ‘critical’. The vulnerabilities can be exploited remotely and hackers can exploit them with even low skill levels.

A hacker could utilise the flaws to gain access to the W1750D device and execute arbitrary code within its underlying operating system. As a result, the hacker could gain access to sensitive information, perform administrative actions on the device, and expose session cookies for an administrative session.

The vulnerabilities are present in all versions prior to 8.4.0.1

CVE-2018-7084 is a critical command injection vulnerability in the web interface that could allow arbitrary system commands to be performed within the underlying operating system. If exploited, files could be copied, the configuration could be read, the device could be rebooted, and files could be written or deleted.  The vulnerability has been assigned a CVSSv3 base score of 9.8 out of 10.

CVE-2019-7083 is a high-severity information exposure vulnerability that could allow an attacker to access core dumps of previously crashed processes via the web interface of the device. The vulnerability has been assigned a CVSSv3 base score of 7.5 out of 10.

CVE-2019-16417 is a high-severity information exposure vulnerability that could allow an attacker to access recently cached configuration commands by sending a specially crafted URL to the web interface. The vulnerability has been assigned a CVSSv3 base score of 7.5 out of 10.

CVE-2019-7082 is a high-severity command injection vulnerability that could allow an authenticated administrative user to execute arbitrary commands on the underlying operating system. The vulnerability has been assigned a CVSSv3 base score of 7.2 out of 10.

CVE-2019-7064 is a medium-severity cross-site scripting vulnerability that could allow an attacker to perform administrative actions on a vulnerable device or expose admin session cookies by tricking an administrator into clicking a malicious hyperlink. The vulnerability has been assigned a CVSSv3 base score of 6.4 out of 10.

Siemens addressed all vulnerabilities in its version 8.4.0.1. All users are strongly advised to upgrade the operating system as soon as possible to correct the flaws.

If the update cannot be applied, the following workarounds will reduce the risk of the vulnerabilities being exploited:

  • Restrict access to the web-based management interface to the internal or VPN network.
  • Do not browse other websites and do not click on external links while being authenticated to the administrative web interface.
  • Apply appropriate strategies for mitigation.

Siemens Sinamics Perfect Harmony GH180 Fieldbus Network Vulnerability

Siemens has identified a high-severity vulnerability in its Sinamics Perfect Harmony GH180 Fieldbus Network.  The flaw is remotely exploitable, requires a low level of skill to exploit, and requires no privileges or user interaction.

The flaw is present in the follow medium voltage converters

  • Siemens Sinamics Perfect Harmony GH180 with NXG I control and GH180 with NXG II control: MLFBs: 6SR2. . . -, 6SR3. . . -, 6SR4. . . -: The flaw affects all versions with option G21, G22, G23, G26, G28, G31, G32, G38, G43 or G46

The flaw concerns improper input validation and could be exploited to trigger a denial-of-service condition by sending specially crafted packets to the device, causing the device to restart, which would compromise the availability of the affected system. Network access to the device would be required to exploit the vulnerability.

The vulnerability – CVE-2019-6574 – has been assigned a CVSSv3 base score of 7.5 out of 10.

To correct the flaw, users should upgrade to NXGpro control. If the upgrade is not possible, the following workaround has been suggested:

  • Disable the fieldbus parameter read/write functionality
  • Apply cell protection concept and implement defense in depth

Siemens Sinamics Perfect Harmony GH180 Drives NXG I and NXG II Vulnerability

A high-severity vulnerability has been identified in Siemens Sinamics Perfect Harmony GH180 Drives (NXG I and NXG II). The flaw is remotely exploitable, requires a low level of skill to exploit, and requires no privileges or user interaction.

If exploited, an individual with access to the Ethernet Modbus Interface could trigger a denial-of-service condition exceeding the number of available connections and compromise the availability of the affected system.

The vulnerability is present in all versions of GH180 with NXG I control and CH180 with NXG II control (MLFBs: 6SR2. . . -, 6SR3. . . -, 6SR4. . . -)

The vulnerability – CVE-2019-6578 – has been assigned a CVSSv3 base score of 7.5 out of 10.

To correct the flaw, users should upgrade to NXGpro control. If the upgrade is not possible, the following workaround has been suggested:

  • Install a protocol bridge that isolates the networks and eliminates direct connections to the Ethernet Modbus Interface.
  • Apply cell protection concept and implement defense in depth.