CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile: 93.7%
ICS-CERT originally released Advisory ICSA-11-343-01P on the US-CERT secure portal on December 09, 2011. This web page release was delayed to allow users time to download and install the update.
Researcher Kuang-Chun Hung of Taiwan’s Information and Communication Security Technology Center (ICST) has identified two vulnerabilities affecting ActiveX components in the Siemens Tecnomatix FactoryLink application. The report included buffer overflow and data corruption vulnerabilities (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4055).
ICS-CERT has coordinated with Siemens; Siemens has released a patch that addresses the identified vulnerabilities. ICS-CERT has confirmed that the Siemens patch resolves the reported vulnerabilities.
The following Siemens Tecnomatix FactoryLink versions are affected:
Successful exploitation of the reported vulnerabilities could allow an attacker to perform malicious activities including denial of service and arbitrary code execution.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Siemens Tecnomatix FactoryLink software is used for monitoring and controlling industrial processes. FactoryLink is used to build applications such as human-machine interface systems.
FactoryLink is implemented across a variety of industrial processes including oil and gas, chemicals, food and beverage, and building automation.
Siemens has announced that FactoryLink is now considered a mature product and that it will not offer FactoryLink after December 2012. [Important Information for Siemens FactoryLink Customers. (July 2007) Retrieved November 21, 2011, from FactoryLink Supervisory Control and Data Acquisition: Siemens PLM Software: http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml, website last accessed January 04, 2012.]
This vulnerability is exploited by inputting a long string to a specific parameter causing a buffer overflow that could allow the execution of arbitrary code.
CVE-2011-4055 has been assigned to this vulnerability. Siemens’ assessment of the vulnerability using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 7.7.
This vulnerability is remotely exploitable. Social engineering is required to convince the user to go to a manipulated website. This decreases the likelihood of a successful exploit.
No publicly known exploits specifically target this vulnerability.
An attacker with moderate skill level could exploit this vulnerability. Social engineering is required to convince the user to go to a manipulated website. This decreases the likelihood of a successful exploit.
This vulnerability is exploited by inputting arbitrary data, causing a file save to any specified location on the target system.
CVE-2011-4056 has been assigned to this vulnerability. Siemens’ assessment of the vulnerability using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 7.7.
This vulnerability is remotely exploitable. Social engineering may be required to execute a remote exploit via a manipulated file or web page.
No publicly known exploits specifically target this vulnerability.
An attacker with moderate skill level could exploit the vulnerabilities.
Siemens has released a patch to its customers to address these vulnerabilities. Customers of vulnerable versions of Siemens Tecnomatix FactoryLink should deploy the Siemens patch available at: http://www.usdata.com/sea/factorylink/en/p_nav5.asp
For more information, please see Siemens’ Security Advisory announcement.
In addition to the patch released by Siemens, Microsoft has released a kill bit to address the ActiveX vulnerabilities. Customers of vulnerable versions of Siemens Tecnomatix FactoryLink should install the Microsoft update referenced in the Microsoft Security Advisory 2562937.
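One way to confirm the kill bit actually landed on a host, added here as an example and not taken from the advisory or from Siemens or Microsoft: audit a `reg export` of the Internet Explorer "ActiveX Compatibility" key offline. The CLSIDs and the export text are constructed placeholders (the page does not list the affected CLSIDs); the registry path and the 0x400 flag are Microsoft's documented kill-bit mechanism, and the function names are hypothetical.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit: IE refuses to instantiate the control
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.IGNORECASE)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.IGNORECASE)

def parse_flags(reg_text):
    """Map (view, CLSID) -> Compatibility Flags for each entry in a decoded .reg export."""
    flags, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            key = KEY_RE.match(line)
            current = ("32-bit" if key.group(1) else "native",
                       key.group(2).upper()) if key else None
        elif current and (m := FLAG_RE.match(line)):
            flags[current] = int(m.group(1), 16)
    return flags

def audit(reg_text, clsids, views=("native", "32-bit")):
    """List (view, clsid, reason) for every control a browser could still load.
    Pass views=("native",) for a 32-bit Windows host, which has no Wow6432Node."""
    flags, findings = parse_flags(reg_text), []
    for clsid in clsids:
        for view in views:
            value = flags.get((view, clsid.upper()))
            if value is None:
                findings.append((view, clsid, "Compatibility Flags not set"))
            elif not value & KILL_BIT:
                findings.append((view, clsid, "flags 0x%08X lack kill bit" % value))
    return findings

# Placeholder CLSIDs (constructed); take the real ones from the vendor advisories.
CLSIDS = ["{00000000-0000-0000-0000-0000000000A1}", "{00000000-0000-0000-0000-0000000000A2}"]
# Constructed export text (decode the file first; .reg exports are usually UTF-16).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A2}]
"Compatibility Flags"=dword:00000020
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, CLSIDS):
        print(*finding)
```

On 64-bit Windows the 32-bit browser reads the Wow6432Node view, so a control with the kill bit set only in the native view is still reported.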
ICS-CERT encourages asset owners to take the following additional defensive measures to protect against this and other cybersecurity risks.
The Control Systems Security Program (CSSP) also provides a section for control system security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including _Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies_.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
nvd.nist.gov/cvss.cfm
technet.microsoft.com/en-us/security/advisory/2562937
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4055
www.siemens.com/corporate-technology/pool/de/forschungsfelder/Siemens_Security_Advisory_SSA-850510.pdf