Siemens SICAM RTUs SM-2556 COM modules (firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00) suffer from authentication bypass, code execution, and cross site scripting vulnerabilities.
=======================================================================
title: Authentication bypass, cross-site scripting & code
execution
product: Siemens SICAM RTUs SM-2556 COM Modules
(firmware variants ENOS00, ERAC00, ETA2, ETLS00,
MODi00 and DNPi00
vulnerable version: FW 1549 Revision 07
fixed version: none, see Workaround section below
CVE number: CVE-2017-12737 (authentication bypass)
CVE-2017-12738 (XSS)
CVE-2017-12739 (web server)
impact: critical
homepage: www.siemens.com
found: 2017-08-17
by: SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Siemens is a global powerhouse focusing on the areas of electrification,
automation and digitalization. One of the world's largest producers of
energy-efficient, resource-saving technologies, Siemens is a leading supplier
of systems for power generation and transmission as well as medical diagnosis."
Source: https://www.siemens.com/global/en/home/company/about.html
Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved. The device must not be accessible from
untrusted networks.
Vulnerability overview/description:
-----------------------------------
1) Authentication Bypass (client-side "authentication" enforcement)
The web interface (TCP port 80) suffers from an authentication bypass
vulnerability that allows unauthenticated attackers to access arbitray
functionality and information (i.e. password lists) available through
the webserver.
2) Reflected Cross-Site Scripting
The web interface provides a "ping" functionality. This form is
vulnerable to reflected cross-site-scripting because of missing input
handling and output encoding.
3) Outdated Webserver (GoAhead)
The used webserver version contains known weaknesses.
Proof of concept:
-----------------
1) Authentication Bypass
Use a browser which has JavaScript disabled ("Authentication" checks are
performed client-side) and open legitimate URLs directly.
Examples:
http://<hostname>/start.asp
http://<hostname>/pwliste.asp
http://<hostname>/goform/webforms_readmem?start_addr=0&length=100
2) Reflected Cross-Site Scripting
All parameters in "webforms_ping" are vulnerable to reflected XSS:
http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1
3) Outdated Webserver
The used version of "GoAhead" webserver is 2.1.7 (released in Oct. 2003)
This version has known vulnerabilities:
http://aluigi.altervista.org/adv/goahead-adv3.txt
https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp
Vulnerable / tested versions:
-----------------------------
SM-2556 COM Modules with the firmware variants ENOS00, ERAC00,
ETA2, ETLS00, MODi00 and DNPi00
(FW 1549 Revision 07)
Vendor contact timeline:
------------------------
2017-09-25: Encrypted advisory sent to Siemens ProductCERT
2017-10-02: Requesting status update.
2017-10-09: Vendor states that the "affected device is out of service"
and provides workaround (disable webserver). They are
"still assessing the next steps".
2017-11-02: Requesting status update.
2017-11-06: Siemens ProductCERT will reach out to development team and keep us
posted.
2017-11-08: Siemens ProductCERT prepares advisory.
2017-11-08: Asking about planned release date.
2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14)
2017-11-14: Coordinated public release.
Solution:
---------
No firmware update is available as the device is no longer supported by
the vendor.
# 0day.today [2018-02-16] #