Siemens Patches Vulnerabilities in Network Management System
15 Flaws Can Be Exploited for DoS and RCE Attacks, Credential Leaks
Manufacturing giant Siemens is warning its industrial hardware networking system users about multiple vulnerabilities including a bug that could allow a remote attacker to disrupt production.
Users of SINEC NMS should update to version V1.0 SP2 or newer to prevent exploitation of 15 vulnerabilities, Siemens says. Alternatively, customers can restrict access to affected systems to trusted IP addresses only. The most dangerous vulnerabilities require the attacker to already be authenticated on the system.
Network management systems hold "powerful positions" on an OT network, allowing administrators to discover assets, understand their connections and dependencies and manage them, says Noam Moshe, a vulnerability researcher with industrial cybersecurity company Claroty.
SINEC is configured with all the necessary credentials so it can communicate, monitor and control the remote devices in the network, Moshe says.
For an attacker intending to use "living off the land" tactics - using legitimate tools and functions in the network for malicious purposes - having control of the SINEC allows them to:
- Hold the key to a network map of all connected devices;
- Move laterally as SINEC access allows them to manage devices on the network;
- Escalate their privileges, since SINEC also gives them access to admin credentials and keys to managed devices.
Two vulnerabilities, tracked as CVE-2021-33723 and CVE-2021-33722, can be chained to allow an attacker to remotely execute code on the targeted system, says Moshe. While CVE-2021-33723 allows attackers to escalate privileges, CVE-2021-33722 enables them to carry out a path-traversal attack and execute code remotely, he says.
The account takeover vulnerability, CVE-2021-33723, with a CVSS score of 8.8, gives any authenticated user access to functionality that is meant to be restricted to admins.
"The SINEC permission model is based on group membership; only users of corresponding groups are able to perform certain actions. In general, whenever a user tries to perform an action involving other users, such as creating another user account, viewing another user's account details and/or changing them, the server requires the user who performed the action to be a member of the administrative group that is allowed to perform those actions," the Claroty research says.
That means that while no user can change anyone else's account details without passing those checks, they can change their own account details, such as their email address and password.
"A user can simply supply a JSON payload containing information about their account, and the server will change the view model of the given user, and the account details," the research says.
Moshe says there are two problems with this route. "First, since the user attributes are updated directly through this request, we can supply certain fields that the server did not intend to change, like the user password. By simply supplying a password variable in our request, we change our user's password," he says.
The system does not verify whether the user editing an account is actually that account's owner, he says. So, "by supplying an ID and username of the administrative account, we can simply change its password, gaining access to the account," he says.
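The two defects Claroty describes (attributes copied straight from the JSON body, and no check that the account being edited belongs to the caller) are a textbook mass-assignment plus missing-ownership bug. The following is an added illustration, not SINEC code: the handler names, field names and user records are constructed assumptions. It shows the vulnerable shape next to a hardened version that takes the caller's identity from the session, enforces ownership, and allow-lists the fields a self-service update may touch.

```python
"""Constructed account-update handler, not SINEC code: handler names, field
names and the user records below are assumptions made for illustration."""
import json
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    username: str
    email: str
    password: str
    groups: set = field(default_factory=set)


def fresh_store() -> dict:
    """Constructed user table standing in for the NMS database."""
    return {
        1: User(1, "admin", "admin@example.invalid", "admin-secret", {"administrators"}),
        2: User(2, "operator", "op@example.invalid", "op-secret", set()),
    }


def update_account_vulnerable(caller_id: int, body: str, users: dict) -> dict:
    """Defect 1: every attribute in the JSON body is copied onto the record,
    so a 'password' key the server never meant to accept is honoured.
    Defect 2: the target comes from the body's 'id' with no check that it
    belongs to the caller, so any authenticated user can edit the admin."""
    payload = json.loads(body)
    target = users.get(payload.get("id"))
    if target is None:
        return {"status": 404}
    for key, value in payload.items():
        if key != "id":
            setattr(target, key, value)   # mass assignment
    return {"status": 200, "user": target.username}


# Fields an ordinary user may change on their own account.
SELF_EDITABLE = {"email", "password"}


def update_account_fixed(caller_id: int, body: str, users: dict) -> dict:
    """Identity comes from the session (caller_id), ownership is enforced,
    and only allow-listed fields are applied; anything else is rejected."""
    payload = json.loads(body)
    caller = users[caller_id]
    target = users.get(payload.get("id"))
    if target is None:
        return {"status": 404}
    # Ownership check: only the owner or an administrator may touch this record.
    if target.id != caller.id and "administrators" not in caller.groups:
        return {"status": 403, "error": "not permitted to modify another account"}
    # Allow-list: unknown or privileged fields are rejected, not silently applied.
    unexpected = set(payload) - SELF_EDITABLE - {"id"}
    if unexpected:
        return {"status": 400, "error": f"fields not permitted: {sorted(unexpected)}"}
    for key in SELF_EDITABLE & set(payload):
        setattr(target, key, payload[key])
    return {"status": 200, "user": target.username}
```

Rejecting unexpected fields with a 400 rather than ignoring them is deliberate: a silently dropped `groups` or `password` key hides probing in the logs, whereas an explicit rejection is something a detection rule can alert on.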
The path traversal flaw, CVE-2021-33722, is a remote code execution vulnerability with a CVSS score of 7.2. "As part of SINEC's business logic, an administrator can create containers, which are a bundle of files ranging from compiled programs to text files and graphics. The administrator can use these containers and push them to any managed devices they choose. Our vulnerability involves this functionality, specifically the option to export and import those containers to the SINEC platform," the research says.
Claroty says this flaw could be abused to write arbitrary files on the host's filesystem. The company was also able to conduct a series of moves, including dropping a webshell, showing that the vulnerability would allow an attacker to execute arbitrary commands.
The Other Vulnerabilities
CVE-2021-33724, CVE-2021-33725 and CVE-2021-33726, with CVSS scores of 6.5, 4.9 and 6.5, respectively, are all path traversal vulnerabilities. Exploiting these flaws may enable attackers to delete an arbitrary file or directory under a user-controlled path.
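Both the container import that Claroty turned into an arbitrary file write and the deletion flaws above come down to the same missing check: a file name or path taken from the request is used without confirming that it still lies under the intended directory once resolved. The following is an added example, not SINEC code; the directory layout, entry names and function names are constructed assumptions. It shows an importer that trusts entry names beside one that canonicalises each path and rejects anything that escapes the store, and reuses the same check to guard deletion under a user-supplied path.

```python
"""Constructed path-containment example, not SINEC code: store layout,
container entries and function names are assumptions for illustration."""
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_inside(base: str, user_path: str) -> Optional[str]:
    """Return the canonical path of user_path under base, or None if the
    resolved path escapes base (via '..', an absolute path or a symlink)."""
    root = Path(base).resolve()
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return str(candidate)


def import_container_vulnerable(base: str, entries: dict) -> list:
    """Writes every entry where its name says, so '../x' lands outside base."""
    written = []
    for name, data in entries.items():
        dest = os.path.join(base, name)       # no containment check
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(os.path.abspath(dest))
    return written


def import_container_fixed(base: str, entries: dict) -> dict:
    """Rejects any entry that resolves outside base before touching the disk."""
    result = {"written": [], "rejected": []}
    for name, data in entries.items():
        dest = resolve_inside(base, name)
        if dest is None:
            result["rejected"].append(name)
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        result["written"].append(name)
    return result


def delete_fixed(base: str, user_path: str) -> bool:
    """The same containment check guards deletion under a user-supplied path."""
    target = resolve_inside(base, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Runs both importers inside a throwaway directory with a constructed
    container whose second entry tries to climb out of the store."""
    container = {
        "config/device.cfg": b"constructed config",
        "../escaped.txt": b"written outside the store",
    }
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "store")
        os.makedirs(store)
        vuln = import_container_vulnerable(store, container)
        prefix = os.path.abspath(store) + os.sep
        escaped = any(not p.startswith(prefix) for p in vuln)
        fixed = import_container_fixed(store, container)
        deleted_ok = delete_fixed(store, "config/device.cfg")
        deleted_escape = delete_fixed(store, "../escaped.txt")
    return {
        "vulnerable_escaped": escaped,
        "fixed": fixed,
        "deleted_ok": deleted_ok,
        "deleted_escape": deleted_escape,
    }
```

The check resolves the path first and compares afterwards, which is what catches absolute names and symlinked directories as well as plain `..` segments; a string comparison on the unresolved name would not.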
CVE-2021-33727, with a CVSS score of 6.5, exposes sensitive information to an unauthorized actor. An authenticated attacker can exploit this flaw to download user profiles and leak confidential information.
CVE-2021-33728, with a CVSS score of 7.2, allows deserialization of untrusted data. Deserializing untrusted data can enable an attacker to control the state or the flow of the execution.
CVE-2021-33729, with a CVSS score of 8.8, is an SQL injection vulnerability that allows an authenticated attacker to import firmware containers to an affected system and execute arbitrary commands in the local database.
The vulnerabilities tracked as CVE-2021-33730, CVE-2021-33731, CVE-2021-33732, CVE-2021-33733, CVE-2021-33734, CVE-2021-33735 and CVE-2021-33736 all have CVSS scores of 7.2. They are all SQL injection vulnerabilities that allow a privileged authenticated attacker to "execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application."
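The eight SQL injection flaws above share one root cause: a value from a crafted request ends up inside the text of a statement sent to the local database. The following added example (not SINEC code; the table, columns and query are constructed assumptions standing in for the NMS's local database) runs a string-built query and a parameterised one against the same in-memory SQLite table, so the difference in behaviour on a crafted input can be observed directly.

```python
"""Constructed SQL injection contrast, not SINEC code: the device table and
the lookup query are assumptions standing in for the NMS local database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed device table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, firmware TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("plc-01", "v2.1"), ("switch-07", "v4.0"), ("hmi-03", "v1.9")],
    )
    return conn


def find_firmware_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Request parameter pasted into the statement: quoting inside the
    parameter becomes part of the SQL grammar, so the WHERE clause can be
    rewritten by whoever controls the value."""
    sql = f"SELECT name, firmware FROM devices WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_firmware_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Placeholder binding: the driver passes the value separately from the
    statement, so it can only ever be compared against a device name."""
    sql = "SELECT name, firmware FROM devices WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()
```

A database user with the minimum rights the application needs limits what even a successful injection can reach; parameterisation removes the injection itself, and the two belong together.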