Industry News

CISA Reveals ICS Hardware Vulnerabilities Across Siemens RUGGEDCOM ROX, SIMATIC, Rockwell Automation Equipment

20 July 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued several security advisories on Thursday addressing vulnerabilities in industrial control systems (ICS) typically used across critical infrastructure sectors. The agency revealed the presence of hardware vulnerabilities across Siemens and Rockwell Automation equipment. It also released notices of hardware vulnerabilities across various Siemens product lines, including SIMATIC MV500, SIMATIC CN 4100, RUGGEDCOM ROX, and SiPass Integrated.

CISA revealed the presence of cross-site scripting and authentication bypass vulnerabilities in Rockwell Automation equipment deployed globally across the critical manufacturing sector. Rockwell Automation PowerMonitor 1000 V4.011 is affected by these vulnerabilities.

“Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product,” CISA said in its advisory. “The PowerMonitor 1000 contains stored cross-site scripting vulnerabilities within the web page of the product. The vulnerable pages do not require privileges to access and can be injected with code by an attacker, leading to a loss of data integrity.”

CISA advises users to take defensive steps to reduce the risk of exploitation of this vulnerability. Users should upgrade to the latest version, V4.019, which has been patched to mitigate these issues. They should also isolate control system networks and remote devices from corporate networks by placing them behind firewalls.
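The network isolation CISA recommends above is usually implemented as a deny-by-default rule set at the boundary between the corporate and control system networks. The following nftables rule set is an added example, not part of the advisory or any vendor guidance; the interface names (corp0, ics0), the subnets, the engineering workstation addresses and the PowerMonitor 1000 address are all constructed assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: a deny-by-default boundary between a corporate network and an
# ICS network. All addresses and interface names below are assumed values.
flush ruleset

define ICS_NET   = 10.20.0.0/24                    # assumed control system subnet
define ENG_HOSTS = { 10.1.50.10, 10.1.50.11 }      # assumed hardened engineering workstations
define PM1000    = 10.20.0.10                      # assumed PowerMonitor 1000 web interface

table inet ics_segmentation {
    chain forward {
        # Anything crossing the boundary is dropped unless a rule below allows it
        type filter hook forward priority filter; policy drop;

        # Replies to connections permitted below are allowed; malformed state is not
        ct state established,related accept
        ct state invalid drop

        # Only the engineering workstations may reach the device's HTTPS page,
        # so an unprivileged corporate host cannot reach the vulnerable web pages
        iifname "corp0" oifname "ics0" ip saddr $ENG_HOSTS ip daddr $PM1000 tcp dport 443 accept

        # The ICS side never initiates connections toward the corporate network
        iifname "ics0" oifname "corp0" ip saddr $ICS_NET log prefix "ics-egress-blocked " drop

        # Everything else crossing the boundary is logged and dropped for monitoring
        log prefix "ics-boundary-drop " drop
    }
}
```

Loading this with `nft -f` on the boundary host leaves the device reachable only from the named workstations on one port, and the log prefixes give the security operations team a signal for any other attempt to cross the boundary, which is the kind of visibility a patch alone does not provide.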

In another advisory, CISA identified the presence of classic buffer overflows, cross-site request forgeries, inadequate encryption strength, risky cryptographic algorithms and many other vulnerabilities across Siemens RUGGEDCOM ROX products. “Successful exploitation of these vulnerabilities could allow an attacker to send a malformed HTTP packet.”

All versions before V2.16.0 of Siemens RUGGEDCOM ROX are vulnerable to the use of a broken cryptographic algorithm, according to the advisory. “The exploitation of these vulnerabilities can cause certain functions to fail, achieve a man-in-the-middle attack, or arbitrary code execution,” it added.

Siemens reported this vulnerability to CISA. Siemens also recommends octet-counted framing to lower the risk from the buffer overflow vulnerability, and updating products to the latest patch, as the vulnerability was fixed in V2.16.0 and later versions.

CISA also revealed that the Siemens SIMATIC MV500 series is affected by exposure of sensitive information, missing release of memory after effective lifetime, injection, inadequate encryption strength, and improper input validation vulnerabilities. The agency said that exploitation of these vulnerabilities could allow an attacker to read memory contents, disclose information, or cause a denial-of-service condition.

“An information leak was found in NFS over RDMA in net/sunrpc/xprtrdma/rpc_rdma.c in the Linux kernel. This flaw allows an attacker with normal user privileges to leak kernel information,” said CISA in its notice. Siemens released an update for the SIMATIC MV500 series family and recommends updating to the latest version. It also identified specific workarounds and mitigations that users can apply to reduce risk, including not accessing links from untrusted sources and accessing the device only from trusted IP addresses.

CISA reported that Siemens’ SIMATIC CN 4100 equipment could expose sensitive information due to improper access control and incorrect permissions. The exploitation of this vulnerability could allow an attacker to gain access to sensitive information and bypass network isolation.

The equipment is deployed across multiple critical infrastructure sectors, and CISA said in its advisory that “Affected devices consist of improper access controls in the configuration files that could lead to privilege escalation. An attacker could gain admin access with this vulnerability, leading to complete device control.” Michael Klassen and Martin Floeck of the BASF Security Team reported these vulnerabilities to Siemens.

Siemens called upon users to update to V2.5 or a later version. Siemens advises implementing suitable mechanisms to safeguard network access to devices as a fundamental security measure. To ensure secure operation of the devices within an IT environment, it is recommended to configure the environment in accordance with Siemens’ operational guidelines for industrial security and adhere to the recommendations outlined in the product manuals.

Siemens’ SiPass Integrated equipment was found to contain an improper input validation vulnerability. The exploitation of this vulnerability could allow an attacker to disclose sensitive information, execute code in the context of the current process, or crash the application, causing a denial-of-service condition. Siemens has released update V2.90.3.8 for SiPass Integrated and recommends updating to the latest version.

Also in the most recent set of CISA ICS advisories were Honeywell’s Experion PKS, LX, and PlantCruise systems. Several hardware vulnerabilities were discovered, including heap-based buffer overflow, stack-based buffer overflow, out-of-bounds write, uncontrolled resource consumption, improper output encoding or escaping, deserialization of untrusted data, improper input validation, and incorrect comparison. Once again, CISA called upon users to update to the latest versions of the affected equipment.