Five Severe Vulnerabilities Fixed in Siemens' SIMATIC WinCC SCADA System

Siemens has issued an update to its SIMATIC WinCC SCADA system due to five severe vulnerabilities, the company said in an advisory. Impacted products include SIMATIC WinCC before version 7.3, and SIMATIC PCS7 before version 8.1.

“The most severe of these vulnerabilities could allow privilege escalation in the WinCC Project administration application under certain conditions,” the advisory said.

The SIMATIC WinCC is a SCADA system mostly used on a large scale in infrastructure and industry for controlling and monitoring physical processes. The five vulnerabilities are listed from CVE-2014-4682 to CVE-2014-4686 and were fixed in SIMATIC WinCC v7.3.

Details on the five vulnerabilities are as follows:

1. CVE-2014-4682 – An attacker could gain unauthenticated access to sensitive information by sending crafted HTTP requests to ports 80/tpc and 443/tcp from the WinCC WebNavigator server.

2. CVE-2014-4683 – The attacker can escalate privileges in the WinCC by exploiting the first vulnerability.

3. CVE-2014-4684 – An authenticated attacker could escalate privileges in the SIMATIC WinCC database server by sending a crafted command to port 1433/tcp to the server database.

4. CVE-2014-4685 – Limited privilege escalation can be performed by a local user by exploiting the access permissions on system objects.

5. CVE-2014-4686 – An attacker could gain a hardcoded encryption key and perform privilege escalation within the WinCC Project admin application if the network communication of a legitimate user on port 1030/tcp is captured.

To exploit vulnerabilities 2 and 3, an attacker must be authenticated. Also local system access is required to exploit vulnerability 4.

The prime condition for an attacker to exploit the other vulnerabilities is to possess network access to the WinCC server.