SIMATIC Human-Machine Interface Panels to Address a High-Severity Vulnerability

siemens

To fix a high-severity vulnerability that can be remotely abused to gain complete control of a computer, Siemens has released patches for some of its SIMATIC human-machine interface (HMI) panels.

SIMATIC HMI panels are designed for operator control and system and plant tracking purposes.
Ta-Lun Yen, a researcher at the IIoT security-focused joint venture between Trend Micro and Moxa, TXOne Networks, discovered that these devices are afflicted by a missing Telnet service authentication problem. Affected Telnet-enabled systems do not need any protection, enabling a remote intruder to access a computer in full, Siemens said.

The German industrial giant said the weakness (CVE-2020-15798) had an effect on SIMATIC HMI Comfort Panels and SIMATIC HMI KTP Mobile Panels, like SIPLUS devices designed for severe conditions. In v16 Version 3a and later, updates are included. Both past versions are impaired.

Organizations should uninstall Telnet to avoid possible attacks that abuse this vulnerability, in addition to downloading the available patches. Siemens pointed out that on the affected computers, Telnet is not allowed by default.

TXOne’s Yen told that several devices that can be attacked from the Internet have not been found, but noted that there might be certain configurations that make them available from the intranet.

An attacker could exploit the flaw and use the HMI as a foothold in the targeted network, according to the researcher. The machines run Windows CE and he says there is no endpoint security available.

He also assumes that an attacker might use the infected HMI computer to enter or disable other devices, such as sensors and PLCs, by giving them “weird values.” In order to avoid raising doubt, an attacker could also show false details in the HMI when executing other disruptive activities that could harm an industrial enterprise.

Yen said that the vulnerability can also be leveraged to brick a system to avoid the user from communicating with factory processes briefly. Abuse of the HMI for cryptocurrency mining is also probable, however this scenario is doubtful as it is economically unfeasible, the researcher stated.

An alert to notify industrial organisations of the danger posed by this vulnerability has already been released by the U.S. Cybersecurity and Infrastructure Protection Agency (CISA). In the coming time, Trend Micro’s Zero Day Initiative (ZDI), which helped organise disclosure along with CISA, will also publish an advisory on this vulnerability.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.