Tenable Research Discloses Critical Vulnerability in Siemens STEP 7 (CVE-2019-10915)
Tenable Research has discovered a critical vulnerability in Siemens TIA Portal (also referenced as STEP 7) that would allow an attacker to perform administrative actions. Siemens has released an update and security advisory.
- What you need to know: Tenable Research has disclosed an unauthenticated RCE in Siemens SIMATIC STEP 7 V15.1.
- What’s the attack vector? Authentication bypass in the TIA Administrator server through websockets on the node.js server.
- What’s the business impact? Attackers could perform any administrative actions on the TIA Portal, including elevating privileges or sending malicious firmware updates.
- What’s the solution? Siemens has released an update and security advisory for this vulnerability.
Background
Siemens has released an update and security advisory for CVE-2019-10915, an unauthenticated remote command execution (RCE) vulnerability in the TIA Portal (also referenced as STEP 7) discovered by Tenable Researcher Joseph Bingham.
SIMATIC STEP 7 Professional V15.1 is the programming software for the controller families S7-300, S7-400, C7 and WinAC. According to Siemens, the software is used for automation tasks like “configuring hardware, establishing communications, programming, testing, commissioning and service, documentation and archiving, or operational and/or diagnostic functions.” It is deployed in sectors including manufacturing, utilities and transportation.
Analysis
The vulnerability is an authentication bypass in the TIA Administrator server. An attacker could execute arbitrary application commands through websockets on the node.js server which is externally exposed by default.
By exploiting this vulnerability, an unauthenticated remote attacker could perform actions on TIA Portal, such as elevating privileges, changing proxy settings, or specifying malicious firmware updates. This vulnerability could be a critical part of a tailored attack against operational technology (OT) or industrial control systems (ICS), similar to Triton, Duqu and Stuxnet. Bingham explains how this vulnerability could be leveraged in an attack like this in his Medium blog post.
Business impact
An attacker could compromise a TIA Portal system and use their access to add malicious code to adjacent industrial control systems. Attackers could also use the access gained through exploitation of this vulnerability to steal sensitive data on existing OT setups to further progress and plan targeted attacks on critical infrastructure.
In a worst case scenario, a vulnerable TIA Portal system can be used as a stepping stone in an attack causing catastrophic damage to OT equipment, disrupting critical operations or conducting cyber espionage campaigns.
Solution
Users should confirm that they have updated to the latest version of Siemens STEP 7.
Additional information
- Visit the Tenable Tech Blog on Medium to read researcher Joseph Binghams’s in-depth story about the team’s work researching ICS security.
- Siemens Security Advisory
- Tenable Advisory
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io.
Related Articles
Cybersecurity Snapshot: Guide Unpacks Event-Logging Best Practices, as FAA Proposes Stronger Cyber Rules for Airplanes
August 23, 2024Looking to sharpen your team’s event logging and threat detection? A new guide offers plenty of best practices. Plus, the FAA wants airplanes to be more resilient to cyberattacks. Meanwhile, check out the critical vulnerabilities Tenable discovered in two Microsoft AI products. And get the latest on ransomware trends, vulnerability management practices and election security!
Detecting Risky Third-party Drivers on Windows Assets
August 7, 2024Kernel-mode drivers are critical yet risky components of the Windows operating system. Learn about their functionality, the dangers they pose, and how Tenable's new plugins can help identify and mitigate vulnerabilities using community-driven resources like LOLDrivers.
Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach
August 6, 2024As AI transforms industries, security remains critical. Discover the importance of a security-first approach in AI development, the risks of open-source tools, and how Tenable's solutions can help protect your systems.
Cybersecurity Snapshot: CISA Warns of Global Spear-Phishing Threat, While OWASP Releases AI Security Resources
November 8, 2024CISA is warning about a spear-phishing campaign that spreads malicious RDP files. Plus, OWASP is offering guidance about deepfakes and AI security. Meanwhile, cybercriminals have amplified their use of malware for fake software-update attacks. And get the latest on CISA’s international plan, Interpol’s cyber crackdown and ransomware trends.
Context Is King: From Vulnerability Management to Exposure Management
November 7, 2024Vulnerability management remains a cornerstone of preventive cybersecurity, but organizations still struggle with vulnerability overload and sophisticated threats. Tenable’s new Exposure Signals gives security teams comprehensive context, so they can shift from vulnerability management to exposure management and effectively prioritize high-risk exposures across their complex attack surface.
Securing Financial Data in the Cloud: How Tenable Can Help
November 4, 2024Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning