15 vulnerabilities discovered in Siemens industrial control management system
Fifteen vulnerabilities affecting Siemens SINEC network management system (NMS) were unveiled this week, according to new research published by security company Claroty.
The bugs affect all versions prior to V1.0 SP2 Update 1, and Siemens urged users to update to a patched version as soon as possible.
Noam Moshe, vulnerability researcher with Claroty, told The Record that the most concerning of the 15 vulnerabilities – which include denial-of-service attacks, credential leaks, and remote code execution in certain circumstances – revolve around CVE-2021-33723 and CVE-2021-33722.
Moshe noted that network management systems are used to centrally monitor, manage, and configure industrial networks with tens of thousands of devices. They are used widely in industrial automation across several industries, including manufacturing, oil and gas, electrical grids, and more.
“Most concerning is the chaining of CVE-2021-33723 and CVE-2021-33722, which creates a powerful exploit that could give an attacker elevated permissions on the SINEC system to NT AUTHORITY\SYSTEM, full system access,” Moshe said.
“From there, an attacker could remotely execute code and also compromise other Siemens devices on the network managed by SINEC.”
In a report on the vulnerabilities, Claroty showed how CVE-2021-33723 can be used to gain administrative access and CVE-2021-33722 can then be exploited to instigate a breach.
Siemens SINEC is an NMS built for OT networks and designed for centrally monitoring, managing, and configuring Siemens devices. The SINEC system is configured with all the necessary credentials for the devices in the network so it can communicate, monitor and eventually control the remote devices in the network.
Operators use SINEC to perform firmware upgrades or query the status of remote devices in the network, from network switches to Siemens PLCs. It is also used to control and maintain other ICS-related equipment.
“From an attacker’s perspective, conquering the NMS is key to getting a strong foothold in the network,” Moshe explained.
“This is because the attacker could use the ‘normal’ NMS functionality to take control over network devices by changing firmwares, shutting down remote devices, or even moving across the network while hacking the same remote devices that the SINEC system manages.”
Some of the other vulnerabilities discovered, like CVE-2021-33727, let an authenticated attacker download the profile of any user, leaking confidential information. CVE-2021-33733 gives attackers the ability to execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
Other industrial control security experts agreed with Moshe’s assessment that CVE-2021-33723 and CVE-2021-33722 are the most concerning of the 15 vulnerabilities.
Nozomi Networks’ Roya Gordon said the two bugs are worrying because they are the beginning of the “chain” of vulnerabilities in which successful exploitation of the two CVEs allows for the exploitation of the other 13 CVEs.
“I will say that whenever you see a blog announcing a vulnerability and it includes the vendor advisory, that’s a good sign. It means that there is a fix you can implement right away to prevent all possible exploits,” Gordon said.
“These vulnerabilities allow a threat actor to gain admin rights to the system and pretty much do whatever they want. They can even Live off the Land, which is a technique threat actors use to erase their steps, making it difficult for IR responders to trace their activity. This also makes it easier for the attacker to remain in the system undetected before even executing an attack, because they appear to be a privileged user. A threat actor with admin capabilities ‘lurking’ in an OT environment is very alarming.”
Ron Fabela, CTO of SynSaber, told The Record that the core vulnerabilities lie not only in the control system applications themselves, but also in the subsystems that manage them.
If an adversary has network access to industrial control systems, they often do not need to exploit vulnerabilities in order to impact or disrupt operations, Fabela explained.
Fabela added that the NMS in this case could be a treasure trove of information and control, undoing network segmentation that may be in place and allowing deeper infiltration of the control system network.