Exploit the possiblities

Siemens SICAM RTUs SM-2556 COM Modules XSS / Bypass / Code Execution

Siemens SICAM RTUs SM-2556 COM Modules XSS / Bypass / Code Execution
Posted Nov 14, 2017
Site sec-consult.com

Siemens SICAM RTUs SM-2556 COM modules (firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00) suffer from authentication bypass, code execution, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, code execution, xss
advisories | CVE-2017-12737, CVE-2017-12738, CVE-2017-12739
MD5 | 3283852a55a15196693165f91cac0937

Siemens SICAM RTUs SM-2556 COM Modules XSS / Bypass / Code Execution

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20171114-0 >
=======================================================================
title: Authentication bypass, cross-site scripting & code
execution
product: Siemens SICAM RTUs SM-2556 COM Modules
(firmware variants ENOS00, ERAC00, ETA2, ETLS00,
MODi00 and DNPi00
vulnerable version: FW 1549 Revision 07
fixed version: none, see Workaround section below
CVE number: CVE-2017-12737 (authentication bypass)
CVE-2017-12738 (XSS)
CVE-2017-12739 (web server)
impact: critical
homepage: www.siemens.com
found: 2017-08-17
by: SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Siemens is a global powerhouse focusing on the areas of electrification,
automation and digitalization. One of the world's largest producers of
energy-efficient, resource-saving technologies, Siemens is a leading supplier
of systems for power generation and transmission as well as medical diagnosis."

Source: https://www.siemens.com/global/en/home/company/about.html


Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved. The device must not be accessible from
untrusted networks.


Vulnerability overview/description:
-----------------------------------
1) Authentication Bypass (client-side "authentication" enforcement)
The web interface (TCP port 80) suffers from an authentication bypass
vulnerability that allows unauthenticated attackers to access arbitray
functionality and information (i.e. password lists) available through
the webserver.


2) Reflected Cross-Site Scripting
The web interface provides a "ping" functionality. This form is
vulnerable to reflected cross-site-scripting because of missing input
handling and output encoding.


3) Outdated Webserver (GoAhead)
The used webserver version contains known weaknesses.


Proof of concept:
-----------------
1) Authentication Bypass
Use a browser which has JavaScript disabled ("Authentication" checks are
performed client-side) and open legitimate URLs directly.

Examples:
http://<hostname>/start.asp
http://<hostname>/pwliste.asp
http://<hostname>/goform/webforms_readmem?start_addr=0&length=100


2) Reflected Cross-Site Scripting
All parameters in "webforms_ping" are vulnerable to reflected XSS:
http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1


3) Outdated Webserver
The used version of "GoAhead" webserver is 2.1.7 (released in Oct. 2003)
This version has known vulnerabilities:

http://aluigi.altervista.org/adv/goahead-adv3.txt
https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp



Vulnerable / tested versions:
-----------------------------
SM-2556 COM Modules with the firmware variants ENOS00, ERAC00,
ETA2, ETLS00, MODi00 and DNPi00
(FW 1549 Revision 07)


Vendor contact timeline:
------------------------
2017-09-25: Encrypted advisory sent to Siemens ProductCERT
2017-10-02: Requesting status update.
2017-10-09: Vendor states that the "affected device is out of service"
and provides workaround (disable webserver). They are
"still assessing the next steps".
2017-11-02: Requesting status update.
2017-11-06: Siemens ProductCERT will reach out to development team and keep us
posted.
2017-11-08: Siemens ProductCERT prepares advisory.
2017-11-08: Asking about planned release date.
2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14)
2017-11-14: Coordinated public release.


Solution:
---------
No firmware update is available as the device is no longer supported by
the vendor.


Workaround:
-----------
According to the vendor the webserver can be disabled to mitigate all
the vulnerabilities documented in this advisory.
The webserver is optional and only used for commissioning and debugging
purposes.

The vendor published the following document for further information:
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-164516.pdf


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Twitter: https://twitter.com/sec_consult


EOF SEC Consult Vulnerability Lab / @2017

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    7 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close