Siemens has released an out-of-band update for the SIMATIC WinCC SCADA system, which is integrated in its PCS7 distributed control system and its TIA Portal, the engineering software for SIMATIC products that is deployed across several industrial sectors, primarily in the US and Europe.
The update solves two critical bugs: CVE-2014-8551, which could allow remote code execution for unauthenticated users if specially crafted packets are sent to the WinCC server, and CVE-2014-8552, which could allow unauthenticated users to extract arbitrary files from the WinCC server (also via a specially crafted packet).
According to a security advisory published by the US ICS-CERT, the bugs are easily exploitable by low-skill attackers. In fact, they say that “indicators exist that this vulnerability may have been exploited during a recent campaign.” Possibly this one?
“Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation,” they concluded.
Siemens is working on updates for other affected products, which should be released soon. In the meantime, customers should apply mitigations such as running the WinCC server and engineering stations within a trusted network, encrypting communication between them, restricting access to the WinCC server to trusted entities, and keeping application whitelisting software and virus scanners up to date.