Siemens has issued several patches for a series of critical vulnerabilities in its products. Security problems were detected in ICS components — development tools and HMI. More than ten vulnerabilities were eliminated. Insecure password storage, buffer overflow, and possibility of creating bookmarks in the SCADA project files were among them.
The updates deal with Siemens SIMATIC PC7, WinCC and TIA Portal and focus on elimination of security problems detected by the experts of Positive Technologies. It is worth reminding that WinCC Hardening Guides, which can be used as technical security standards for system configuration or as security checklists for audit, had been earlier published in the blog of Positive Technologies Research Center.
Siemens thanked the specialists of Positive Technologies, namely Sergey Bobrov, Sergey Gordeychik, Gleb Gritsay, Roman Ilin, Ilya Karpov, Dmitry Nagibin, Alexey Osipov, Artyom Chaykin and Timur Yunusov. Moreover, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) highly rated the research performed by our experts and issued the relevant advisory.
Several new attack vectors eliminated by Siemens were presented by the experts of Positive Technologies at the conference Black Hat Europe that took place in Amsterdam in the middle of March.
\”Elimination of these vulnerabilities results from the research of ICS components security performed by our research center. Design of critical elements is impossible if untrusted or insecure components are used in production systems. Our aim is to increase the security level of ICS systems, so we\’ll keep on working in this direction,\” said Sergey Gordeychik, the Chief Technical Officer.