Description
Multiple vulnerabilities have been reported in Siemens SIMATIC WinCC Flexible, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system.
1) An input sanitisation error in Miniweb.exe when handling HTTP GET requests can be exploited to download arbitrary files via directory traversal attacks sent in a web request.
2) An input validation error in Miniweb.exe when handling HTTP POST requests can be exploited to crash the process via specially crafted content sent in a web request.
3) An error in the HmiLoad.exe utility when processing network requests can be exploited to cause a stack-based buffer overflow resulting in a crash via a specially crafted packet sent to TCP port 2308.
4) An error in Miniweb.exe when handling certain web requests can be exploited to disclose the contents of arbitrary memory via a specially crafted URL.
5) An error in the HmiLoad.exe utility when processing network requests can be exploited to download and upload arbitrary files via directory traversal attacks sent to TCP port 2308.
6) An unspecified error when processing certain project files can be exploited to potentially execute arbitrary code.
7) Certain input passed to unspecified parameters in the HMI web server is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Vulnerabilities #1 to #3 are confirmed in version 2008 SP2 Upd13 (K01.03.02.13_01.02.00.01). Other versions may also be affected.
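Vulnerabilities #1 and #5 are directory traversal issues, and #1 arrives over plain HTTP GET, which makes it visible in ordinary web-server access logs. The following is an added detection example, not code from the advisory, from Secunia, or from Siemens: it percent-decodes each request target (repeatedly, to catch double encoding), walks the path segments, and flags any request that climbs above the web root. The log format and the sample lines are constructed for the example; the advisory does not give the exact request pattern Miniweb.exe mishandles, so the check is a generic traversal detector rather than a signature for this product.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not taken from the advisory). The
# format is a simplified common log: client, method, request target, status.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.7 GET /../../windows/win.ini 200
10.0.0.7 GET /%2e%2e/%2e%2e/boot.ini 200
10.0.0.9 GET /images/..%2f..%2fsecret.txt 200
10.0.0.3 GET /docs/../docs/readme.txt 200
10.0.0.4 POST /cgi/upload 200
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$'
)


def decode_path(target: str) -> str:
    """Return the path part of a request target, percent-decoded.

    Decoding is repeated (bounded) so that double-encoded sequences such as
    %252e%252e are reduced to '..'. Backslashes are folded to '/' because
    Windows-hosted servers often accept either separator.
    """
    path = urlsplit(target).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def escapes_root(path: str) -> bool:
    """True if the path, once normalised, climbs above the web root.

    The segments are walked by hand rather than via posixpath.normpath,
    because normpath silently clamps '/../x' to '/x' and would hide the
    very thing we want to see.
    """
    depth = 0
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal(log_text: str) -> list[dict]:
    """Scan access-log text and return one record per traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        path = decode_path(m['target'])
        if escapes_root(path):
            hits.append({
                'client': m['client'],
                'target': m['target'],
                'decoded': path,
            })
    return hits


if __name__ == '__main__':
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['client']} requested {hit['target']} -> {hit['decoded']}")
```

Note that `/docs/../docs/readme.txt` is deliberately not flagged: it contains `..` but never leaves the root, so a naive substring match on `..` would produce a false positive there. Run against real logs, the same logic applies to any web server fronting an HMI, and the list of flagged clients is a reasonable starting point for an incident review.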
Vulnerable Products
Vulnerable Software: Siemens SIMATIC WinCC Flexible 2008
Solution
Update to version 2008 SP3, which reportedly fixes vulnerabilities #4, #5, and #7. Apply fixes (please see the vendor's advisory for details).
CVE
CVE-2011-4879
CVE-2011-4878
CVE-2011-4877
CVE-2011-4876
CVE-2011-4875
CVE-2011-4514
CVE-2011-4513
CVE-2011-4512
CVE-2011-4511
CVE-2011-4510
CVE-2011-4509
CVE-2011-4508
References
Luigi Auriemma:
http://aluigi.altervista.org/adv/winccflex_1-adv.txt
Siemens:
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf
Vulnerability Manager Detection
No
IPS Protection