Sprecher Automation informs about detailing several severe and also critical security vulnerabilities in different versions of the Wibu Systems CodeMeter User Runtime software.


The CodeMeter User Runtime Software is used by SPRECON-V460 for its software license protection.
The issues were addressed by Wibu Systems and a new version 7.10 was made available by Wibu Systems, in which these issues were resolved.

The CodeMeter User Runtime software is used for dongle and soft licensing by the SPRECON-V460 Editor, SPRECON-V460 Runtime, SPRECON-V460 Analyzer, SPRECON-V460 Web Server, SPRECON-V460 Logic/Straton Runtime and the Logic/Straton Workbench. This software is part of the installation of these software products, even when no dongle license is used.

SPRECON-V460 versions 8.00 and higher exclusively use the CodeMeter User Runtime software from Wibu Systems and are affected by these vulnerabilities.
SPRECON-V460 versions 8.00 and lower may use the CodeMeter User Runtime software from Wibu Systems and might be affected by these vulnerabilities.
The SPRECON-V460 Analyzer exclusively uses the CodeMeter User Runtime software from Wibu Systems and is affected by these issues.

Wibu Systems provides an updated version 7.10 of the CodeMeter User Runtime software, which addresses the reported vulnerabilities.
The “CodeMeter User Runtime for Windows” software can be downloaded via this link:
https://www.wibu.com/support/user/user-software.html

For more details, see attached vulnerability announcement for SPRECON-V460

• SPRECON-E engineering data as well as device parameter files need to be stored with proper access restrictions in place in order to prevent unauthorized personal from access
• Before creating PDLs and downloading them to the devices, the configuration data should be checked for any unwanted content
• Engineering workstations as well as SPRECON devices themselves are suggested to only be operated in closed and properly secured environments as they usually carry sensitive data and operate critical processes.

SPRECON-E: not affected
SPRECON-V: affected (Editor)

SPRECON-E: not affected
SPRECON-V: not affected

• https://armis.com/urgent11/
• https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
• https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/ipnet-faq/

While Sprecher Automation is applying Belden Hirschmann Products in many automation systems, it is important to mention that these products might by affected by VxWorks vulnerabilities.
Belden Hirschmann recommends to close these vulnerabilities by updating firmware and has released a proper security announcement within its Belden Security Bulletin (attached).

•   Belden Security Bulletin

SPRECON-E: partly affected
SPRECON-V: not affected

Netflix discovered a critical vulnerability based on the combination of TCP Selective Acknowledgement (SACK) and TCP Minimum Segment Size (MSS) in Linux kernels. The sending of specific sequences of TCP SACK packets with low MSS can cause an Integer-Overflow, leading to kernel-panic. Hence, a denial-of-service can be the consequence leasind to potential unavailability of the device.
An analysis for SPRECON-E systems lead to the result, that only FALCON (PU244x) and T3 MC33/34 product series are affected by the following CVEs:

• CVE-2019-11477 (CVSS 3.0 Base Score 7.5)
• CVE-2019-11478 (CVSS 3.0 Base Score 7.5)
• CVE-2019-11479 (CVSS 3.0 Base Score 7.5)

Recommendation
By implementing the follwing firewall rule to SPRECON devices, the risk can be mitigated as packets with low MSS will be dropped:
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

Additionally, Sprecher Automation is working towards firmware fixes that close this vulnerability directly.

Nevertheless the general recommendation is to operate SPRECON control and protection devices only within isolated process networks, where proper network segmentation is in place. On potential external firewalls that build the zone boundary, similar measures for filtering packets with low MSS should be implemented. By doing so, the risk of this vulnerability can drastically be reduced.

Further details:
https://www.cert.at/warnings/all/20190618.html
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

SPRECON-E: not affected
SPRECON-V: not affected

SPRECON-E: affected
SPRECON-V: not affected

The web interface (“SPRECON Webserver”) of the SPRECON components suffers from a path traversal vulnerability. A user which is authenticated on the web interface can download files with the permissions of the webserver (www-data). Files like "/etc/shadow" are not readable for the webserver, this is due to SPRECON’s defence-in-depth architecture.

Limitation:

• This vulnerability is only available if EDIR function is respectively was in use on the respective device. Also, a potential attacker needs valid authentication credentials (i.e. username + password) for the web interface.

Solution: 

• Sprecher Automation fixed the vulnerability with firmware version 8.62 (and all subsequent releases). For longterm versions, the releases 8.52g and 8.56f will fix this vulnerability.

Workaround:

• If access control (RBAC) is activated, it is not possible to exploit this vulnerability without having valid user credentials. It is strongly recommended to always activate user authentication on all configuration interfaces. Also, network segmentation is recommended in order to protect network access to IEDs respectively their interfaces.

CVSSv2 Base Score: 2.1
CVSSv3 Base Score: 2.6

More details can be found in the attached advisory.

Acknowledgements:
Thanks to Mr. Erik Huemer from Austrian Energy CERT / CERT.at / NIC.at

Authenticated path traversal Vulnerability

SPRECON-E: not affected
SPRECON-V: affected

The WibuKey software is used for dongle licensing by the SPRECON-V460 editor, SPRECON-V460 runtime, SPRECON-V460 web server, SPRECON-V460 logic runtime, straton runtime, SPRECON-V460 logic workbench and the straton workbench, and for some versions is part of the installation of these software products.

SPRECON-V460 versions 8.00 and higher exclusively use the CodeMeter Software from Wibu Systems and are not affected by these vulnerabilities.

The SPRECON-V460 Analyzer exclusively uses the CodeMeter Software from Wibu Systems and is not affected by these issues.

Affected Components:

• Systems, where the SPRECON-V460 editor, SPRECON-V460 runtime, SPRECON-V460 web server, SPRECON-V460 logic runtime, straton runtime, SPRECON-V460 logic workbench, or straton workbench have been installed, may contain an installation of the WibuKey Runtime software and are potentially affected.
• Systems, where the WibuKey Runtime software has been installed manually, as a WibuKey Network Server for hosting a WibuKey network dongle, are potentially affected.
• Systems, that use green WibuKey dongles (centronics parallel interface, USB, other) require the WibuKey Software.
• Systems, that use silver CodeMeter dongles, use the CodeMeter Runtime software and do not require the WibuKey Software.

Note: The WibuKey Runtime software and / or WibuKey Dongles may also be used by software products from other vendors

Affected Version: 

• WibuKey Software versions 6.40 and older are affected
• SPRECON-V460 products versions 7.20 and older are affected
• SPRECON-V460 products versions 7.50 and 7.60 may be affected if the WibuKey software has been installed manually, to support a WibuKey dongle
• straton products versions 9.2 and older are affected

Patch Availability:

Wibu Systems provides an updated version 6.50b – build 3323 of the WibuKey software that addresses the reported vulnerabilities.
Earlier in December 2018, Wibu Systems provided an updated version 6.50 of the WibuKey software that also addresses the reported vulnerabilities but contains interoperability issues with SPRECON-V460 products and parallel dongles.
The “WibuKey Runtime for Windows” software version 6.50b can be downloaded following this link: https://www.wibu.com/support/user/downloads-user-software.htmlhttps://www.wibu.com/support/user/downloads-user-software.html

Known Issues:

The version 6.50 build 3307 of the WibuKey Runtime for Windows software has a known issue with parallel WibuKey dongles. On start-up of the SPRECON-V460 editor or the SPRECON-V460 runtime, an error message appears stating “Licensing failed: Function = WkbSelect2() The specified parameter is invalid (4)”. Acknowledging the error allows a normal start of the application with the license intact.

Mitigation:

With versions SPRECON-V460 7.20 and older, the WibuKey Runtime software is installed automatically by the setup procedure, in order to be able to use WibuKey dongles without requiring a manual installation of this software.

When the installed product uses either a CodeMeter Dongle or a soft license, the WibuKey Runtime software is not needed and can be uninstalled through the Windows control panel. Uninstalling the WibuKey Runtime software removes the vulnerabilities.

When the installed product uses a WibuKey Dongle, uninstalling the WibuKey Runtime software removes the vulnerabilities but also fails to start the product with a valid Dongle License. In this case there is no mitigation and the updated version must be installed.

With versions SPRECON-V460 7.50 and 7.60, the WibuKey Runtime software is no longer installed automatically as part of the setup procedure but is delivered together with the installation media. It is therefore possible, that the WibuKey Runtime software has been installed manually at some point but may not, or may no longer, be needed.

General Recommendations:

Sprecher Automation generally recommends restricting local physical access to authorized people only. Network access shall be limit to communication that is absolutely required.

Using VLANs and firewalls to segment network traffic and create zones and conduits, reduces exposure of vulnerable systems and allows access to a WibuKey WkLAN Server to be restricted to only those systems that are in fact using a network dongle. It is recommended that systems hosting a WibuKey WkLAN Server are not facing external networks.

Sprecher Automation further recommends using application whitelisting to restrict execution of applications to only those applications that are required for the operation of the system.

Details: see attachment

SPRECON-E: not affected
SPRECON-V: not affected

Cisco published several vulnerabilities for their ASA products:

• CVE-2018-15397: Cisco ASA Traffic Flow Confidentiality Processing Bug Lets Remote Users Cause the Target System to Crash
• CVE-2018-15399: Cisco ASA Bug in TCP Syslog Module Lets Remote Users Cause the Target Service to Crash
• CVE-2018-15383: Cisco ASA DMA Access Bug Lets Remote Users Cause the Target Service to Restart
• CVE-2018-15454: Cisco ASA 5500-X Session Initiation Protocol Bug Lets Remote Users Deny Service
• CVE-2018-15398: Cisco ASA Lets Remote Users Bypass the Per-User-Override Firewall Feature

The vulnerabilities CVE-2018-15397, CVE-2018-15399, CVE-2018-15454, and CVE-2018-15383 could lead to denial of service (DoS) conditions under certain circumstances, while two of them are categorised with criticality "High" by Cisco.

CVE-2018-15398 enables to bypass the Access Control List (ACL) Feature unter certain circumstances, which could enable the acess to protected services behing the firewall. Cisco categorizes this vulnerability with "Medium".

Firmware-Updates are recommended by Cisco.

Affected Products:

Depending on the concrete CVE, Cisco ASA and for some vulnerabilities also Cisco Firepower Threat Defence.

Further Details:

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-ipsec-dos
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-syslog-dos
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-acl-bypass
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-dma-dos

SPRECON-E: not affected
SPRECON-V: not affected

Meinberg fixed vulnerabilities both in the used NTP implementation as well as in OpenSSL with a new firmware release.

In detail, the following vulnerabilities are covered:

• NTP:
  • CVE-2018-12327 (CVSSv3 Score: 9.8),
  • CVE-2018-7170 (CVSSv3 Score: 6.5)
• OpenSSL:
  • CVE-2018-0732 (CVSSv3 Score: 7.5)

The NTP-Vulnerability CVE-2018-12327 is categorized to be critical as it can lead to remote code execution under certain circumstances. There is no information from Meinberg in which situations this could be relevant in practice.

Meinberg strongly recommends to update LANTIME versions 5 and 6 to the patched Version 6.24.05.

Affected Products:
LANTIME M-series
(M100, M200, M300, M400, M600, M900)

IMS-series
(M500, M1000, M1000S, M3000, M3000S, M4000)

SyncFire
(SF1000 / SF1100)

Further Details:

https://www.meinbergglobal.com/english/sw/mbgsecurityadvisory.htm
https://nvd.nist.gov/vuln/detail/CVE-2018-12327 https://nvd.nist.gov/vuln/detail/CVE-2018-7170 support.ntp.org/bin/view/Main/SecurityNotice https://nvd.nist.gov/vuln/detail/CVE-2018-0732 https://www.openssl.org/news/secadv/20180612.txt

SPRECON-E: partly affected
SPRECON-V: not affected

SPRECON-E: Kernel Update with Firmware 8.59

An update of SPRECON's operating-system-kernel has been finished. This update of the Linux kernel improves the defence-in-depth strategy of SPRECON-E products.

Details can be found in the release-notes of SPRECON-E Control 8.59 firmware.

SPRECON-E: not affected
SPRECON-V: not affected

Cisco has published multiple vulnerabilities in Cisco ASA products. It is recommended to evaluate which ASA versions are in operation respectively if the vulnerabilities are relevant.

• Denial-of-Service via Web , CVE-2018-0296
• TLS Buffer Underflow , CVE-2018-0231
• Application Layer Protocol Inspection Logic Errors, CVE-2018-0240
• SSL VPN Client Certification Authentication Flaw, CVE-2018-0227
• Ingress Software Lock Error, CVE-2018-0228
• Input Validation Flaw in WebVPN Management Interface, CVE-2018-0

Access Control Flaw in CISCO Industrial Ethernet Switch

Cisco as reported a vulnerability in IE switches. An unauthenticated remote attacker could execute a cross-site request forgery (CSRF) attack via the Device Manager web interface.

The vulnerability has been assigned with CVSS 8.8 under CVE-2018-0255.

Multiple vulnerabilities in CISCO IOS / IOS XE / IOS XR

Multiple partly critical vulnerabilities in CISCO IOS software products have been reported. IOS is being used in manifold device families. Operators of CISCO devices are advised to evaluate, if vulnerable versions of IOS variantes are in operation respectively if the vulnerabilities are relevant.

• IOS/IOS XE DHCP Option 82 Processing Bugs,
CVE-2018-0172, CVE-2018-0173, CVE-2018-0174

• Cisco IOS/IOS XE QoS Buffer Overflow Lets, CVE-2018-0151

• Cisco IOS/IOS XE/IOS XR Link Layer Discovery Protocol Privilege Escalation, CVE-2018-0167, CVE-2018-0175

• Cisco IOS/IOS XE Smart Install Input Validation Flaw,
CVE-2018-0156

• Cisco IOS/IOS XE Buffer Overflow in Processing Smart Install Packets, CVE-2018-0171

• Cisco IOS XE Zone-Based Firewall IP Fragment Processing Bug,
CVE-2018-0157

• Cisco IOS XE Default Credentials,
CVE-2018-0150

• Cisco IOS XE IGMP Processing Flaw,
CVE-2018-0165

• Cisco IOS Integrated Services Module for VPN Unspecified Processing Flaw, CVE-2018-0154

• Cisco IOS XE SNMP Memory Management Error,
CVE-2018-0160

• Cisco IOS XE Umbrella Integration Memory Free Error,
CVE-2018-0170

• Cisco IOS XE Web Interface Access Control Bug,
CVE-2018-0152

• Cisco IOS XE Command Line Interface Validation Bugs,
CVE-2018-0169, CVE-2018-0176

• Cisco IOS/IOS XE IKE Processing Flaws,
CVE-2018-0158, CVE-2018-0159

• Cisco IOS XR UDP Broadcast Processing Flaw,
CVE-2018-0241


Further details:

• https://ics-cert.us-cert.gov/advisories/ICSA-18-065-01

SPRECON-E: not affected
SPRECON-V: not affected

Diese betreffen:

Affected Products:

• Hirschmann productlines RS, RSR, RSB, RSB,MACH100, MACH1000,MACH4000, MS, OCTOPUS

Workaround:

• Hirschmann strongly recommends the usage of security-enhancing controls (such as the usage of HTTPS or SSH, see link below)

Further details:

• https://ics-cert.us-cert.gov/advisories/ICSA-18-065-01

SPRECON-V: partly affected

We can confirm that the following updates resolve several issues, caused by the Microsoft Security Update at the beginning of the year 2018.

• KB4074594 resolves KB4056898 - Windows 8.1. for x64-based Systems

• KB4074594 resolves KB4056895 and KB4056898 - Windows 8.1 and Windows Server 2012 R2 Standard

• KB4074592 resolves KB4056891 - Windows 10 Version 1703 for x64-based Systems

• KB4074596 resolves KB4056893 - Windows 10 Version 1507 for x64-based Systems

• KB4074590 resolves KB4056890 - Windows Server 2016 and Windows 10 Version 1607

• KB4074593 resolves KB4056896 - Windows Server 2012 Standard

• KB4074598 resolves KB4056894 - Windows 7 and Windows Server 2008 R2

As already published in public media, several CPU chips from renowned manufacturers (Intel, AMD, etc.) are affected. Meltdown and Spectre use vulnerabilities such as faulty kernel-mappings in order to read arbitrary data from memory and disclose sensitive information.
A potential attacker would need to download malicious software to the system, execute it, and extract the results in order to use these attacks.

As SPRECON-V can be applied on various computer hardware, it depends on the used hardware wether the proper installation is affected or not. For complete mitigation, operation system patches will need to be applied as soon as they can be installed without problems.

At the moment, it has been recognized that several Microsoft Windows patches lead to problems. It is not recommended to apply these patches directly to the operational system. In case they shall be applied, it is recommended to first create a backup of the systems, and first apply the patches to an equivalent test system and check the functionality after patching. Alternative countermeasures as below can be applied.

Additional analysis is currently being done. As soon as Microsoft Windows patches can be installed, hence are appoved by Sprecher Automation, this information will be shared.

        
Affected Products:

• SPRECON-V460 if operated on affected hardware:
  Intel, AMD, ARM
  https://www.heise.de/newsticker/meldung/Prozessor-Luecken-Meltdown-und-Spectre-Intel-und-ARM-fuehren-betroffene-Prozessoren-auf-Nvidia-3934667.html
  https://www.cvedetails.com/cve-details.php?cve_id=CVE-2017-5754

Countermeasures:

• Technical/operational networks must be isolated from public networks
• All communication means that lead into an operational network need to be monitored
• HMI-stations within operational networks / stations should be additionally hardened (application whitelisting and/or antivirus software)
• Enforcement of security monitoring in all areas and networks in order to detect anomalies
• Strictly apply defence-in-depth in your networks
• Chip and operating system manufacturers already work towards possible patches
• Recommendations of respective manufacturers can be considered to be implemented in the affected stations
  
  Microsoft offers tools in order to prove if the hardware is affected:
  https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

• Meltdown and Spectre,
  http://meltdownattack.com
  
  Google Security Blog,
  https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
  
  COPADATA
  https://www.copadata.com/en/news/news/security-announcement-6943/

SPRECON-E: not affected
SPRECON-V: not affected

A remote user can send specially crafted XML packets to the target webvpn-configured interface to trigger a double-free memory error in the SSL VPN function and execute arbitrary code on the target system.

Systems with the webvpn feature enabled are affected.

        
Affected Products:

The following models are affected:

• 3000 Series Industrial Security Appliance (ISA)
• 5500 Series Adaptive Security Appliances
• 5500-X Series Next-Generation Firewalls
• ASA Services Module for Catalyst 6500 Series Switches and 7600 Series Routers
• 1000V Cloud Firewall
• Adaptive Security Virtual Appliance (ASAv)
  
  Several Firepower series devices are also affected.
  
  

Countermeasures:

• The vendor has issued a fix (see link below).

• https://securitytracker.com/id/1040292
  
  
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

SPRECON-E: not affected
SPRECON-V: not affected

A remote user can send specially crafted IPv6 packets with a fragment header extension to or through the target Trident-based line card to cause the line card to reload.

Systems with Trident-based line cards that have IPv6 configured are affected.

Affected Products:

Trident-Based Line Cards:

• A9K-40GE-L
• A9K-40GE-B
• A9K-40GE-E
• A9K-4T-L
• A9K-4T-B
• A9K-4T-E
• A9K-8T/4-L
• A9K-8T/4-B
• A9K-8T/4-E
• A9K-2T20GE-L
• A9K-2T20GE-B
• A9K-2T20GE-E
• A9K-8T-L
• A9K-8T-B
• A9K-8T-E
• A9K-16/8T-B
  
  

Countermeasures:

• The vendor has issued a fix (Service Pack 7 for Cisco IOS XR Software Release 5.3.4).
  
  

• https://securitytracker.com/id/1040315

SPRECON-E: partly affected

As already published in public media, several CPU chips from renowned manufacturers (Intel, AMD, etc.) are affected. One of these affected products is used within SPRECON-E Falcon CPUs (PU244x) on ARM basis. Other SPRECON-E products respectively CPU families are not affected. However, the resulting risk is marginal for SPRECON devices.

Followingly the facts about this:        

• Meltdown is not relevant to ARM chips, hence, no risk from this attack
• Regarding Spectre, the variants 1 and 2 according to ^[1] are relevant. Hence, CVE-2017-5753 and CVE-2017-5715.
• in order to exploit these vulnerabilities, a potential attacker would need to download malicious software to the device, execute it, and extract the results. Theoretically, this could lead to disclosure of sensitive data, which would compromise the confidentiality of data, but not directly compromise integrity or availability of the device.
• However, SPRECON realizes a strict defence-in-depth strategy. This means, that there is no way to download arbitrary data on the device and execute downloaded code. Every means to download data onto the device is limited to authentic configuration data within the available engineering-worklfow on SPRECON. Hence, the risk from this vulnerability is minimal.

^[1] https://developer.arm.com/support/security-update

Affected Products:

• SPRECON-E-C respectively SPRECON-E-P with CPU PU244x
  
  

• There is no need for action regarding the attacks Meltdown and Spectre.

SPRECON-E: not affected
SPRECON-V: not affected

The company Meinberg informed about multiple vulnerabilities in its devices' web-userinterface as well as the NTP key generation. For details see the appropriate CVE codes, as well as http://www.ids.de/it-security/it-security-bulletin.html.

• Due to a wrong configuration in the Webserver Access Control List, an unauthenticated attacker is able to read arbitrary files.

• Error in restricted URL-access: specifically drafted HTTP/HTTPS queries allowed an unauthenticated attacker to read statistical data and grafics.

• Arbitrary file-upload: an authenticated directory-traversal attack allowed to upload arbitrary files due to missing validations.

• Error in NTP key generation: older versions of LTOS6-firmware erroneously handles NTP key generation, which enabled the usage of old keys after new keys have been generated.

        
Affected Products:

LTOS6-Firmware-Versionen before 6.24.004, which are used in LANTIME M-Series (M100, M200, M300, M400, M600, M900) as well as all devices of IMS-Series (M500, M1000, M1000S, M3000, M3000S, M4000) as well as SyncFire-Products (SF1000 / SF1100).

Countermeasures:

Meinberg already released firmware version 6.24.004 where these vulnerabilities are fixed. Customers of Meinberg can download it via  https://www.meinberg.de/german/sw/firmware.htm

SPRECON-E: not affected
SPRECON-V: not affected

A vulnerability in the implementation of the direct authentication feature in Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected device to unexpectedly reload, resulting in a denial of service (DoS) condition.

The vulnerability is due to incomplete input validation of the HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to the local IP address of an affected device. A successful exploit could allow the attacker to cause the affected device to reload.

Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems that have the direct authentication feature enabled. This vulnerability can be triggered by IPv4 or IPv6 traffic.

        
Affected Products:

This vulnerability affects Cisco Adaptive Security Appliance (ASA) Software that is running on the following Cisco products:

• ASA 5500 Series Adaptive Security Appliances
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• ASA 1000V Cloud Firewall
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 4110 Security Appliance
• Firepower 9300 ASA Security Module
• ISA 3000 Industrial Security Appliance

Countermeasures:

Cisco has released free software updates that address the vulnerability.

Further details on software versions, fixes, and detailed descriptions can be obtained from the security advisory:

> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-asa

SPRECON-V460

A well-known security vendor recently discovered malware capable of affecting power grid operations, confirmed by Dragos as the malware used against Ukraine during late December 2016 power outage. The malware is highly modular supporting several protocols such as IEC 101, IEC 104, IEC 61850, and OPC Data Access (OPC DA). This malware also contains a data wiping component enabling destructive operations against the location machine, similar to the capability used against Ukraine in 2015.

Categorisation
Currently, no further exploits are known. The analysis from Dragos bases on samples from December 2016. It is obvious, that the malware has been extended and further developed in the meanwhile.
Principally, Microsoft Windows based maschines are vulnerable to this malware. Therefore, for Windows-based HMI stations the necessary countermeasures have to be taken into account.

     
        
Countermeasures

• Utilities shall strictly isolate technical (ICS) networks from others (such as e.g. office networks).

• All communication means to access ICS networks (and especially Windows based HMI stations) need to be secured, such as e.g. remote maintenance connections or mobile storage devices.

• HMI stations shall additionally be hardened using e.g. application whitelisting. Additionally, antivirus software might be applied. Be aware, that antivirus software might cause false-positives on functionally relevant machines.

• Electric utility security teams should have a clear understanding of where and how IEC 104 and IEC 61850 protocols are used. An appropriate security monitoring shall be enforced.

• The YARA rules published by Dragos and other indicators of compromise can be leveraged to search for possible infections (IOCs).

• Robust backups of engineering files such as project logic, IED configura­tion files, and ICS application installers should be offline and tested. This will help reduce the impact of the wiper functionality.
  
  
• Prepare incident response plans for this attack and perform table top exer­cises bringing in appropriate stakeholders and personnel across engineer­ing, operations, IT, and security. Further information as well as solution approaches can be obtained from the appropriate CERT warnings as well as the Microsoft website.

> BBC News

> WIN32/Industroyer: A new threat for industrial control systems

> WIN32/Industroyer: Indicators of Compromise

> Siemens Security Advisory by Siemens

 > Dragos World Advisory

 > BSI News

 > Dragons Analyse

SPRECON-V460 Systems

The ransomware WannaCry spreads across the internet since 12.5.2017. WannaCry is a ransomware, hence encrypts a set of defined filetypes on the affected computer's file system. It is highly critical, since it automatically distributes across a company's network infrastructure using several known vulnerabilities in Microsoft Windows.

 
Categorisation  
A high risk results for SPRECON V460 stations, if their network zone is connected to an office network via Windows file sharing (SMB), NETBIOS or RDP.
  

     
        
Solution
Microsoft already closed the respective vulnerabilities in March 2017 via security patches. It is recommended to patch all Windows machines with actual security updates in order to mitigate these vulnerabilities.

Since May, security patches are also available for older Windows versions such as Windows XP or Windows Server 2003.

Further information as well as solution approaches can be obtained from the appropriate CERT warnings as well as the Microsoft website.

>   CERT.at: Ransomware/Wurm WannaCry

>   BSI: Tausende Clouds in Deutschland anfällig für Cyber-Attacken

>   Microsoft: Customer Guidance for WannaCrypt attacks

>   Microsoft: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.

Affected Products
Catalyst switches,
Embedded Service 2020 switches,
Enhanced Layer 2 EtherSwitch Service Module,
Enhanced Layer 2/3 EtherSwitch Service Module,
Gigabit Ethernet Switch Module (CGESM) for HP,
IE Industrial Ethernet switches,
ME 4924-10GE switch, RF Gateway 10,
SM-X Layer 2/3 EtherSwitch Service Module

Solution
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVSS-Score: 9.8

>   Cisco Security Advisory

  CERT-EU Security Advisory 2017-006

Users of IPSec VPN connections with SPRECON-E

Since firmware version 8.41, users are enabled to operate IPSec VPN connections with SPRECON control devices. The configuration therefore is done via the proper Security Editor tool, that offers a user interface for defining IPSec settings. Upon configuration, the users exports the propriertary file ipsec.cfg from this tool. This file can than be imported with the SPRECON Designer in order to integrate it into the process device list (main configuration file) which may then be downloaded to the device.

During IPSec configuration, the authentication of the IPSec pariticipant has to be defined. Depending on the chosen authentication method, either a pre-shared key or certificate may be used which in turn contains a private key. The vendor Sprecher Automation advises all users to maintain the confidentiality of these files, since they contain critical information.

Actually, ipsec.cfg files are equipped with a password-based protection mechanism against manipulation, which has been implemented majorly for protecting users against unauthorized alteration of the files. This is not a strong cryptographical encryption, which ensures confidentiality of those files against potential attacks. In order to support all customers, from SPRECON firmware 8.56 and Security Editor 1.03 a strong encryption will be applied to the ipsec.cfg files, to cryptographically ensure confidentiality and integrity of IPSec configurations.

SPRECON-E-C/-E-P/-E-T3: affected

SPRECON-V460: not affected

Under certain preconditions, it is possible for a non-admin user to execute a telegram simulation.

As prerequisites, a user has to open an online-connection to the device, validly authenticate and authorise as administrator, and execute telegram simulation. The online-connection subsequently has to be closed without closing the program. Faulty caching of client data then may allow a following non-admin user to execute telegram simulation.

In order to exploit this vulnerability, a potential attacker would need to have both a valid engineering-account in the SPRECON RBAC system as well as access to the service/maintenance computer. Additionally, a valid admin-user must have executed telegram simulation, then close the service connection beforehand without closing the program. Hence, there is no risk from external attackers.

Affected Product: SPRECON-E Service Program 3.42 SP0

Limitation: 

This vulnerability is only relevant if using role-based access control (RBAC) on SPRECON. RBAC is available since the following product versions:

• SPRECON-E Designer 5.79 SP0 (Access control needs to be activated, either local or remote (RADIUS) authentication profiles need to be configured)
• SPRECON-E Firmware 8.49d
• SPRECON-E Service Program 3.42 SP0

Solution

Sprecher Automation recommends to update SPRECON-E Service Program to version 3.43 SP0 or higher. An update of the Service Program can be done independently from device firmware and other related products.

Workaround

If it can be ensured that the Service Program is being closed after each usage by a particular user, there is no risk from this vulnerability.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

Cisco closes several, partially critical, vulnerabilities with a new software update.

CVE-2016-6432 defines a security gap (CVSS score of 9.3) which could allow an unauthenticated remote attacker to cause a reload of the affected system or to remotely execute code. An attacker could exploit this vulnerability by sending a crafted NetBIOS packet in response to a NetBIOS probe sent by the ASA software.

Cisco has released software updates that address this vulnerability. A workaround is to deactivate NetBIOS probing.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

The latest firmware update for SIPROTEC 4 and SIPROTEC Compact fixes multiple vulnerabilities, which are classified with CVSS-Scores from 7.8 to 10 according to cvedetails.com. The vulnerabilities exist within the EN100 Ethernet module.

The vulnerabilities CVE-2016-7112 and CVE-2016-7114 allow remote attackers to bypass authentication and obtain administrative privileges.

CVE-2016-7113 allows remote attackers to cause a denial of service via HTTP.

An update to the latest firmware is necessary. As a general security measure, Siemens recommends to run devices in protected IT environments.

> Siemens

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE-2016-3962

CVE-2016-3988

CVE-2016-3989

• IMS-LANTIME M3000
• IMS-LANTIME M1000
• IMS-LANTIME M500
• LANTIME M900
• LANTIME M600
• LANTIME M400
• LANTIME M300
• LANTIME M200
• LANTIME M100
• SyncFire 1100
• LCES

CVE-2016-3962 and CVE-2016-3988 are Buffer-Overflow vulnerabilities in the time-server interface that enable remote-attackers to cause “denial-of-service” and allow the capture of sensitive information or manipulation of data.

CVE-2016-3989 causes "Privilege Escalation", where attackers can use the "nobody" user to obtain root privileges.

Vulnerabilities have the criticality scores of 7.3 and respectively 8.1.

Meinberg already released a fixed firmware (Version 6.20.004).

> ICS-CERT

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated remote attacker to cause a reload of the affected system or to execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. This could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

Cisco has released software updates that address the vulnerability.

> Cisco

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

Tenable Network Security detected a “NULL pointer deference” security gap in the CODESYS Runtime Toolkit of 3S-Smart Software Solutions GmbH.

This gap allows an attacker to trigger a “denial of service” by causing the crash of the Runtime Toolkit. All CODESYS Runtime Toolkit versions < 2.4.7.48 are affected.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

The vulnerability of the widely used real-time embedded operating system VxWorks (versions 5.5 to incl. 6.9.4.1) of Wind River can be identified by Fuzzing.

By using this vulnerability, it is possible to provoke a buffer overflow via the network and then execute any code. Furthermore, the FTP server of the system could be crashed through a specific username and password (demonstrated at the security conference 44CON).

The latest generation – VxWorks version 7 – is not affected.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

“LogJam” is a security gap in the Diffie-Hellman crypto protocol for encrypted connections of web-, mail-, SSH- and VPN-servers. Due to a weakness of the TLS process (Transport Layer Security), the key size can be reduced to unsecure 512 bit by a man-in-the-middle attack.

That allows to shift the HTTPS connections to the unsecure export mode and to compromise them. Generally, the 512 Bit key size is not used anymore, but some servers still support it for compatibility reasons.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

“GHOST” is a security gap of the gethostbyname() function (standard C library: Glibc). Under certain circumstances, malware can be executed via malicious DNS-responses.

The gap arose with Glibc 2.2 (11/2000) and has been fixed within version 2.18 (01/2013).

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

3^rd-Party: Microsoft^® Windows^® Server 2003 SP2, Windows^® Vista SP2, Windows^® Server 2008 SP2 and R2 SP1, Windows^® 7 SP1, Windows^® 8, Windows^® 8.1, Windows^® Server 2012 Gold and R2, and Windows^® RT Gold and 8.1

The crypto component "Microsoft^® Secure Channel" is also responsible for encrypted Internet connections. Microsoft^® classified this security gap as critical (MS14-066). Through the Schannel security gap attackers can implant manipulated data packages via prepared websites and take over control of the computer.

• Update Windows^® operating system
• Only run computers with Windows^® operating systems in isolated networks

SPRECON-E-C/-E-P/-E-T3: Webserver

SPRECON-V460: not affected

3^rd-Party: IP camera access via browser (Chrome, Firefox, Internet Explorer,...)

If server and client of a TLS connection also support the previous versions of the protocol (i.e. due to compatibility reasons), attackers may force a backset to the older and vulnerable SSLv3 by a MiM (Man in the Middle) attack. Hence it is possible to disclose the session cookie and to take over the connection.

SSLv3 support (which was necessary due to compatibility reasons) will be terminated along with the next version of the SPRECON webserver.

• Deactivate your webserver (should be standard if not used)
• Deactivate SSLv3 in your web browser