SPRECON-V460

A well-known security vendor recently discovered malware capable of affecting power grid operations, confirmed by Dragos as the malware used against Ukraine during late December 2016 power outage. The malware is highly modular supporting several protocols such as IEC 101, IEC 104, IEC 61850, and OPC Data Access (OPC DA). This malware also contains a data wiping component enabling destructive operations against the location machine, similar to the capability used against Ukraine in 2015.

Categorisation
Currently, no further exploits are known. The analysis from Dragos bases on samples from December 2016. It is obvious, that the malware has been extended and further developed in the meanwhile.
Principally, Microsoft Windows based maschines are vulnerable to this malware. Therefore, for Windows-based HMI stations the necessary countermeasures have to be taken into account.

     
        
Countermeasures

• Utilities shall strictly isolate technical (ICS) networks from others (such as e.g. office networks).

• All communication means to access ICS networks (and especially Windows based HMI stations) need to be secured, such as e.g. remote maintenance connections or mobile storage devices.

• HMI stations shall additionally be hardened using e.g. application whitelisting. Additionally, antivirus software might be applied. Be aware, that antivirus software might cause false-positives on functionally relevant machines.

• Electric utility security teams should have a clear understanding of where and how IEC 104 and IEC 61850 protocols are used. An appropriate security monitoring shall be enforced.

• The YARA rules published by Dragos and other indicators of compromise can be leveraged to search for possible infections (IOCs).

• Robust backups of engineering files such as project logic, IED configura­tion files, and ICS application installers should be offline and tested. This will help reduce the impact of the wiper functionality.
  
  
• Prepare incident response plans for this attack and perform table top exer­cises bringing in appropriate stakeholders and personnel across engineer­ing, operations, IT, and security. Further information as well as solution approaches can be obtained from the appropriate CERT warnings as well as the Microsoft website.

> BBC News

> WIN32/Industroyer: A new threat for industrial control systems

> WIN32/Industroyer: Indicators of Compromise

> Siemens Security Advisory by Siemens

 > Dragos World Advisory

 > BSI News

 > Dragons Analyse

SPRECON-V460 Systems

The ransomware WannaCry spreads across the internet since 12.5.2017. WannaCry is a ransomware, hence encrypts a set of defined filetypes on the affected computer's file system. It is highly critical, since it automatically distributes across a company's network infrastructure using several known vulnerabilities in Microsoft Windows.

 
Categorisation  
A high risk results for SPRECON V460 stations, if their network zone is connected to an office network via Windows file sharing (SMB), NETBIOS or RDP.
  

     
        
Solution
Microsoft already closed the respective vulnerabilities in March 2017 via security patches. It is recommended to patch all Windows machines with actual security updates in order to mitigate these vulnerabilities.

Since May, security patches are also available for older Windows versions such as Windows XP or Windows Server 2003.

Further information as well as solution approaches can be obtained from the appropriate CERT warnings as well as the Microsoft website.

>   CERT.at: Ransomware/Wurm WannaCry

>   BSI: Tausende Clouds in Deutschland anfällig für Cyber-Attacken

>   Microsoft: Customer Guidance for WannaCrypt attacks

>   Microsoft: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.

Affected Products
Catalyst switches,
Embedded Service 2020 switches,
Enhanced Layer 2 EtherSwitch Service Module,
Enhanced Layer 2/3 EtherSwitch Service Module,
Gigabit Ethernet Switch Module (CGESM) for HP,
IE Industrial Ethernet switches,
ME 4924-10GE switch, RF Gateway 10,
SM-X Layer 2/3 EtherSwitch Service Module

Solution
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVSS-Score: 9.8

>   Cisco Security Advisory

  CERT-EU Security Advisory 2017-006

Users of IPSec VPN connections with SPRECON-E

Since firmware version 8.41, users are enabled to operate IPSec VPN connections with SPRECON control devices. The configuration therefore is done via the proper Security Editor tool, that offers a user interface for defining IPSec settings. Upon configuration, the users exports the propriertary file ipsec.cfg from this tool. This file can than be imported with the SPRECON Designer in order to integrate it into the process device list (main configuration file) which may then be downloaded to the device.

During IPSec configuration, the authentication of the IPSec pariticipant has to be defined. Depending on the chosen authentication method, either a pre-shared key or certificate may be used which in turn contains a private key. The vendor Sprecher Automation advises all users to maintain the confidentiality of these files, since they contain critical information.

Actually, ipsec.cfg files are equipped with a password-based protection mechanism against manipulation, which has been implemented majorly for protecting users against unauthorized alteration of the files. This is not a strong cryptographical encryption, which ensures confidentiality of those files against potential attacks. In order to support all customers, from SPRECON firmware 8.56 and Security Editor 1.03 a strong encryption will be applied to the ipsec.cfg files, to cryptographically ensure confidentiality and integrity of IPSec configurations.

SPRECON-E-C/-E-P/-E-T3: affected

SPRECON-V460: not affected

Under certain preconditions, it is possible for a non-admin user to execute a telegram simulation.

As prerequisites, a user has to open an online-connection to the device, validly authenticate and authorise as administrator, and execute telegram simulation. The online-connection subsequently has to be closed without closing the program. Faulty caching of client data then may allow a following non-admin user to execute telegram simulation.

In order to exploit this vulnerability, a potential attacker would need to have both a valid engineering-account in the SPRECON RBAC system as well as access to the service/maintenance computer. Additionally, a valid admin-user must have executed telegram simulation, then close the service connection beforehand without closing the program. Hence, there is no risk from external attackers.

Affected Product: SPRECON-E Service Program 3.42 SP0

Limitation: 

This vulnerability is only relevant if using role-based access control (RBAC) on SPRECON. RBAC is available since the following product versions:

• SPRECON-E Designer 5.79 SP0 (Access control needs to be activated, either local or remote (RADIUS) authentication profiles need to be configured)
• SPRECON-E Firmware 8.49d
• SPRECON-E Service Program 3.42 SP0

Solution

Sprecher Automation recommends to update SPRECON-E Service Program to version 3.43 SP0 or higher. An update of the Service Program can be done independently from device firmware and other related products.

Workaround

If it can be ensured that the Service Program is being closed after each usage by a particular user, there is no risk from this vulnerability.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

Cisco closes several, partially critical, vulnerabilities with a new software update.

CVE-2016-6432 defines a security gap (CVSS score of 9.3) which could allow an unauthenticated remote attacker to cause a reload of the affected system or to remotely execute code. An attacker could exploit this vulnerability by sending a crafted NetBIOS packet in response to a NetBIOS probe sent by the ASA software.

Cisco has released software updates that address this vulnerability. A workaround is to deactivate NetBIOS probing.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

The latest firmware update for SIPROTEC 4 and SIPROTEC Compact fixes multiple vulnerabilities, which are classified with CVSS-Scores from 7.8 to 10 according to cvedetails.com. The vulnerabilities exist within the EN100 Ethernet module.

The vulnerabilities CVE-2016-7112 and CVE-2016-7114 allow remote attackers to bypass authentication and obtain administrative privileges.

CVE-2016-7113 allows remote attackers to cause a denial of service via HTTP.

An update to the latest firmware is necessary. As a general security measure, Siemens recommends to run devices in protected IT environments.

> Siemens

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE-2016-3962

CVE-2016-3988

CVE-2016-3989

• IMS-LANTIME M3000
• IMS-LANTIME M1000
• IMS-LANTIME M500
• LANTIME M900
• LANTIME M600
• LANTIME M400
• LANTIME M300
• LANTIME M200
• LANTIME M100
• SyncFire 1100
• LCES

CVE-2016-3962 and CVE-2016-3988 are Buffer-Overflow vulnerabilities in the time-server interface that enable remote-attackers to cause “denial-of-service” and allow the capture of sensitive information or manipulation of data.

CVE-2016-3989 causes "Privilege Escalation", where attackers can use the "nobody" user to obtain root privileges.

Vulnerabilities have the criticality scores of 7.3 and respectively 8.1.

Meinberg already released a fixed firmware (Version 6.20.004).

> ICS-CERT

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated remote attacker to cause a reload of the affected system or to execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. This could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

Cisco has released software updates that address the vulnerability.

> Cisco

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

Tenable Network Security detected a “NULL pointer deference” security gap in the CODESYS Runtime Toolkit of 3S-Smart Software Solutions GmbH.

This gap allows an attacker to trigger a “denial of service” by causing the crash of the Runtime Toolkit. All CODESYS Runtime Toolkit versions < 2.4.7.48 are affected.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

The vulnerability of the widely used real-time embedded operating system VxWorks (versions 5.5 to incl. 6.9.4.1) of Wind River can be identified by Fuzzing.

By using this vulnerability, it is possible to provoke a buffer overflow via the network and then execute any code. Furthermore, the FTP server of the system could be crashed through a specific username and password (demonstrated at the security conference 44CON).

The latest generation – VxWorks version 7 – is not affected.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

“LogJam” is a security gap in the Diffie-Hellman crypto protocol for encrypted connections of web-, mail-, SSH- and VPN-servers. Due to a weakness of the TLS process (Transport Layer Security), the key size can be reduced to unsecure 512 bit by a man-in-the-middle attack.

That allows to shift the HTTPS connections to the unsecure export mode and to compromise them. Generally, the 512 Bit key size is not used anymore, but some servers still support it for compatibility reasons.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

“GHOST” is a security gap of the gethostbyname() function (standard C library: Glibc). Under certain circumstances, malware can be executed via malicious DNS-responses.

The gap arose with Glibc 2.2 (11/2000) and has been fixed within version 2.18 (01/2013).

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

3^rd-Party: Microsoft^® Windows^® Server 2003 SP2, Windows^® Vista SP2, Windows^® Server 2008 SP2 and R2 SP1, Windows^® 7 SP1, Windows^® 8, Windows^® 8.1, Windows^® Server 2012 Gold and R2, and Windows^® RT Gold and 8.1

The crypto component "Microsoft^® Secure Channel" is also responsible for encrypted Internet connections. Microsoft^® classified this security gap as critical (MS14-066). Through the Schannel security gap attackers can implant manipulated data packages via prepared websites and take over control of the computer.

• Update Windows^® operating system
• Only run computers with Windows^® operating systems in isolated networks

SPRECON-E-C/-E-P/-E-T3: Webserver

SPRECON-V460: not affected

3^rd-Party: IP camera access via browser (Chrome, Firefox, Internet Explorer,...)

If server and client of a TLS connection also support the previous versions of the protocol (i.e. due to compatibility reasons), attackers may force a backset to the older and vulnerable SSLv3 by a MiM (Man in the Middle) attack. Hence it is possible to disclose the session cookie and to take over the connection.

SSLv3 support (which was necessary due to compatibility reasons) will be terminated along with the next version of the SPRECON webserver.

• Deactivate your webserver (should be standard if not used)
• Deactivate SSLv3 in your web browser