Tuesday, December 20th, 2011

The Siemens SIMATIC Remote, Authentication Bypass (that doesn’t exist)

I have been working with ICS-CERT and various vendors over the last year, finding bugs and “responsibly” reporting nearly 1000 bugs… all for free and in my spare time. Overall, it’s been a great experience. Most of the vendors have been great to work with and ICS-CERT has done a great job managing all the bugs I’ve given them. In May of this year, I reported an authentication bypass for Siemens SIMATIC systems. These systems are used to manage Industrial Control Systems and Critical Infrastructure. I’ve been patiently waiting for a fix for the issue, which affects pretty much every Siemens SIMATIC customer. Today, I was forwarded the following from Siemens PR (Alex Machowetz) via a Reuters reporter who had made an inquiry about the bugs we reported:

“I contacted our IT Security experts today who know Billy Rios…. They told me that there are no open issues regarding authentication bypass bugs at Siemens.”

For all the other vendors out there, please use this as a lesson on how NOT to treat security researchers who have been freely providing you security advice and have been quietly sitting for half a year on remote authentication bypasses for your products.

Since Siemens has “no open issues regarding authentication bypass bugs”, I guess it’s OK to talk about the issues we reported in May. Either that or Siemens just blatantly lied to the press about the existence of security issues that could be used to damage critical infrastructure…. but Siemens wouldn’t lie… so I guess there is no authentication bypass.

These aren't the Auth Bypasses you're looking for

First, the default password for Siemens SIMATIC is “100”. There are three different services that are exposed when Siemens SIMATIC is installed: Web, VNC, and Telnet. The default creds for the Web interface are “Administrator:100”, and the VNC service only requires the user to enter the password “100” (there is no user name). This is likely the vector pr0f used to gain access to South Houston (but only he can say for sure). All the services maintain their credentials separately, so changing the default password for the web interface doesn’t change the VNC password (and vice versa). I’ve found MANY of these services listening on the Internet… in fact you can find a couple here: http://www.shodanhq.com/search?q=simatic+HMI
https://www.google.com/?#q=%22SIMATIC+HMI+Miniweb+on%22

But WAIT, there's MORE!

But WAIT… there’s MORE! If a user changes their password to a new password that includes a special character, the password may automatically be reset to “100”. Yes, you read that correctly… if a user has any special characters in their password, it may be reset to “100”. You can read about these awesome design decisions (and many others) in the Siemens user manuals.

But WAIT… there’s MORE! So I took a look at what happens when an Administrator logs into the Web HMI. Upon a successful login, the web application returns a session cookie that looks something like this:

EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTM3NzQ2OCoxNyo=

Looks pretty secure… right? Well, I harvested sessions from repeated, successful logins and this is what I saw:

EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTM3NzQ2OCoxNyo=
EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTM5MzQ2OCoxOCo=
EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQwOTQ4NCoxOSo=
EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQyNTQ4NCoyMCo=
EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQ0MTUwMCoyMSo=
EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQ1NzUwMCoyMio=
EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQ3MzUxNSoyMyo=
EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQ4OTUxNSoyNCo=

Not so random huh…. If you decode these values, you’ll see something like this:

<STATIC VALUE>*administrator*11377468*17*
<STATIC VALUE>*administrator*11393468*18*
<STATIC VALUE>*administrator*11409484*19*
<STATIC VALUE>*administrator*11425484*20*
<STATIC VALUE>*administrator*11441500*21*
<STATIC VALUE>*administrator*11457500*22*
<STATIC VALUE>*administrator*11473515*23*
<STATIC VALUE>*administrator*11489515*24*

Totally predictable. For those non-techies reading this… what can someone do with this non-existent bug? They can use this to gain remote access to a SIMATIC HMI which runs various control systems and critical infrastructure around the world… aka they can take over a control system without knowing the username or password. No need to worry though, as there are “no open issues regarding authentication bypass bugs at Siemens.”
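To make the “totally predictable” claim concrete, here is an added example (my own code, not Siemens’ and not from the original post) that base64-decodes the eight cookies listed above, splits each one into the opaque binary prefix the post calls <STATIC VALUE> plus the `*user*counter*sequence*` text, and summarises what actually varies between logins. It also includes a hardened token generator of the kind a defender would want instead: the whole cookie comes from the OS CSPRNG, and the user name and login time live in a server-side session table rather than inside the token. The field names (`prefix`, `counter`, `seq`) and the predictability heuristic are my own labels and assumptions, not Siemens’ terminology.

```python
import base64
import secrets
from typing import List, Tuple

# The eight session cookies the post lists as harvested from successive
# Administrator logins (copied from the post, not constructed).
CAPTURED_COOKIES = [
    "EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTM3NzQ2OCoxNyo=",
    "EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTM5MzQ2OCoxOCo=",
    "EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQwOTQ4NCoxOSo=",
    "EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQyNTQ4NCoyMCo=",
    "EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQ0MTUwMCoyMSo=",
    "EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQ1NzUwMCoyMio=",
    "EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQ3MzUxNSoyMyo=",
    "EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcioxMTQ4OTUxNSoyNCo=",
]


def decode_cookie(cookie: str) -> Tuple[bytes, str, int, int]:
    """Split one cookie into (binary prefix, user, counter, sequence number).

    The decoded value is an opaque binary prefix (the post's <STATIC VALUE>)
    followed by ASCII text of the form '*<user>*<counter>*<seq>*'. Splitting
    from the right on the last four '*' bytes keeps any '*' byte that might
    occur inside the binary prefix out of the text fields.
    """
    raw = base64.b64decode(cookie)
    prefix, user, counter, seq, trailer = raw.rsplit(b"*", 4)
    if trailer != b"":
        raise ValueError("cookie does not end with '*'")
    return prefix, user.decode("ascii"), int(counter), int(seq)


def analyze_tokens(cookies: List[str]) -> dict:
    """Summarise how much of a batch of session tokens actually varies."""
    decoded = [decode_cookie(c) for c in cookies]
    prefixes = {p for p, _, _, _ in decoded}
    users = {u for _, u, _, _ in decoded}
    counters = [c for _, _, c, _ in decoded]
    seqs = [s for _, _, _, s in decoded]
    return {
        "prefix_len_bytes": len(next(iter(prefixes))),
        "distinct_prefixes": len(prefixes),
        "users": sorted(users),
        # Differences between consecutive counters: roughly 16000 apart here,
        # i.e. one value per login that only ever moves forward.
        "counter_deltas": [b - a for a, b in zip(counters, counters[1:])],
        # Distinct step sizes of the trailing sequence number.
        "seq_steps": sorted({b - a for a, b in zip(seqs, seqs[1:])}),
    }


def is_predictable(cookies: List[str]) -> bool:
    """Audit heuristic (my own): flag a scheme whose prefix never changes and
    whose only per-session variation is a monotonically increasing counter
    plus a sequence number that steps by exactly one."""
    summary = analyze_tokens(cookies)
    return (
        summary["distinct_prefixes"] == 1
        and all(d > 0 for d in summary["counter_deltas"])
        and summary["seq_steps"] == [1]
    )


def secure_session_cookie() -> str:
    """Hardened alternative (added here, not Siemens code): 128 bits from the
    OS CSPRNG and nothing else. Who logged in, and when, belongs in a
    server-side session table keyed by this value, not inside the cookie."""
    token = secrets.token_bytes(16)
    return base64.urlsafe_b64encode(token).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    print(analyze_tokens(CAPTURED_COOKIES))
    print("predictable:", is_predictable(CAPTURED_COOKIES))
    print("hardened example:", secure_session_cookie())
```

Running this shows a single 20-byte prefix shared by all eight cookies, one user name, counter deltas of 16000 or 16016 (16015 once), and a sequence number that climbs 17 through 24; nothing in the token is unguessable once one valid cookie has been seen. The `secure_session_cookie` replacement gives every login 128 fresh random bits and carries no user or timing information at all, which is the property a session identifier needs.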

Next time, Siemens should think twice before lying to the press about security bugs that could affect the critical infrastructure…. To everyone else, Merry Christmas.

BK

Posted by xssniper | Filed in Lies

  • http://stillunderconstructions.fx.wz Rx

    (°0°)

    it’s freaking amazing and shocking

  • http://www.lookout.net Chris Weber

    Nailed! And a Ho Ho Ho to you too! Great read. Maybe they should have just been honest and said “We don’t have the resources or technical capability to look into this issue or attempt a fix” or whatever the case may be.

  • xssniper

    Agreed. I already waited over six months for the fix… I had no problems waiting longer. All that was needed was a “no comment”, no need to lie and try to discredit me.

  • shk

    great insight – I’ll be following any progression, keep up the good work.

  • http://www.thespanner.co.uk/ Gareth Heyes

    Glad they are all “fixed”. Nice work Billy shame about the vendor.

  • http://h.ackack.net/ Fredrik N. Almroth

    Damn. That’s so insanely bad from Siemens.
    Great read nevertheless!

  • SecurityNoobsRUs

    I just sent a message to every manager within earshot of me with your blog post, telling them that Siemens is the one who lost all credibility on Internet security and authentication the day you wrote this blog post.

    I also saved a copy of this post on my local drive, in case it gets taken down.

    Excellent work. Thank you for your contribution to the community.

  • Ed von Schleck

    It is not the system with a default password that is bad, but the one who forgets to change the password. We do not need labels like “Do not put pets into your microwave oven.”

    The information whether in the session cookie depends on the password, user name and system id is missing. Also the value of the 3rd parameter is not known. It got a length of at least 23 bit. If the depends on the username, password and system id properly, it is not easier to guess the cookie than to guess the username and password, unless you can extract information about the easy enough from somewhere else. Maybe it is not an accident that the length of the is 80 bit, 80 bit is a meaningful length.

    Appending a constant to a random number won’t make it less random.

    So, so far, I cannot decide whether this is a weakness at all.

  • http://vapid.dhs.org larry

    Wow, nice find!

  • xssniper

    Ed Von Schleck,

    Siemens has already acknowledged to me (privately, 6 months ago) and to ICS-CERT that the sessions are indeed predictable. They have reserved CVE-2011-4508 for the fix (if it ever comes out). They have no issues acknowledging this issue privately… but now that there is a chance that the public may find out about this vulnerability they would rather deceive the public than face up to their responsibility.

    BK

  • Ed von Schleck

    My comment got destroyed by the filter because of the “smaller than” and “larger than” symbols around STATIC VALUE. Here is the comment without those symbols so it makes more sense:

    It is not the system with a default password that is bad, but the one who forgets to change the password. We do not need labels like “Do not put pets into your microwave oven.”

    The information whether STATIC VALUE in the session cookie depends on the password, user name and system id is missing. Also the value of the 3rd parameter is not known. It got a length of at least 23 bit. If the STATIC VALUE depends on the username, password and system id properly, it is not easier to guess the cookie than to guess the username and password, unless you can extract information about the STATIC VALUE easy enough from somewhere else. Maybe it is not an accident that the length of the STATIC VALUE is 80 bit, 80 bit is a meaningful length.

    Appending a constant to a random number won’t make it less random.

    So, so far, I cannot decide whether this is a weakness at all.

    Oh, okay, they admitted it, but maybe they have no clue. :-D

  • CG

    that’s why you should be selling those instead of giving them, for free, to companies that don’t bother to test/fuzz/write secure code to start with.

    As long as people keep doing security for free or allow non-public disclosure/fixing of vulns… why change?

  • Slow

    There is also the chance that messages got lost in translation, this is a PR flack we’re talking about here. He might have used completely different terms to talk to the security team than he did to the reporter.

    I’d say 20% chance PR dude is an idiot, 20% chance security team is an idiot and 60% chance of cover-up for incompetence (also likely a decision made by PR idiot without management insight).

    PR guy will lose his job, people will continue to deploy these systems… let’s not be delusional here and think that people actually care about security :-(

  • Luce

    Just for my understanding, what is the algo used to code the value STATIC VALUE*administrator*xxxxxxxx*yy* ?

    When I unBASE64 the code, the string didn’t totally fit :)

  • willy

    Isn’t Siemens also the vendor of the insecure-by-design SCADA systems targeted by Stuxnet? It really looks like they never made the switch to secure systems when they evolved from big red button-based systems operated by local people with strong physical access control, to remotely operated systems accessible to anyone on the net.

    PS: this text area is a nightmare to use to enter comments !

  • RoJa

    Great find and shocking. Unbelievable Siemens is not taking this seriously. I put your find to a test on one of the systems showing up with Google search.
    I’m able to log on with the default credentials you mentioned with full control rights. What damage people can do on these systems if they want to.
    Guess something real bad needs to happen before they take action/inform their customers.

  • Martin Moene

    @Ed von Schleck: Isn’t it fair to say manufacturer and client share the responsibility to secure a system? Both manufacturer and client can and must do better.

  • Pingback: På den säkra sidan – Utgåva 02 | SAFESIDE-bloggen

  • Alex Machowetz

    Dear Billy and other IT experts,

    Siemens has issued the following statement on http://www.siemens.com/industrialsecurity today, December 22nd, 2011:

    “Siemens was notified by IT experts (Billy Rios and Terry McCorke) about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort). We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, first is planned to be issued in January 2012. In December 2011 further vulnerabilities have been reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities.”

    My email sent to Reuters on Tuesday, Dec 20, referred to the point that we are not aware of any further issues in addition to the vulnerabilities reported by you and Terry McCorke. It was meant as an email reply to a Reuters request, asking Reuters for more specific information, not as an official company statement. Please apologize if this was misleading, it was never our intention to deny vulnerabilities we are currently working on.

    Best regards,
    Alex Machowetz, Head of Business Press at Siemens Industry

    PS: My full contact data is posted on the Siemens Media Relations Website. The Siemens PR office is always available for a quick call to avoid misinterpretations like that.
    PPS@Slow: The PR dude is still at service: Merry X-mas !!

  • Pingback: Remote Authentication Bypass Vulnerability Exposed for Siemens SCADA Software | diBalikCelana.web.id

  • http://blog.soleranetworks.com Andrew Brandt

    Astonishing discovery, Billy.

    Alex, you could (probably should) have made that point a little clearer to the reporter.

  • Me

    They may not be lying. I had an issue with a company whose products I used, and they had a bug. I reported it, they wrote a patch within 24 hours but never implemented the patch. Months later they closed the bug without ever applying the patch.

    If they were to say there are no open issues they would be telling the truth, no open issues does not mean the bug is not there just that they closed the trouble ticket. In my opinion it is far worse for them to do that rather than fix it.

  • Reiner Otto

    Hey, I am German. And an IT prof for over 30 years, for industrial apps. Having seen too many flops because of Siemens software. Simply one more example.
    But,
    they have an excellent sales department :-)

  • Pingback: Especialista acusa Siemens de esconder falha em sistema de controle

  • Pingback: Remote authentication bypass vulnerability exposed for Siemens SCADA software - HackerMuslim.com | HackerMuslim.com

  • Pingback: More SCADA security flaws surface - Security news - Tech Around World

  • Pingback: More SCADA Security Flaws Surface

  • Pingback: Remote authentication bypass vulnerability exposed for Siemens SCADA software - TECHNOLOGY GADGETS – TECHNOLOGY GADGETS

  • xssniper

    @Me

    “If they were to say there are no open issues they would be telling the truth”

    I actually take issue with this. While the statement may be “correct” from a “technical” standpoint, the spirit of the message is deceiving. When Reuters asked if there was an authentication bypass, they were not asking if the bug was “closed out in the bug database” or if the developers were “finished coding” the fix. To answer in a manner which leads someone to believe the entire issue had been addressed and customers are safe, when you know that isn’t the case… is lying, plain and simple.

    BK

  • Pingback: Remote authentication bypass vulnerability exposed for Siemens SCADA software | Believe Me When I Tell You

  • Pingback: Communiqué from Forward Observation – SCADA systems under attack — Enterprise Strategy Group

  • Pingback: More SCADA security flaws surface | Network World Middle East

  • Pingback: SCADA Security News - Week of 26 December 2011

  • Pingback: Security Stories You May Have Missed Over the Holidays | WatchGuard Security Center

  • Pingback: Vann, IKT, og sikkerhet: En giftig blanding? - Infosec

  • Pingback: Siemens Security Systems Continue to be Compromised | baggagehandling