Tuesday, December 20th, 2011
I have been working with ICS-CERT and various vendors over the last year, finding bugs and “responsibly” reporting nearly 1000 bugs… all for free and in my spare time. Overall, it’s been a great experience. Most of the vendors have been great to work with and ICS-CERT has done a great job managing all the bugs I’ve given them. In May of this year, I reported an authentication bypass for Siemens SIMATIC systems. These systems are used to manage Industrial Control Systems and Critical Infrastructure. I’ve been patiently waiting for a fix for the issue, which affects pretty much every Siemens SIMATIC customer. Today, I was forwarded the following from Siemens PR (Alex Machowetz) via a Reuters reporter who made an inquiry about the bugs we reported:
“I contacted our IT Security experts today who know Billy Rios…. They told me that there are no open issues regarding authentication bypass bugs at Siemens.”
For all the other vendors out there, please use this as a lesson on how NOT to treat security researchers who have been freely providing you security advice and have been quietly sitting for half a year on remote authentication bypasses for your products.
Since Siemens has “no open issues regarding authentication bypass bugs”, I guess it’s OK to talk about the issues we reported in May. Either that or Siemens just blatantly lied to the press about the existence of security issues that could be used to damage critical infrastructure…. but Siemens wouldn’t lie… so I guess there is no authentication bypass.
First, the default password for Siemens SIMATIC is “100”. There are three different services that are exposed when Siemens SIMATIC is installed: Web, VNC, and Telnet. The default creds for the Web interface are “Administrator:100” and the VNC service only requires that the user enter the password “100” (there is no user name). This is likely the vector pr0f used to gain access to South Houston (but only he can say for sure). All the services maintain their credentials separately, so changing the default password for the web interface doesn’t change the VNC password (and vice versa). I’ve found MANY of these services listening on the Internet… in fact you can find a couple here: http://www.shodanhq.com/search?q=simatic+HMI
But WAIT… there’s MORE! If a user changes their password to a new password that includes a special character, the password may automatically be reset to “100”. Yes, you read that correctly… if a user has any special characters in their password, it may be reset to “100”. You can read about these awesome design decisions (and many others) in the Siemens user manuals.
But WAIT… there’s MORE! So I took a look at what happens when an Administrator logs into the Web HMI. Upon a successful login, the web application returns a session cookie that looks something like this:
Looks pretty secure… right? Well, I harvested sessions from repeated, successful logins and this is what I saw:
Not so random huh…. If you decode these values, you’ll see something like this:
Totally predictable. For those non-techies reading this… what can someone do with this non-existent bug? They can use this to gain remote access to a SIMATIC HMI which runs various control systems and critical infrastructure around the world… aka they can take over a control system without knowing the username or password. No need to worry though, as there are “no open issues regarding authentication bypass bugs at Siemens.”
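As an added example that is not part of the original post, here is a small audit check an operator can run against their own HMI, using the approach described above: harvest the session cookies from a series of successful logins, decode them, and see whether they behave like a counter or like random bytes. The cookie format, the sample values and the thresholds are all constructed assumptions; the real SIMATIC cookie is not reproduced here.

```python
import base64
import math
from collections import Counter


def decode_cookie(value: str) -> bytes:
    """Base64-decode a cookie value, tolerating stripped '=' padding."""
    return base64.b64decode(value + "=" * (-len(value) % 4))


def entropy_ratio(blobs) -> float:
    """Shannon entropy of all decoded bytes pooled together, divided by the
    maximum possible for that many bytes (1.0 = as random as it could be)."""
    data = b"".join(blobs)
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / min(8.0, math.log2(n))


def successive_deltas(blobs):
    """Treat each decoded cookie as a big-endian integer and return the
    differences between consecutive logins; small positive steps mean the
    server is handing out a counter rather than a random token."""
    ints = [int.from_bytes(b, "big") for b in blobs]
    return [b - a for a, b in zip(ints, ints[1:])]


def assess_session_tokens(cookies, max_step=256, min_ratio=0.6):
    """Summarise whether a set of harvested session cookies looks predictable."""
    blobs = [decode_cookie(c) for c in cookies]
    deltas = successive_deltas(blobs)
    ratio = entropy_ratio(blobs)
    sequential = bool(deltas) and all(0 < d <= max_step for d in deltas)
    return {
        "entropy_ratio": round(ratio, 2),
        "sequential": sequential,
        "predictable": sequential or ratio < min_ratio,
    }


# Constructed sample: cookies that decode to a text counter (NOT real SIMATIC values).
COUNTER_COOKIES = [base64.b64encode(b"sess%08d" % n).decode() for n in range(1000, 1005)]
# Constructed contrast: cookies carrying fixed random-looking bytes, for repeatability.
RANDOM_COOKIES = [base64.b64encode(bytes.fromhex(h)).decode() for h in (
    "9f3a7c1e5b2d8e44", "0c71e9aa34f5d2b8", "e8124b6f9a03cd57",
    "5dd0a2f4c31b7e96", "b3498ef127c05a6d")]

if __name__ == "__main__":
    print("counter:", assess_session_tokens(COUNTER_COOKIES))
    print("random: ", assess_session_tokens(RANDOM_COOKIES))
```

A result with `sequential` true or a low `entropy_ratio` on your own logins is the signal to raise with the vendor; a handful of cookies is enough to show a counter, but judging randomness properly needs a much larger sample.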
Next time, Siemens should think twice before lying to the press about security bugs that could affect the critical infrastructure…. To everyone else, Merry Christmas.