Siemens Announces and Patches 15 Vulnerabilities in OT Network Management Systems

Jun 27, 2022


Vulnerability Highlight

On October 12, 2021, Siemens revealed details of 15 cybersecurity vulnerabilities in SINEC NMS, an advanced OT network management system (NMS). Those with a CVSS v3.1 Base Score between 7.0 and 8.9, considered high risk, include CVE-2021-33722, CVE-2021-33723, CVE-2021-33728, CVE-2021-33729, CVE-2021-33730, CVE-2021-33731, CVE-2021-33732, CVE-2021-33733, CVE-2021-33734, CVE-2021-33735, and CVE-2021-33736. In addition, vulnerabilities with a CVSS v3.1 Base Score between 4.0 and 6.9, considered medium risk, include CVE-2021-33724, CVE-2021-33725, CVE-2021-33726, and CVE-2021-33727.

The most notable of these vulnerabilities are CVE-2021-33723 (CVSS v3.1 score 8.8) and CVE-2021-33722 (CVSS v3.1 score 7.2). With CVE-2021-33723, once an adversary is authenticated, the user profile of any user can be changed without proper authorization. This allows an adversary to change the password of any user on the affected system. With CVE-2021-33722, the system is exposed to a path traversal vulnerability when exporting firmware containers, so an authenticated and privileged adversary can create arbitrary files on the affected system. Since Siemens SINEC is used specifically to centrally monitor, manage, and configure networks in the OT network environment, adversaries who compromise SINEC can much more easily maintain their foothold in the OT environment of the victim organization.

In addition, several SQL injection vulnerabilities need attention. For example, CVE-2021-33732, CVE-2021-33733, and CVE-2021-33734 can allow an authenticated adversary using a privileged account to send crafted requests to the web server of the affected application that execute arbitrary commands in the local database. It should also be noted that CVE-2021-33729 can allow an authenticated adversary to import a firmware container into an affected system that could execute arbitrary commands in the local database.


Background Information

A Network Management System (NMS) plays a vital role in the industrial IoT. It is responsible for monitoring, managing, and configuring OT networks and supports functions such as centralized device monitoring for digital enterprises, firmware upgrades, and configuration changes. Siemens’ SINEC NMS can be used in an increasingly digital world to centrally monitor, manage, and configure industrial networks covering tens of thousands of devices around the clock, including security-related areas. As the OT network becomes more extensive and complex, adversaries may exploit a vulnerability in the NMS, once one appears, to control the OT network environment and cause large-scale, severe cybersecurity incidents. Fortunately, on October 12, 2021, Siemens resolved these security vulnerabilities (CVE-2021-33722 through CVE-2021-33736) in the V1.0 SP2 version update.


Security Recommendation

Siemens has identified specific workarounds and mitigations that customers can apply to reduce the risk: restrict access to the affected systems, especially to port 443/TCP, to trusted IP addresses only. In addition, Siemens strongly recommends using Siemens’ Industrial Security Operational Guide to configure and establish appropriate access control mechanisms that protect network access to equipment.
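
One way to check that the port 443/TCP restriction is actually enforced, as an added example that is not from Siemens or the original article: the script below reads firewall connection records and reports connections to the NMS from sources outside the trusted ranges. The NMS address, the trusted ranges, and the log format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumptions for illustration only: NMS address, trusted ranges, log layout.
NMS_HOST = ipaddress.ip_address("10.20.0.5")
NMS_PORT = 443
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.1.0/28", "10.20.9.17/32")]

# Constructed records: "timestamp src_ip dst_ip dst_port proto action"
SAMPLE_LOG = """\
2022-06-27T08:00:01Z 10.20.1.4 10.20.0.5 443 tcp allow
2022-06-27T08:00:09Z 10.20.9.17 10.20.0.5 443 tcp allow
2022-06-27T08:01:12Z 10.20.3.77 10.20.0.5 443 tcp allow
2022-06-27T08:02:30Z 192.0.2.44 10.20.0.5 443 tcp deny
2022-06-27T08:02:41Z 10.20.3.77 10.20.0.5 22 tcp allow
2022-06-27T08:03:00Z not-an-ip 10.20.0.5 443 tcp allow
"""

def is_trusted(src):
    """True if the source address falls inside any trusted range."""
    return any(src in net for net in TRUSTED)

def audit(log_text):
    """Return (violations, probes, malformed) for traffic to NMS_HOST:443/TCP.

    violations: untrusted sources the firewall ALLOWED (a gap in the rule set)
    probes:     untrusted sources the firewall denied (rule works; review source)
    malformed:  line numbers that could not be parsed (never silently dropped)
    """
    violations, probes, malformed = [], [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ts, src, dst, port, proto, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            malformed.append(lineno)
            continue
        if dst != NMS_HOST or port != NMS_PORT or proto.lower() != "tcp":
            continue  # not traffic to the NMS web interface
        if is_trusted(src):
            continue
        target = violations if action.lower() == "allow" else probes
        target.append((ts, str(src)))
    return violations, probes, malformed

if __name__ == "__main__":
    for name, rows in zip(("violations", "probes", "malformed"), audit(SAMPLE_LOG)):
        print(name, rows)
```

Any entry under violations means a host outside the trusted list reached the NMS web interface, so the access rule does not match the intended allowlist.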

Siemens has released updated versions. We therefore strongly recommend that administrators address the issues by updating to V1.0 SP2 Update 1 or later, with reference to Siemens’ Industrial Security Operational Guide.

TXOne Networks