Siemens Tecnomatix FactoryLink SCADA system contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, cause a denial of service (DoS), or conduct directory traversal attacks.
Multiple stack overflow vulnerabilities exist in the CSService and vrn.exe processes due to insecure memory operations. A remote attacker could exploit these vulnerabilities via malformed requests that are designed to corrupt memory. Exploitation could result in arbitrary code execution or a DoS condition.
Two directory traversal vulnerabilities also exist in the CSService and vrn.exe processes. These vulnerabilities could allow an attacker to perform unauthorized actions, such as browsing file directories or downloading arbitrary files. An attacker could exploit these vulnerabilities by supplying special character sequences to the vulnerable services.
In addition to these vulnerabilities, memory corruption errors, such as NULL pointer dereferences, stack exhaustions, and raised exceptions, also exist in the CSService, connsrv, and datasrv processes of the affected software. An attacker could exploit these vulnerabilities to cause unexpected termination of the services, which could result in a DoS condition.
Proof-of-concept code that demonstrates an exploit of each of these vulnerabilities is publicly available.
Siemens has confirmed these vulnerabilities, and updates are available.
Siemens has released a security advisory at the following link (direct download of a PDF file): SIEMENS-SSA-630126. Siemens has released patches at the following link: Tecnomatix FactoryLink
ICS-CERT has released security advisories at the following links: ICS-ALERT-11-080-01, ICSA-11-091-01, and ICSA-11-091-01A
The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: Cisco Applied Mitigation Bulletin: Identifying and Mitigating Disclosed SCADA System Vulnerabilities