Earlier this year, speculation abounded that a botched fix for a software flaw in an industrial control system built by manufacturing giant Siemens was tied to a security talk getting pulled from a conference. At the time, researchers said Siemens had downplayed the seriousness of the vulnerabilities reported.
While history isn’t repeating itself exactly this week, it certainly is closely rhyming.
About the same time as those flaws were publicly bedeviling Siemens, security software researcher Billy Rios reported an authentication bypass flaw within the company’s software that is used to manage industrial control and critical infrastructure systems. “I’ve been patiently waiting for a fix for the issue which affects pretty much every Siemens SIMATIC customer,” Rios said in a blog post yesterday.
After waiting roughly seven months for a response, or a fix, Rios was recently told, through a Reuters reporter, that Siemens was not aware of “open issues regarding authentication bypass bugs at Siemens.”
After that feedback, Rios decided to take what he knew about the flaws public in this blog post.
In one of the flaws, Rios contends that the default password for a number of services on these Siemens systems was “100.” Also, if a user changes the default password to one that contains a special character, that password may revert back to its default. Additionally, services in the systems (Web, VNC, and Telnet) each maintain their credentials separately, so when one changes the Web default passwords the others remain in default.
Also troubling, Rios said he is able to find “many” of the services for these at-risk Siemens systems available on the Internet.
Rios also claims that session tokens generated by a Siemens Web HMI are fully predictable — making it straightforward for attackers to make their own tokens to use for access without having to know an actual username and password credential.
In an email response to CSOonline, Siemens acknowledged that they knew of the flaws. “We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, [the] first is planned to be issued in January 2012. In December 2011 further vulnerabilities have been reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities,” Siemens said in their reply.
“It’s not surprising to learn that these systems have weak, insecure, and generic administrative passwords. It’s a problem that’s not new,” says Pete Lindstrom, research director at Spire Security. “Systems should force default passwords to be changed on initial log-in.”