Siemens industrial control systems designed specifically for energy plant gear are riddled with dozens of security vulnerabilities that are, luckily enough, tricky to exploit from the outside.
The teams at Positive Technologies, Kaspersky Lab, and Biznet Bilisim took credit for finding and reporting 54 CVE-listed flaws in the SPPA-T3000 (PDF), an application server that handles the management of power plant controllers.
According to Siemens this week, the control system is "mostly used in fossil and large scale renewable power plants." The vulnerable components are usually protected by a firewall, meaning a hacker would most likely have to be positioned appropriately on the local network to exploit the bugs.
Crucially, the miscreant would need access to a so-called highway component behind the firewall before they could attack the app server. At which point, they could most likely cause mischief anyway – though it would be great if there weren't any security holes that could allow for stealthy and unauthorized exploitation, a la Stuxnet.
"Exploitation of the vulnerabilities described in this advisory requires access to either Application- or Automation Highway," Siemens explained. "Both highways should not be exposed if the environment has been set up according to the recommended system configuration in the Siemens SPPA-T3000 security manual."
As we have seen, though, hackers have been able to get onto these internal networks.
Among the more serious flaws are CVE-2019-18283 and CVE-2019-18284, which do not require any authentication to exploit. "The AdminService is available without authentication on the Application Server," Siemens said of these flaws. "An attacker can gain remote code execution by sending specifically crafted objects to one of its functions."
Other bugs include CVE-2018-4832 and CVE-2019-18289, two denial of service vulnerabilities (not something you want happening to a power plant control console), and CVE-2019-18288, a code execution bug involving the insecure handling of file uploads.
"By exploiting some of these vulnerabilities, an attacker could run arbitrary code on an application server, which is one of the key components of the SPPA-T3000 distributed control system," said Vladimir Nazarov, head of the Positive Technologies ICS unit that discovered and reported 17 of the flaws.
"Attackers can thereby take control of operations and disrupt them. This could stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed."
So far, Siemens says it has only been able to patch three of the bugs. Siemens recommends administrators lock down the server from any sort of external network access.