-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-747162: Cross-Site Scripting Vulnerability in Spectrum Power™

Publication Date:        2019-07-09
Last Update:             2019-08-13
Current Version:         1.1
CVSS v3.0 Base Score:    4.7

SUMMARY
=======

A Cross-Site Scripting (XSS) vulnerability was found in the WebSDK
component of Spectrum Power™ 3, 4, 5 and 7.

A software update is available to address the issue and Siemens
recommends installing the patch.


AFFECTED PRODUCTS AND SOLUTION
==============================


* Spectrum Power 3 (Corporate User Interface) 
  - Affected versions:
       All versions <= v3.11
  - Remediation:
       Please contact Siemens Energy Customer Support Center at:
       support.energy@siemens.com or your local Siemens representative.

* Spectrum Power 4 (Corporate User Interface) 
  - Affected versions:
       Version v4.75
  - Remediation:
       Please contact Siemens Energy Customer Support Center at:
       support.energy@siemens.com or your local Siemens representative.

* Spectrum Power 5 (Corporate User Interface) 
  - Affected versions:
       All versions < v5.50
  - Remediation:
       Please contact Siemens Energy Customer Support Center at:
       support.energy@siemens.com or your local Siemens representative.

* Spectrum Power 7 (Corporate User Interface) 
  - Affected versions:
       All versions <= v2.20
  - Remediation:
       Please contact Siemens Energy Customer Support Center at:
       support.energy@siemens.com or your local Siemens representative.


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Do not allow Internet access for Spectrum Power UI clients.
  
* Users should be trained to avoid clicking on unknown links.
  


GENERAL SECURITY RECOMMENDATIONS
================================

Operators of critical power systems (e.g. TSOs) worldwide are usually
required by regulations to build resilience into the power grids by
applying multi-level redundant secondary protection schemes. It is
therefore recommended that the operators check whether appropriate
resilient protection measures are in place. The risk of cyber incidents
impacting the grid's reliability can thus be minimized by virtue of the
grid design.

Siemens strongly recommends applying the provided security updates using
the corresponding tooling and documented procedures made available with
the product. If supported by the product, an automated means to apply
the security updates across multiple product instances may be used.
Siemens strongly recommends prior validation of any security update
before being applied, and supervision by trained staff of the update
process in the target environment.

As a general security measure Siemens strongly recommends to protect
network access with appropriate mechanisms (e.g. firewalls,
segmentation, VPN). It is advised to configure the environment according
to our operational guidelines in order to run the devices in a protected
IT environment.

Recommended security guidelines to Secure Substations can be found at:

https://www.siemens.com/gridsecurity

PRODUCT DESCRIPTION
===================

Spectrum Power™ 3 SCADA applications provide functions required for
monitoring, alarming, measuring, calculating, archiving and safe
supervisory control based on analog and digital measurements,
accumulator values, and momentaries.

Spectrum Power™ 4 provides basic components for SCADA, communications,
and data modeling for control and monitoring systems. Application suites
can be added to optimize network and generation management for all areas
of energy management.

Spectrum Power™ 5 is used for the automation of power supply networks in
industry and for gas, water, district heating, and power supply grids
operated by public utilities.

Spectrum Power™ 7 was developed for energy management in power
transmission and distribution systems as well as for controlling railway
power supply systems.



VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.0 (CVSS v3.0) (https://www.first.org/cvss/). The CVSS 
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be 
individually defined by the customer to accomplish final scoring.


* Vulnerability CVE-2019-10933

  The web server could allow Cross-Site Scripting (XSS) attacks if
  unsuspecting users are tricked into accessing a malicious link.
  
  User interaction is required for a successful exploitation. The user
  does not need to be logged into the web interface in order for the
  exploitation to succeed.
  
  At the stage of publishing this security advisory no public exploitation
  is known.

  CVSS v3.0 Base Score: 4.7
  CVSS v3.0 Vector:     CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:P/RL:O/RC:C


ACKNOWLEDGMENTS
===============

Siemens thanks the following parties for their efforts:

   * İsmail Mert AY AK from Biznet Bilişim A.Ş. for coordinated disclosure
   * CISA-Industrial Control System Vulnerability Disclosure team for coordination efforts



ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and 
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2019-07-09): Publication Date
V1.1 (2019-08-13): Corrected version information for Spectrum Power 5

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJdUf2AAAoJELtnleqOVdUupiMP/i28lYSvI9Uzoz7mcSOy5m3j
kGUI0dU9sz/pmk/IIxHx1Syge/Zkx1EEDErwhYYonsKxsaNngd+6OO6pUXWXNi4/
x0B70OP/M+HW6ciUmmrqi17wjAiq6kcak5FGN1kn0FspKQQ2Vift6J/Uv1Dv+8zJ
MX/r57XgWpNlJfyItu9SegnYW42ByNHWNU+zmO99jiEjgc24oavluEQKtMQaCoYR
t6kykXNUHHO0IU90Ps9ubOaIUzJqSzoi0YEunkv1OuZrvEER4NE63RrytVTvNHiZ
Js0UTIZVo+Db62GOTt4PiXzhoGMKSD/mzoAdOAF2Jey7barOtXq/NXeHJ8Gj5xIQ
ABb+O0BD05tSkEWtsxF9kalAa5ZTAEcLzP78KvNaOgbczDYhVkjSruPG3Zatpbgc
0rJ/qvfzL5eZwgSsIKPitJTzfFrLSaNLZUCoBjCCWjlF0/t/HYWlDrtLYdgiQSh1
JlgKbu+bnWtP+5izRRf8+0keg9uUhmyzxzpldKLuct4+2d1D99UHhAnipeVKuVN7
28y07eUWzJrH1O02trsFdmxfariM2CeD8zB2J2Mf3S7I3IK7KVD3XT5dPsNOXYDh
Z7cPkBGvn6qX00HkfYJzvJ75jhfVe35fM3LhLw6xb8NA5zdBZ81Ke6hJ5PHEbnPP
rHMbPqMNIGMl3Iq3lhUi
=HIEC
-----END PGP SIGNATURE-----