-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # SSA-884497: Multiple Vulnerabilities in SINEMA Remote Connect Server Publication Date: 2019-09-10 Last Update: 2019-09-10 Current Version: 1.0 CVSS v3.0 Base Score: 8.1 SUMMARY ======= The latest update for SINEMA Remote Connect Server fixes four vulnearbilities in the web interface. Two of the vulnerabilities are missing protection mechanisms for password guessing and for Cross Site Request Forgery attacks, the third one is a missing authentication check, and the fourth one could allow an attacker with administrative privileges to obtain a device password hash. Siemens has released updates and recommends to update to the newest version. AFFECTED PRODUCTS AND SOLUTION ============================== * SINEMA Remote Connect Server - Affected versions: All versions < V2.0 SP1 - Remediation: Update to V2.0 SP1 - Download: https://support.industry.siemens.com/cs/ww/en/view/109770899 WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * Restrict network access to the SINEMA Remote Connect web interface * Do not access links from untrusted sources while logged in at SINEMA Remote Connect GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity PRODUCT DESCRIPTION =================== SINEMA Remote Connect ensures management of secure connections (VPN) between headquarters, service technicians and the installed machines or plants. VULNERABILITY CLASSIFICATION ============================ The vulnerability classification has been performed by using the CVSS scoring system in version 3.0 (CVSS v3.0) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. * Vulnerability CVE-2019-13918 The web interface has no means to prevent password guessing attacks. The vulnerability could be exploited by an attacker with network access to the vulnerable software, requiring no privileges and no user interaction. The vulnerability could allow full access to the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known. CVSS v3.0 Base Score: 8.1 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C * Vulnerability CVE-2019-13919 Some pages that should only be accessible by a privileged user can also be accessed by a non-privileged user. The security vulnerability could be exploited by an attacker with network access and valid credentials for the web interface. No user interaction is required. The vulnerability could allow an attacker to access information that he should not be able to read. The affected information does not include passwords. At the time of advisory publication no public exploitation of this security vulnerability was known. CVSS v3.0 Base Score: 4.3 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C * Vulnerability CVE-2019-13920 Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. The security vulnerability could be exploited by an attacker that is able to trigger requests of a logged-in user to the application. The vulnerability could allow switching the connectivity state of a user or a device. At the time of advisory publication no public exploitation of this security vulnerability was known. CVSS v3.0 Base Score: 3.4 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N/E:P/RL:O/RC:C * Vulnerability CVE-2019-13922 An attacker with administrative privileges can obtain the hash of a connected device's password. The security vulnerability could be exploited by an attacker with network access to the SINEMA Remote Connect Server and administrative privileges. At the time of advisory publication no public exploitation of this security vulnerability was known. CVSS v3.0 Base Score: 6.6 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:H/E:P/RL:O/RC:C ACKNOWLEDGMENTS =============== Siemens thanks the following parties for their efforts: * Hendrik Derre and Tijl Deneut from HOWEST for coordinated disclosure ADDITIONAL INFORMATION ====================== For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories HISTORY DATA ============ V1.0 (2019-09-10): Publication Date TERMS OF USE ============ Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEfwRu2jOObZSjqkl0u2eV6o5V1S4FAl1254AACgkQu2eV6o5V 1S5AAhAAgtTUBBwMcBH43MniMbJEntHOWkco0JJ/DFP6ifMSpvYRMn6Zw35Cr1n7 SwLsNVygKKRW3eiNL8gyeLv+dymjEUfW4SB3Mi1Zuem8l8mYMMZNkYWRvJ2bkPzZ R7AHjWbiudlei3CXwliaQNE9mRnPN46zpLWoAEcZxBiUFoCrgqPs8Odj2cq/BWLJ TxVaAl6HW6m7kykhIKDWyZ1FSXivbuqXiPv0ZM2cT0HXG/3Au1T01vAssBPeewrS WAd16XgVORDHBkkYb7MscBXuQLVfB72c1CfVvp7gtuKX08PMkgWEJhd7IImBRdaa dSh2jGyYsZXklJfk7/cmCfdJjjpoDQytXrqLa7TptM1z9fKfzO2IyGA5h/2/Sgxi zRloH08bCwFAcs5SJ0BGhRkDxjKVuxH8pTDYmIl2i1IqIm+oDGkWuCbFNVNX7+Go Q1qDkmbcgfF4uyuqAooZCHrSZ6Wj7cZI6kZeplBrdoa8A3Rkp63JPo5uQT588lKV cQO69qnWQsVaDe8rihjiU/CIyZjwyuw+4K0isuO63Sz+CnvO2HLU45aKT2ibO60b mjdq8ZFRhJzh2BTCJWybiC2ldOGMJGDmt95J3HTUqNJ4mYfUp1Kcj8y5A3FwgynR Kuh7q2CTV0x2QpriCjtQiU0vpmC/W63p+AN1emiUEET9auofhns= =IXhu -----END PGP SIGNATURE-----