Critical bugs trouble Siemens automation systems

• The flaws exist in SICAM 230, an industrial control system (ICS) by Siemens used in energy-related applications.
• Siemens has recommended users to apply updates for the DRM used in SICAM 230 to patch the issue.

A string of vulnerabilities present in one of Siemens’ automation systems has been identified. SICAM 230, an ICS meant for smart-grid applications is the affected product.

In a security advisory, Siemens has mentioned that the flaws could allow a serious remote code execution (RCE) attack in the automation system. Specifically, SICAM 230’s digital rights management (DRM) solution, known as WibuKey DRM, contained three critical vulnerabilities.

These flaws are marked using the CVSS 3.0 scoring system with the following scores:

• CVE-2018-3989 - 4.3
• CVE-2018-3990 - 9.3
• CVE-2018-3991 - 10.0

Among them, the first vulnerability CVE-2018-3989 -- allows custom I/O request packet to return uninitialized memory thus revealing kernel memory. Similarly, the second one CVE-2018-3990 allows custom I/O request packet to cause a buffer overflow resulting in privilege escalation. The third vulnerability CVE-2018-3991 allowed TCP packets to port 22347/tcp causing a heap overflow. This would ultimately give way for an RCE attack.

Advisories with mitigations released

However, Siemens has urged its customers to update the WibuKey DRM to the latest version provided through WibuKey’s website. Apart from that, the German company has patched flaws found in their other products.

A total of 16 security advisories were published covering various products in their portfolio. Industrial systems such as SIMATIC, SIMOTION, and SINAMIC were found to have vulnerabilities that could permit denial of service attacks.

While some of these were patched through updates, Siemens is currently working on the others and has suggested workaround mitigations to prevent any security incident.