ICS Executive Summary for Week of July 21, 2017

Authentication Bypass Vulnerability Found in Siemens SiPass Integrated Server

Siemens has patched vulnerabilities found in their SiPass integrated server.  Siemens SiPass integrated is an access control system used in a variety of environments, such as hospitals and manufacturing operations.  It’s meant to manage physical access control such as door modules, card readers, and video surveillance.  

Siemens SiPass Mifare Card Reader (Source: Siemens SiPass)

The vulnerabilities found ranged from a CVSS score of 6.2 all the way to 9.8 (out of the maximum of 10).  The most critical of these was CVE-2017-9939, an improper authentication vulnerability, which could allow an attacker to bypass authentication and have administrative control as long as they had network access to the SiPass integrated server.  

The were three other vulnerabilities also patched in this update.  CVE-2017-9940, improper privilege management, allowed an attacker with access to a low-privileged user account to read and write files on the file system over the network.  CVE-2017-9941, a man-in-the-middle attack, and CVE-2017-9942, storing passwords in a recoverable format, were also addressed. 

All versions prior to V2.70 are affected by these vulnerabilities.  Users are highly advised to update as soon as possible through Siemens customer support or from authorized partners.  Siemens Security Advisory SSA-339433 provides additional detailed information on the vulnerabilities as well as some actions users can take to mitigate damages.

In addition to the update, ICS-CERT advises users to take the following actions to help defend against being compromised:

• Minimize network exposure for all control system devices and/or systems.
• Locate all control system networks and remote devices behind firewalls, and isolate them from the business network.
• If remote access is required, use secure methods, such as VPNs (Virtual Private Networks).  

Sources: Advisory ICSA-17-194-01 – Siemens SiPass integrated (ICS-CERT), SSA-339433: Vulnerabilities in SiPass Integrated (Siemens), Siemens Patches Authentication Bypass Flaw in SiPass Server (ThreatPost)

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies would you need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu