SICAM 230 Process Control System (PCS) Vulnerabilities

By Josh Balentine on February 15, 2019

Siemens is one of the top suppliers of electrical engineering and electronics products. Among them are products used in Industrial Control Systems (ICS) for smart grid applications and the Energy Sector, one of the 16 critical infrastructure sectors designated by Presidential Policy Directive 21 (PPD-21). On February 12th, 2019 ICS-CERT released an advisory for SICAM 230, a PCS used for monitoring and controlling processes in its designated field. The advisory outlines three specific vulnerabilities, all considered critical. The first is an information exposure, the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to it (ICS-CERT, 2019). The other two are buffer overflows of different kinds: an out-of-bounds write and a heap-based overflow. Exploiting them can result in memory disclosure or memory corruption, which in turn can allow privilege escalation or remote code execution.

Vulnerable Equipment:

  • SICAM 230: All Versions 7.20 and prior
  • WibuKey Digital Rights Management (DRM)

Vulnerability Overview

A specially crafted I/O request packet (IRP), which is a request sent to a device driver, can cause the driver to return uninitialized memory, resulting in kernel memory disclosure (ICS-CERT, 2019).

A specially crafted IRP can cause a buffer overflow, where software writes past the end, or before the beginning, of the intended buffer, resulting in kernel memory corruption that can allow privilege escalation (ICS-CERT, 2019).
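
The two IRP issues above are general driver coding patterns: returning more of a reused buffer than the handler actually filled, and trusting caller-supplied lengths. The C program below is added here as an illustration and is not taken from the advisory or from any Siemens code; it models the caller-controlled IRP fields with a hypothetical `struct irp`, stands in a constructed 64-byte `pool` (filled with 0xAA to represent stale kernel data) for a reused allocation, and shows the leaking handler `ioctl_unsafe` beside the hardened `ioctl_safe` that validates both lengths, zeroes the buffer and returns only the bytes it wrote.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a reused kernel pool block; prime_pool() fills it
 * with 0xAA to represent leftover data from an earlier allocation. */
static uint8_t pool[64];
static const uint8_t status[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed reply */

/* Hypothetical user-space model of the caller-controlled IRP fields. */
struct irp {
    const uint8_t *in;  size_t in_len;   /* request bytes from the caller */
    uint8_t *out;       size_t out_len;  /* caller's output buffer and its size */
};

void prime_pool(void) { memset(pool, 0xAA, sizeof pool); }

/* Vulnerable pattern: no length checks, no zeroing, and the copy back to the
 * caller uses out_len instead of the number of bytes actually produced. */
int ioctl_unsafe(struct irp *r) {
    uint8_t *buf = pool;
    memcpy(buf, r->in, r->in_len);                /* in_len > 56 writes past buf */
    memcpy(buf + r->in_len, status, sizeof status);
    size_t n = r->out_len < sizeof pool ? r->out_len : sizeof pool; /* demo clamp */
    memcpy(r->out, buf, n);                       /* bytes past in_len+8 are stale */
    return (int)n;
}

/* Hardened pattern: validate both lengths, zero the work buffer, and return
 * exactly the bytes written so the caller cannot read beyond them. */
int ioctl_safe(struct irp *r) {
    if (r->in_len > sizeof pool - sizeof status) return -1; /* would overflow buf */
    size_t produced = r->in_len + sizeof status;
    if (r->out_len < produced) return -1;                   /* caller buffer too small */
    uint8_t *buf = pool;
    memset(buf, 0, sizeof pool);                            /* nothing stale survives */
    memcpy(buf, r->in, r->in_len);
    memcpy(buf + r->in_len, status, sizeof status);
    memcpy(r->out, buf, produced);
    return (int)produced;
}

int main(void) {
    uint8_t req[4] = {0x10, 0x20, 0x30, 0x40}, out[16];
    struct irp r = {req, sizeof req, out, sizeof out};
    prime_pool();
    int n = ioctl_unsafe(&r);
    printf("unsafe: %d bytes, out[12..15] = %02x %02x %02x %02x (stale pool data)\n",
           n, out[12], out[13], out[14], out[15]);
    prime_pool();
    printf("safe: %d bytes\n", ioctl_safe(&r));
    return 0;
}
```

The four 0xAA bytes printed by the unsafe path are exactly the kind of leftover kernel data the advisory's memory-disclosure item describes; the hardened path never copies them.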

A specially crafted Transmission Control Protocol (TCP) packet sent to port 2234/TCP can cause an overflow in the heap portion of memory, which can lead to remote code execution (ICS-CERT, 2019).

Patches and Updates

Siemens has released updates for some of the affected products and is working on updates for the remaining affected products.

Sources

Seals, T. (2019, February 12). Siemens Warns of Critical Remote-Code Execution ICS Flaw. Retrieved from https://threatpost.com/siemens-critical-remote-code-execution/141768/.

ICS-CERT Landing: CISA. (2019, February 12). Retrieved from https://www.us-cert.gov/ics.

National Institute of Standards and Technology. (2019, February). Retrieved from https://www.nist.gov/.