ID

VAR-201711-0759

CVE

CVE-2017-12737

TITLE

SICAM RTU SM-2556 COM Module Information Disclosure Vulnerability

DESCRIPTION

An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00. The integrated web server (port 80/tcp) of the affected devices could allow unauthenticated remote attackers to obtain sensitive device information over the network. The SM-2556 communication module is a protocol component for LAN/WAN communication with a Fast Ethernet interface that can be connected to the SICAM1703 and SICAMRTU substation controllers. Multiple Siemens SICAM RTU Products are prone to multiple security vulnerabilities. Attackers can exploit these issues to obtain sensitive information, to execute arbitrary code or arbitrary HTML or script code in the browser of an unsuspecting user within the context of the affected application. This can allow the attacker to steal cookie-based authentication credentials and aid in further attacks. Siemens SICAM RTUs is a substation controller of Siemens (Siemens) in Germany. SM-2556 COM Modules is used in one of the communication modules for LAN/WAN. Products using the following firmware are affected: ENOS00; ERAC00; ETA2; ETLS00; MODi00; DNPi00. SEC Consult Vulnerability Lab Security Advisory < 20171114-0 > ======================================================================= title: Authentication bypass, cross-site scripting & code execution product: Siemens SICAM RTUs SM-2556 COM Modules (firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00 vulnerable version: FW 1549 Revision 07 fixed version: none, see Workaround section below CVE number: CVE-2017-12737 (authentication bypass) CVE-2017-12738 (XSS) CVE-2017-12739 (web server) impact: critical homepage: www.siemens.com found: 2017-08-17 by: SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Siemens is a global powerhouse focusing on the areas of electrification, automation and digitalization. One of the world's largest producers of energy-efficient, resource-saving technologies, Siemens is a leading supplier of systems for power generation and transmission as well as medical diagnosis." Source: https://www.siemens.com/global/en/home/company/about.html Business recommendation: ------------------------ SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved. The device must not be accessible from untrusted networks. Vulnerability overview/description: ----------------------------------- 1) Authentication Bypass (client-side "authentication" enforcement) The web interface (TCP port 80) suffers from an authentication bypass vulnerability that allows unauthenticated attackers to access arbitray functionality and information (i.e. password lists) available through the webserver. 2) Reflected Cross-Site Scripting The web interface provides a "ping" functionality. This form is vulnerable to reflected cross-site-scripting because of missing input handling and output encoding. 3) Outdated Webserver (GoAhead) The used webserver version contains known weaknesses. Proof of concept: ----------------- 1) Authentication Bypass Use a browser which has JavaScript disabled ("Authentication" checks are performed client-side) and open legitimate URLs directly. Examples: http://<hostname>/start.asp http://<hostname>/pwliste.asp http://<hostname>/goform/webforms_readmem?start_addr=0&length=100 2) Reflected Cross-Site Scripting All parameters in "webforms_ping" are vulnerable to reflected XSS: http://<hostname>/goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1 3) Outdated Webserver The used version of "GoAhead" webserver is 2.1.7 (released in Oct. 2003) This version has known vulnerabilities: http://aluigi.altervista.org/adv/goahead-adv3.txt https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp Vulnerable / tested versions: ----------------------------- SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00 (FW 1549 Revision 07) Vendor contact timeline: ------------------------ 2017-09-25: Encrypted advisory sent to Siemens ProductCERT 2017-10-02: Requesting status update. 2017-10-09: Vendor states that the "affected device is out of service" and provides workaround (disable webserver). They are "still assessing the next steps". 2017-11-02: Requesting status update. 2017-11-06: Siemens ProductCERT will reach out to development team and keep us posted. 2017-11-08: Siemens ProductCERT prepares advisory. 2017-11-08: Asking about planned release date. 2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14) 2017-11-14: Coordinated public release. Solution: --------- No firmware update is available as the device is no longer supported by the vendor. Workaround: ----------- According to the vendor the webserver can be disabled to mitigate all the vulnerabilities documented in this advisory. The webserver is optional and only used for commissioning and debugging purposes. The vendor published the following document for further information: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-164516.pdf Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Twitter: https://twitter.com/sec_consult EOF SEC Consult Vulnerability Lab / @2017

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

information disclosure

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

SEC Consult Vulnerability Lab.

SOURCES

LAST UPDATE DATE

2025-04-20T23:25:54.496000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE