Siemens has just released a firmware update for the 7KT PAC1200 Siemens smart meters that addresses a critical vulnerability.
Siemens has just released a firmware update for the 7KT PAC1200 Siemens smart meters to fix a critical vulnerability that can be exploited by remote attackers to bypass authentication and perform administrative actions on the device.
The KT PAC1200 multichannel measuring devices belong to the Siemens SENTRON energy management family that have been designed to monitor energy consumption using sensors to collect data. Data gathered by Siemens smart meters can be viewed via a desktop web browser or mobile applications for Android and iOS.
The flaw tracked as CVE-2017-9944 was discovered by the researcher Maxim Rupp, it affects the web server integrated into the Siemens smart meters. The vulnerability allows a remote attacker to bypass authentication using an alternate path or channel, exploiting the issue it is possible to access the web interface and perform administrative operations.
The web interface of Siemens smart meters provides useful information to the users, including power consumption statistics for a specified period and budget monitoring.
The vulnerability affects 7KT PAC1200 data manager running a version of the firmware prior to 2.03.
“Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and perform administrative functions.” states the security advisory published by the US ICS-CERT.
Siemens urges its customers to update their devices to version 2.03 and to protect network access to the web server with appropriate mechanisms.
“Siemens provides firmware Version V2.03 for 7KT PAC1200 data manager (7KT1260) from the SENTRON portfolio, which fixes the vulnerability and recommends users update to the new fixed version. The firmware update V2.0.3 for 7KT PAC1200 data manager (7KT1260) from the SENTRON portfolio can be found on the Siemens web site at the following location:
“As a general security measure, Siemens strongly recommends protecting network access to the devices with appropriate mechanisms. Siemens advises configuring the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment.”
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.