Siemens informed customers that the SPPA-T3000 Application Server is affected by 19 vulnerabilities and the SPAA-T3000 MS3000 Migration Server is impacted by 35 security issues.
Some of the vulnerabilities have been rated as critical and could be exploited by attackers to trigger a denial-of-service (DoS) condition or to execute arbitrary code on the server.
Siemens pointed out that in order to exploit the vulnerabilities, an attacker requires access to the Application Highway or the Automation Highway.
“SPPA-T3000 Application Server and MS3000 Migration Server are affected by multiple vulnerabilities. Some of the vulnerabilities can allow an attacker to execute arbitrary code on the server.” reads the security advisory published by Siemens.”Exploitation of the vulnerabilities described in this advisory requires access to either Application- or Automation Highway. Both highways should not be exposed if the environment has been set up according to the recommended system configuration in the Siemens SPPA-T3000 security manual.”
Most of the vulnerabilities were reported by researchers at Kaspersky and Positive Technologies in October 2018 and December 2018, other issues were discovered by an expert from Turkish firm Biznet Bilişim.
“By exploiting some of these vulnerabilities, an attacker could run arbitrary code on an application server, which is one of the key components of the SPPA-T3000 distributed control system. Attackers can thereby take control of operations and disrupt them. This could stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed.” said Vladimir Nazarov, Head of ICS Security at Positive Technologies.
Waiting for a fix from Siemens, customers should implement a series of mitigations:
Siemens said that it is not aware of attacks in the wild that exploited one of these flaws.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.