Pierluigi Paganini December 13, 2019

Experts discovered tens of flaws in the Siemens SPPA-T3000 control systems that could be exploited to attack fossil and renewable power plants.

Siemens informed customers that the SPPA-T3000 Application Server is affected by 19 vulnerabilities and the SPAA-T3000 MS3000 Migration Server is impacted by 35 security issues.

Some of the vulnerabilities have been rated as critical and could be exploited by attackers to trigger a denial-of-service (DoS) condition or to execute arbitrary code on the server.

Siemens pointed out that in order to exploit the vulnerabilities, an attacker requires access to the Application Highway or the Automation Highway.

“SPPA-T3000 Application Server and MS3000 Migration Server are affected by multiple vulnerabilities. Some of the vulnerabilities can allow an attacker to execute arbitrary code on the server.” reads the security advisory published by Siemens.”Exploitation of the vulnerabilities described in this advisory requires access to either Application- or Automation Highway. Both highways should not be exposed if the environment has been set up according to the recommended system configuration in the Siemens SPPA-T3000 security manual.”

Most of the vulnerabilities were reported by researchers at Kaspersky and Positive Technologies in October 2018 and December 2018, other issues were discovered by an expert from Turkish firm Biznet Bilişim.

“By exploiting some of these vulnerabilities, an attacker could run arbitrary code on an application server, which is one of the key components of the SPPA-T3000 distributed control system. Attackers can thereby take control of operations and disrupt them. This could stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed.” said Vladimir Nazarov, Head of ICS Security at Positive Technologies.

Experts also reported some vulnerabilities that could allow attackers to get the user passwords and change it, to escalate privileges to root, to enumerate usernames, to obtain directory listings and files, to enumerate running RPC services, to upload arbitrary files without authentication, to read and write arbitrary files on the local file system, to access paths and filenames on the server, to access logs files, and to access configuration files.

Waiting for a fix from Siemens, customers should implement a series of mitigations:

• Implement mitigations described in the SPPA-T3000 security manual
• Restrict access to the Application Highway using the SPPA-T3000 Firewall
• External components should be connected only to the SPPA-T3000 DMZ; no bridging of an external network to either the Application- or Automation highways is allowed
• Perform regular updates of the SPPA-T3000 (e.g. Security Server if available)
• Implement mitigations provided in the customer information letter distributed via the customer service portal
• Please contact your local Siemens representative if you need help securing your SPPA-T3000 installation

Siemens said that it is not aware of attacks in the wild that exploited one of these flaws.

Pierluigi Paganini

(SecurityAffairs – Siemens SPPA-T3000, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]