Nozomi Networks Publishes Vulnerabilities in Siemens Desigo Devices

Last month, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint Cybersecurity Advisory “Control System Defense: Know the Opponent,” describing Tactics, Techniques, and Procedures (TTPs) malicious actors use to compromise OT/ICS assets. One of the techniques mentioned in the advisory is the MITRE ATT&CK T0832 “Manipulation of View” employed during a cyberattack on the Ukraine power grid. The goal of the attack is to “Degrade the operator’s ability to monitor the targeted system or degrade the operator’s confidence in the control system’s ability to operate, control, and monitor the targeted system. Functionally, an actor could prevent the operator’s display (human machine interface, or HMI) from being updated and selectively update or change visualizations on the HMI […]”.

In May 2022, we published the results of our security research on Siemens PXC4.E16, a building automation system (BAS) of the Desigo/APOGEE family for HVAC and building service plants. In that same research, we also analyzed the companion Siemens PXM30.E, a touch panel with integrated web server designed for the remote monitoring of the BAS.

In this blog, we disclose seven vulnerabilities (tracked under Siemens SSA-360783) affecting several Desigo Control Point systems from Siemens. These vulnerabilities may allow an attacker to access sensitive information, execute arbitrary commands, launch a Denial-of-Service (DoS) attack, or achieve Remote Code Execution (RCE).

Background

Users can interact with PXM30.E in three main ways:

  1. Remotely via ABT Site, PC-based software used to engineer and commission building automation systems from Siemens. ABT Site is used to define building structures, configure automation networks and devices, report on engineering and commissioning status, configure room automation applications, automation stations and intelligent field devices, as well as build graphics for Desigo Control Point (Figure 1);
  1. remotely via the web application exposed by the device itself. Through the web application, an operator can monitor plant functions (alarms, schedulers, calendars, set point changes, display of sensor measurements, etc.), as well as perform maintenance operations on the device itself (Figure 2); and
  1. physically via the device touch panel, which displays a Chromium-based web browser configured to access the same web application that is exposed remotely.

Figure 1. Screenshots of ABT Site
Figure 2. Screenshots of the PXM30.E web interface

Siemens Vulnerabilities Found

By analyzing the device, we were able to find the following seven vulnerabilities, which together affect all three attack surfaces listed above:

  1. CVE-2022-40176: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), CVSS v3.1 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
  1. CVE-2022-40177: Exposure of Sensitive Information to an Unauthorized Actor, CVSS v3.1 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C)
  1. CVE-2022-40178: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), CVSS v3.1 4.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C)
  1. CVE-2022-40179: Cross-Site Request Forgery (CSRF), CVSS v3.1 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C)
  1. CVE-2022-40180: Cross-Site Request Forgery (CSRF), CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C)
  1. CVE-2022-40181: Improper Neutralization of Encoded URI Schemes in a Web Page, CVSS v3.1 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H/E:P/RL:O/RC:C)
  1. CVE-2022-40182: Execution with Unnecessary Privileges, CVSS v3.1 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)

These vulnerabilities affect the following products and versions:

  • Desigo PXM30-1: All versions < V02.20.126.11-41
  • Desigo PXM30.E: All versions < V02.20.126.11-41
  • Desigo PXM40-1: All versions < V02.20.126.11-41
  • Desigo PXM40.E: All versions < V02.20.126.11-41
  • Desigo PXM50-1: All versions < V02.20.126.11-41
  • Desigo PXM50.E: All versions < V02.20.126.11-41
  • PXG3.W100-1: All versions < V02.20.126.11-37
  • PXG3.W100-2: All versions < V02.20.126.11-41
  • PXG3.W200-1: All versions < V02.20.126.11-37
  • PXG3.W200-2: All versions < V02.20.126.11-41

CVE Analysis

In this section, we provide details on CVE-2022-40176, CVE-2022-40179 and CVE-2022-40180, and CVE-2022-40181.

CVE-2022-40176

During a restore operation executed through ABT Site, the “sysone” executable running on the device performs the extraction of input packages by:

  1. injecting the compressed file name into an OS command string (via a call to the “snprintf” function, see Figure 3), then
  1. executing that string through a Linux shell (an “execve” system call of “/bin/sh” with the command string passed as an argument).

No validation of the file name is performed before this step. By crafting a file name containing shell command substitution syntax and including it in the restore package, arbitrary code execution with root privileges on the device became possible.
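As an added illustration (not code from the Siemens firmware, whose “sysone” internals are not public), the pattern described above beside its hardened form: the unsafe version formats the untrusted member name straight into a shell command string, while the safe version allow-list validates the name and passes it as a single argv element with no shell involved. The staging paths and the tar invocation are assumptions.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Assumed staging paths; the real sysone paths are not known from the write-up.
STAGING_DIR = "/tmp/restore"
TARGET_DIR = "/opt/restore"

# Allow-list: a plain basename drawn from a conservative character set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_command(member_name: str) -> str:
    """The unsafe pattern behind CVE-2022-40176: the untrusted name is
    formatted into a command string that would then be handed to '/bin/sh',
    so any shell syntax inside the name is interpreted by the shell.
    This function only builds the string; it never executes it."""
    return f"tar -xzf {STAGING_DIR}/{member_name} -C {TARGET_DIR}"


def is_safe_member_name(member_name: str) -> bool:
    """Reject empty names, directory components, hidden files and every
    shell metacharacter by matching against the allow-list pattern."""
    if not member_name or PurePosixPath(member_name).name != member_name:
        return False
    return SAFE_NAME.fullmatch(member_name) is not None


def extract_argv(member_name: str) -> list[str]:
    """Hardened form: validate first, then build an argv vector so the name
    can only ever be one argument to tar, never shell input."""
    if not is_safe_member_name(member_name):
        raise ValueError(f"rejected restore member name: {member_name!r}")
    return ["tar", "-xzf", f"{STAGING_DIR}/{member_name}", "-C", TARGET_DIR]


def extract(member_name: str) -> int:
    """Run the extraction without a shell (the equivalent of execve on tar
    directly rather than on /bin/sh)."""
    return subprocess.run(extract_argv(member_name), shell=False,
                          check=False).returncode
```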

Figure 3. CVE-2022-40176

CVE-2022-40179 and CVE-2022-40180

While analyzing the HTTP requests and responses in the web application, we noticed the following endpoints are vulnerable to CSRF:

  • “/api/desigo/eval” and “/api/desigo/evalAll”, which interpret and execute Axon language queries (CVE-2022-40179);
  • “/api/desigo/ext/finstack/fileUpload”, which is responsible for the “Import Files” functionality of the web application (CVE-2022-40180).

On their own, these vulnerabilities may not seem very significant; however, the web application also allows a threat actor to upload packages that include arbitrary JavaScript code. Chained together, they therefore provide a remarkably powerful attack primitive. Notably, we were able to develop a proof-of-concept web page (Figure 4) that, if visited by an unaware victim while logged into the device web interface, could:

  • first implant permanent arbitrary JavaScript code into the device via a CSRF attack;
  • then forcefully redirect the victim to the compromised web page to trigger the execution of that JavaScript code; and
  • finally steal the victim's session cookies as well as their password hash.

Figure 4. PoC chaining CVE-2022-40179 and CVE-2022-40180
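A server-side check for the endpoints named above, added here as an illustration (not the device's own web application code): it rejects state-changing requests whose Origin/Referer is not the device itself, and requires a session-bound anti-CSRF token in a custom header, which a cross-site form post cannot add. The endpoint paths are the ones from the write-up; the device origin and token value are constructed.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional
from urllib.parse import urlsplit

# Endpoints named in the write-up; requests to them change device state.
STATE_CHANGING_PATHS = {
    "/api/desigo/eval",
    "/api/desigo/evalAll",
    "/api/desigo/ext/finstack/fileUpload",
}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # lower-case header names


def request_origin(req: Request) -> Optional[str]:
    """scheme://host[:port] taken from Origin, else from Referer, else None."""
    for name in ("origin", "referer"):
        parts = urlsplit(req.headers.get(name, ""))
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def csrf_verdict(req: Request, device_origin: str, session_token: str) -> str:
    """Return 'allow' or a rejection reason for one request.

    Two independent checks the affected endpoints lacked: the request must
    come from the device's own origin, and it must carry the session-bound
    anti-CSRF token in a custom header. A cross-site form post cannot add
    headers, and a cross-site fetch that tries triggers a CORS preflight the
    device should not approve. SameSite=Strict session cookies add a third
    layer on the browser side."""
    if req.method.upper() not in UNSAFE_METHODS or req.path not in STATE_CHANGING_PATHS:
        return "allow"
    src = request_origin(req)
    if src is None:
        return "reject: no Origin/Referer on a state-changing request"
    if src != device_origin.lower():
        return f"reject: cross-site request from {src}"
    token = req.headers.get("x-csrf-token", "")
    if not compare_digest(token.encode(), session_token.encode()):
        return "reject: missing or invalid anti-CSRF token"
    return "allow"
```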

CVE-2022-40181

On devices that offer “kiosk” mode functionality, the Chromium-based web browser is configured to prevent users from interacting with the address bar, i.e., users cannot manually enter other Uniform Resource Identifiers (URIs). However, we noticed that the browser itself imposed no restrictions on code-initiated redirections (e.g., via JavaScript) and allowed navigation to URI schemes other than the canonical “http” or “https” (e.g., “file”, “chrome”). Additionally, the browser was running as root on the device. Combining these flaws made it possible to:

  • abuse the browser to traverse and read arbitrary sensitive files on the file system (Figure 5 shows the RSA private key of the TLS certificate used by the web application running on the device), or
  • cause a DoS condition on the touch panel (making it physically unusable) by redirecting the browser to specific Chromium testing URIs designed to crash the browser (Figure 6 shows the device after opening the “chrome://inducebrowsercrashforrealz” URI).

Figures 5 and 6. Examples of attacks enabled by CVE-2022-40181
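A defender-side navigation guard for a kiosk browser, added here as an example (not Siemens' code): it normalises percent-encoded or whitespace-padded schemes before checking, then allows only http(s) targets on the device's own host, so the “file” and “chrome” URIs above are refused. The device origin is an assumption; in a real deployment the same policy belongs in Chromium's URLAllowlist/URLBlocklist enterprise policies, alongside not running the browser as root.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Only these schemes may ever be navigated to in kiosk mode.
ALLOWED_SCHEMES = {"http", "https"}
# Characters browsers ignore inside and around a URL (tab, CR, LF, NUL),
# which let padded schemes slip past a naive startswith("http") check.
_IGNORED = "\t\r\n\x00"


def canonical_target(raw: str) -> str:
    """Percent-decode repeatedly (bounded) and drop ignored characters, so
    'fil%65:' or '\\tfile:' normalise to 'file:' before the scheme check."""
    text = raw
    for _ in range(5):  # bounded: stop once decoding no longer changes it
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return "".join(ch for ch in text if ch not in _IGNORED).strip()


def is_allowed_navigation(raw: str, device_origin: str) -> bool:
    """Allow only http(s) navigations that stay on the device's own host.
    Relative paths are resolved against the device origin; file:, chrome:,
    javascript:, data:, scheme-relative and encoded-scheme targets (the
    CVE-2022-40181 vectors) and credential-prefixed hosts are rejected."""
    device_host = urlsplit(device_origin).hostname
    target = urljoin(device_origin, canonical_target(raw))
    parts = urlsplit(target)
    if parts.scheme not in ALLOWED_SCHEMES:   # urlsplit lower-cases the scheme
        return False
    return parts.hostname is not None and parts.hostname == device_host
```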

Remediations

Siemens has released updates to patch all issues. Please refer to the official security advisory from Siemens or the product support note 109813821 for more details about how to patch the affected devices.

Summary

HMIs represent a critical target to protect in a production network. As stated in MITRE ATT&CK T0832, “with a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.” These attack scenarios are not far-fetched, as confirmed by the NSA and CISA joint advisory, which cited cyberattacks against HMIs and similar devices as one of the common patterns used by threat actors in real intrusions.

In this blog, we have revealed seven vulnerabilities affecting multiple Siemens Desigo Control Point devices that could be abused by adversaries to access sensitive information, cause DoS, or achieve RCE.

We recommend that end users promptly update all vulnerable devices by applying the patches released by Siemens. Nozomi Networks has also released specific updates to the Threat Intelligence service to detect exploitation attempts.