Siemens SPPA-T3000 is used for controlling and supervising electrical generation at major power plants in the U.S., Germany, Russia, and other countries.
Positive Technologies experts have discovered a total of 17 vulnerabilities in the SPPA-T3000.
Vladimir Nazarov, Head of ICS Security at Positive Technologies, said: "By exploiting some of these vulnerabilities, an attacker could run arbitrary code on an application server, which is one of the key components of the SPPA-T3000 distributed control system. Attackers can thereby take control of operations and disrupt them. This could stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed."
The vulnerabilities were discovered in two SPPA-T3000 components: the application server and the migration server.
Seven vulnerabilities were found in the code of the application server. Three of them could enable the execution of arbitrary code. In one case, this is due to the use of an insecure Remote Method Invocation (RMI) service; exploiting the vulnerability does not require authentication. Another vulnerability was detected in the Java Management Extensions (JMX) service running on the application server. The third code execution vulnerability is caused by an exposed Remote Procedure Call (RPC) method that is intended for administration and does not require authentication.
Another three vulnerabilities in the application server are caused by insufficient authentication for certain services. As a result, an attacker could stop certain containers running inside the system and cause a denial of service on the server. The seventh vulnerability in the application server allows uploading arbitrary files without any authorization.
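Three of the application server findings above share one root cause: management services (RMI, JMX, an administrative RPC method) reachable without authentication. The following is an added example, not code from the original advisory and not Siemens' or Positive Technologies' configuration, showing how a defender can audit JVM launch command lines for remote JMX exposure that is explicitly unauthenticated or unencrypted. It uses the standard JDK `com.sun.management.jmxremote.*` system properties; the sample command lines, port numbers and file paths are constructed for the example, and nothing here reflects how SPPA-T3000 itself configures JMX.

```python
"""Audit JVM command lines for insecurely exposed remote JMX.

Added example (not from the original advisory). It inspects the standard
JDK JMX system properties:
  com.sun.management.jmxremote.port          - remote JMX is enabled if set
  com.sun.management.jmxremote.authenticate  - JDK default is true
  com.sun.management.jmxremote.ssl           - JDK default is true
Only explicit weakening (value "false") is reported, because leaving the
property unset keeps the JDK's secure default.
"""
import shlex

JMX_PREFIX = "com.sun.management.jmxremote"


def parse_system_properties(cmdline: str) -> dict:
    """Return the -Dkey=value pairs from a JVM command line as a dict."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props


def audit_jvm_args(cmdline: str) -> list:
    """Return a list of findings (strings) for one JVM command line.

    An empty list means either remote JMX is not enabled or it is enabled
    with the JDK's authentication and TLS settings left on.
    """
    props = parse_system_properties(cmdline)
    findings = []

    port = props.get(f"{JMX_PREFIX}.port")
    if port is None:
        return findings  # remote JMX not enabled via system properties

    # Explicitly disabled authentication: anyone who can reach the port can
    # read and invoke MBeans, which on many servers includes code execution.
    if props.get(f"{JMX_PREFIX}.authenticate", "true").lower() == "false":
        findings.append(f"remote JMX on port {port} has authentication disabled")

    # Explicitly disabled TLS: credentials and management traffic are sent in
    # the clear and can be observed on the network.
    if props.get(f"{JMX_PREFIX}.ssl", "true").lower() == "false":
        findings.append(f"remote JMX on port {port} has SSL/TLS disabled")

    return findings


# Constructed sample command lines (not real SPPA-T3000 invocations).
WEAK_CMDLINE = (
    "java -Dcom.sun.management.jmxremote.port=9010 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar"
)
HARDENED_CMDLINE = (
    "java -Dcom.sun.management.jmxremote.port=9010 "
    "-Dcom.sun.management.jmxremote.authenticate=true "
    "-Dcom.sun.management.jmxremote.ssl=true "
    "-Dcom.sun.management.jmxremote.password.file=/opt/app/jmxremote.password "
    "-jar app.jar"
)
NO_JMX_CMDLINE = "java -Xmx2g -jar app.jar"


if __name__ == "__main__":
    for name, line in [("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE),
                       ("no-jmx", NO_JMX_CMDLINE)]:
        print(name, audit_jvm_args(line) or ["no findings"])
```

In practice the input would be the argument lists of running Java processes (for example from `ps -eo args`) or the service start scripts, and the hardened case is the one to aim for: authentication and TLS left at their secure defaults, plus a password or access file restricting which principals may connect.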
An additional 10 vulnerabilities were found in the MS-3000 migration server. Of these, two enable remote reading and writing of arbitrary files. For example, an attacker could read /etc/shadow, which contains password hashes that could be used for brute-forcing user passwords.
Several heap overflows were also identified, which could be exploited to cause a denial of service against the migration server or as part of other attacks.
Companies running SPPA-T3000 systems should install the latest version to be protected against these vulnerabilities.
Taking into account the unique requirements of industrial protocols, Positive Technologies offers PT Industrial Security Incident Manager (PT ISIM) and MaxPatrol 8 to detect ICS cyber incidents and vulnerabilities.