PT-2012-45: Username and password disclosure in ActiveX control in Siemens Simatic WinCC WebNavigator

Vulnerable software

Siemens Simatic WinCC WebNavigator
Version: 7.0 SP3 and earlier

Application link:
http://www.siemens.com/

Severity level

Severity level: High
Impact: Username and password disclosure
Access Vector: Remote  

CVSS v2:
Base Score: 8.3
Vector: (AV:N/AC:M/Au:N/C:C/I:P/A:P)

CVE: CVE-2012-3034

Software description

Simatic WinCC is a part of Siemens SIMATIC HMI software that aimed to provide connection between an operator and PLCs that manage technological processes. The WebNavigator component of WinCC gives the users the possibility to control their plants via the web browser with the same look-and-feel like local operator stations.

Vulnerability description

The specialists of the Positive Research center have detected "Username and password disclosure" vulnerability in Siemens Simatic WinCC WebNavigator.

WebNavigator uses ActiveX controls in the user’s browser. The methods of these ActiveX controls can be called by any web site this user visits. By maliciously
parameterizing this method, the attacker can gain access to username and password of the legitimate user.

How to fix

Update your software up to the latest version

Advisory status

16.07.2012 - Vendor is notified
16.07.2012 - Vendor gets vulnerability details
10.09.2012 - Vendor releases fixed version and details
13.09.2012 - Public disclosure

Credits

The vulnerability was discovered by Denis Baranov, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2012-45
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-864051.pdf

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

Threatscape