Executive Summary
- Team82 is disclosing some information about 15 vulnerabilities it found in Siemens’ SINEC network management system (NMS)
- The vulnerabilities, if exploited, pose a number of risks including denial-of-service attacks, credential leaks, and remote code execution in certain circumstances.
- Network management systems hold powerful positions on an OT network, allowing administrators to discover assets, understand their connections and dependencies, manage them, and more.
- In this report, Team82 demonstrates how two of these vulnerabilities may be chained to ultimately allow an attacker to remotely execute code on the system.
- The first, CVE-2021-33723, allows an attacker to escalate privileges, while the second vulnerability, CVE-2021-33722, enables an attacker to carry out a path-traversal attack and execute code remotely.
- All versions before V1.0 SP2 Update 1 are affected; Siemens advises users to update to V1.0 SP2 Update 1 or later version.
Introduction
Industry 4.0 is driven by connectivity to enable efficiency and 24/7 data exchange between different devices. To be able to provide such functionality, network management systems (NMS) are critical focal points that monitor and maintain industrial network elements. In addition, network data is consumed by process functions over OPC UA and other industrial protocols to enable the correlation of process and network telemetry to ensure process continuity and monitoring.
Siemens’ SINEC NMS is a popular tool used by operators to understand how control systems and operations are functioning on the network, how they’re connected and dependent on one another, as well as their status. The diagnostics and network topology generated by the tool allow operators to see and respond to events, improve configurations, monitor device health, and carry out firmware upgrades and configuration changes.
A network topology visualization generated by Siemens’ SINEC NMS. Source.
SINEC is in a powerful central position within the network topology because it requires access to the credentials, cryptographic keys, and other secrets granting it administrator access in order to manage edge devices.
From an attacker’s perspective carrying out a Living-Off-The-Land type of attack where legitimate credentials and network tools are abused to carry out malicious activity, access to, and control of, SINEC puts an attacker in prime position for:
A network inventory of devices managed by SINEC NMS. Source.
Behind the scenes, SINEC has two main system administration services, both written in Java Spring, which can be used to access and configure their devices using a web browser:
- CONTROL: A service aimed at setting preferences, creating and managing users, managing versions etc.
- OPERATION: A service aimed at operating, scanning, and upgrading network devices.
Team82 researched Siemens SINEC and found 15 unique vulnerabilities that could allow a user to escalate their permissions, gain administrative rights to the system, leak sensitive information, cause a denial of service on the platform, and even achieve remote code execution on the hosting machine with NT AUTHORITY\SYSTEM privileges.
We chose to demonstrate how we chained two vulnerabilities in order to first escalate our privileges in the system and gain administrative access (CVE-2021-33723), and then obtain a file-write primitive on the system (CVE-2021-33722). Using this primitive, we wrote a malicious webshell into the system’s web root directory and invoked it by accessing it, thus achieving remote code execution.
Part 1 of the Chain: Account Takeover: Gaining Administrative Access
CVE-2021-33723
CWE-285: Account Takeover through Improper Authorization
Team82 identified an account-takeover vulnerability that allows any authenticated user to gain access to the administrator’s account, and to functionality accessible only to administrators of the SINEC system.
The SINEC permission model is based on group membership; only users of corresponding groups are able to perform certain actions. In general, whenever a user tries to perform an action involving other users, such as creating another user account, viewing another user’s account details and/or changing them, the server requires the user who performed the action to be a member of the administrative group that is allowed to perform those actions.
And indeed, in all routes that involve changing a user’s password, the server correctly checks that the user performing the action is an administrator. However, one action which any user is allowed to perform is changing their own details, email etc. In the routes that handle this request (/edituserprofile), no administrative permissions are required. A user can simply supply a JSON payload containing information about their account, and the server will change the view model of the given user, and the account details.
However, two problems exist in this route. First, since the user attributes are updated directly from this request, we can supply fields that the server did not intend to be changeable, such as the user password. By simply supplying a password variable in our request, we change our user’s password. Second, the server does not check whether the user performing the request is actually the user whose account is being edited; thus, by supplying the ID and username of the administrative account, we can change its password and gain access to the account.
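The two authorization defects described above (the target user taken from the request body, and every supplied field bound onto the account, password included) are the classic pair behind a mass-assignment account takeover. The following is an added illustration, not SINEC’s code: a minimal model of the profile-update route, with the flawed binding next to a hardened version that ties the target to the authenticated session and binds only an allow-list of profile fields. User records, role names and function names are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the /edituserprofile behaviour described above.
# User records, role names and function names are assumptions, not SINEC code.
@dataclass
class User:
    id: int
    username: str
    password: str          # a real system would store a hash
    email: str
    is_admin: bool = False

USERS = {
    1: User(1, "admin", "admin-secret", "admin@example.invalid", is_admin=True),
    7: User(7, "operator", "op-secret", "operator@example.invalid"),
}

def edit_profile_vulnerable(actor_id, payload):
    """Mirrors the flaw: the target comes from the JSON body, not the session,
    and every supplied field is bound onto the stored user object."""
    target = USERS[payload["id"]]
    for key, value in payload.items():
        if key != "id":
            setattr(target, key, value)
    return target

PROFILE_FIELDS = {"email"}   # the only fields this route is meant to change

def edit_profile_hardened(actor_id, payload):
    """Bind the target to the authenticated session, then bind only allow-listed fields."""
    actor = USERS[actor_id]
    target_id = payload.get("id", actor_id)
    if target_id != actor_id and not actor.is_admin:
        raise PermissionError("only administrators may edit other users")
    unexpected = set(payload) - PROFILE_FIELDS - {"id"}
    if unexpected:   # reject, rather than silently drop, fields like "password"
        raise ValueError(f"fields not accepted on this route: {sorted(unexpected)}")
    target = USERS[target_id]
    for key in PROFILE_FIELDS & set(payload):
        setattr(target, key, payload[key])
    return target

def try_edit(actor_id, payload):
    """Outcome of the hardened route as a short label, handy for logging and tests."""
    try:
        edit_profile_hardened(actor_id, payload)
        return "ok"
    except PermissionError:
        return "denied"
    except ValueError:
        return "rejected-field"
```

Rejecting unexpected fields outright, rather than ignoring them, also gives the server a clean event to log when a client sends fields the route never accepts.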
Part 2 of the Chain: From Admin to RCE
CVE-2021-33722
CWE-22: Remote Code Execution Through Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
After gaining access to the system with administrative privileges, a wide range of functionality was opened to us, and we were able to identify a few vulnerabilities that allowed us to achieve remote code execution on the system.
As part of SINEC’s business logic, an administrator can create containers, which are a bundle of files, ranging from compiled programs, text files, and graphics. The administrator can use these containers and push them to any managed devices they choose. Our vulnerability involves this functionality, specifically the option to export and import those containers to the SINEC platform.
First, we create a container that contains a malicious file we intend to drop on the hosting server’s filesystem, for example an executable file or a webshell. Then, we export this container using the /exportFWContainers API route. This route takes a container ID and a name under which it will be exported. The server then takes all of the container’s items (including the malicious file we’ve uploaded to it), transfers them to a directory under the given name, and finally archives it. However, the files under the given directory name are never deleted.
As it turns out, the server never checks the user-supplied name for the container, and instead moves the container files to a directory under this name.
We could abuse this by supplying path traversal characters (../) in the given name, thus gaining the ability to copy the files inside this container to arbitrary locations on the host machine’s filesystem.
Abusing this vulnerability, we achieved a simple file-write primitive that allowed us to write arbitrary files on the host’s filesystem. In order to escalate this primitive into code execution, we chose to drop a simple webshell in the target’s web root directory. Since the web server was written in Java, it executed any .jsp (JavaServer Pages) file whenever a client requested it over HTTP, which meant we could write a malicious .jsp webshell that would allow us to execute arbitrary commands.
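The export step above fails twice: the user-supplied name is joined to the export directory without any check, and the staged files are never removed. As an added example that is not SINEC’s code, the function below shows the two fixes a defender would want: a strict allow-list on the export name plus a canonical-path containment check, and a staging directory that is always cleaned up once the archive exists. The export root, name policy and function names are assumptions.

```python
import os
import re
import shutil
import tempfile
# Constructed hardening of the export step described above. Paths, the
# name policy and function names are assumptions, not SINEC's own code.
EXPORT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

def resolve_export_dir(export_root, name):
    """Map a user-supplied export name to a directory strictly inside export_root.
    Layer 1: an allow-list (no '/', '\\' or leading '.'), so '../' never reaches
    the filesystem. Layer 2: canonical-path containment, so a name that slips
    past the pattern still cannot resolve outside the root."""
    if not EXPORT_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid export name: {name!r}")
    root = os.path.realpath(export_root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"export name escapes the export root: {name!r}")
    return candidate

def is_safe_export_name(export_root, name):
    try:
        resolve_export_dir(export_root, name)
        return True
    except ValueError:
        return False

def export_container(export_root, name, items):
    """Stage items (bare filename -> bytes), archive them, and always remove the
    staging directory so no staged file outlives the export."""
    staging = resolve_export_dir(export_root, name)
    os.makedirs(staging, exist_ok=False)
    try:
        for filename, data in items.items():
            if os.path.basename(filename) != filename:
                raise ValueError(f"item name must be a bare filename: {filename!r}")
            with open(os.path.join(staging, filename), "wb") as fh:
                fh.write(data)
        return shutil.make_archive(staging, "zip", root_dir=staging)  # <staging>.zip
    finally:
        shutil.rmtree(staging, ignore_errors=True)

def demo():
    root = tempfile.mkdtemp()   # throw-away export root for the constructed run
    archive = export_container(root, "bundle1", {"readme.txt": b"constructed sample"})
    return {
        "archive_created": os.path.isfile(archive),
        "archive_inside_root": os.path.dirname(archive) == os.path.realpath(root),
        "staging_removed": not os.path.exists(os.path.join(root, "bundle1")),
        "traversal_rejected": not is_safe_export_name(root, "../../webapps/ROOT"),
    }
```

The containment check is the one that matters on its own; the allow-list is defence in depth and also keeps export names log-friendly.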
Proof of Concept
As part of our work, we’ve created a proof-of-concept exploit demonstrating an account takeover by an unprivileged user, escalating their privileges to an administrator-level user and then executing code remotely on the SINEC NMS machine as a high-privileged user (NT AUTHORITY\SYSTEM).
Our PoC running on a vulnerable SINEC server, executing remote code on the server with the permissions of NT AUTHORITY\SYSTEM.
Vulnerabilities
The latest update for SINEC NMS fixes multiple vulnerabilities. The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions.
All versions before V1.0 SP2 Update 1 are affected; Siemens advises users to update to V1.0 SP2 Update 1 or later version.
CWE-22: Remote Code Execution through Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The affected system has a path traversal vulnerability when exporting a firmware container, which could allow a privileged, authenticated attacker to create arbitrary files on an affected system.
CWE-285: Account Takeover through Improper Authorization
An authenticated attacker could change the user profile of any user without proper authorization, which could allow an attacker to change the password of any user in the affected system.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
The affected system contains an arbitrary file deletion vulnerability that could allow an attacker to delete an arbitrary file or directory under a user-controlled path.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
The affected system allows the deletion of arbitrary files or directories under a user-controlled path and does not correctly check if the relative path is still within the intended target directory.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
The affected system allows the deletion of arbitrary files or directories under a user-controlled path and does not correctly check if the relative path is still within the intended target directory.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
An authenticated attacker could download the user profile of any user, allowing an attacker to leak confidential information.
CWE-502: Deserialization of Untrusted Data
The affected system allows uploading JSON objects that are deserialized to Java objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could exploit this vulnerability by sending a crafted serialized Java object.
CWE-89: SQL Injection Vulnerability
An authenticated attacker could import firmware containers to an affected system and execute arbitrary commands in the local database.
CWE-89: SQL Injection Vulnerability
A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
CWE-89: SQL Injection Vulnerability
A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
CWE-89: SQL Injection Vulnerability
A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
CWE-89: SQL Injection Vulnerability
A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
CWE-89: SQL Injection Vulnerability
A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
CWE-89: SQL Injection Vulnerability
A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
CWE-89: SQL Injection Vulnerability
A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
Team82 would like to thank Siemens for its coordination with us in working through this disclosure, and for its swift response in confirming our findings and patching these vulnerabilities.