Ilya Karpov of Russian security outfit Positive Technologies has reported nine vulnerabilities in Siemens industrial control system kit used in critical operations from petrochemical labs and power plants up to the Large Hadron Collider.
The holes, now patched, include two in Schneider Electric kit and cover a mix of remotely and locally exploitable bugs that can grant attackers easy and valuable system access.
One of them, CVE-2015-2823, carries a CVSS severity score of 6.8 and allows remote attackers to authenticate using a password hash without knowing the associated password, a pass-the-hash style weakness: whoever obtains the stored or transmitted hash can log in as that user.
It affects a variety of specialist SIMATIC WinCC products including Runtime Professional, HMI Mobile Panels, and HMI Basic Panels.
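To make the "hash works as a password" problem concrete, here is an added, generic illustration (not Siemens code, and not the WinCC authentication protocol, about which nothing beyond the advisory text is assumed). The vulnerable server stores an unsalted hash and accepts that same hash from the client, so a leaked hash is a working credential; the hardened server stores a salted, slow hash and re-derives it from the password the client sends, so the leaked record cannot be replayed. The user, password and class names are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed example: a minimal "hash-as-credential" login versus a
# hardened one. This is a generic illustration of the flaw class the
# advisory describes (authenticating with a password hash but not the
# password); it is NOT the WinCC protocol and assumes nothing about it.


class HashAsCredentialServer:
    """Vulnerable design: stores unsalted SHA-256 of the password and expects
    the client to send that same hash. Anyone who obtains the stored hash
    (config dump, sniffed login) can authenticate without the password."""

    def __init__(self):
        self.db = {}

    def register(self, user, password):
        self.db[user] = hashlib.sha256(password.encode()).hexdigest()

    def login(self, user, client_hash):
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, client_hash)


def vulnerable_client_login(server, user, password):
    """What the legitimate client does: hash the password and send the hash."""
    return server.login(user, hashlib.sha256(password.encode()).hexdigest())


class SaltedServer:
    """Hardened design: stores (salt, PBKDF2(password, salt)). The client sends
    the password itself (over an encrypted channel in practice); the server
    re-derives the hash and compares. A leaked record is a salted, slow hash
    that cannot be replayed as a credential."""

    def __init__(self, iterations=200_000):
        self.db = {}
        self.iterations = iterations

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(password, salt))

    def login(self, user, password):
        rec = self.db.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(password, salt))


def pass_the_hash_demo():
    """Returns (vulnerable_accepts_leaked_hash, hardened_accepts_leaked_hash)."""
    v = HashAsCredentialServer()
    v.register("operator", "Plant#2015")          # constructed credentials
    leaked = v.db["operator"]                     # attacker has the hash only
    vulnerable_accepts = v.login("operator", leaked)

    h = SaltedServer(iterations=1000)             # low count only to keep the demo fast
    h.register("operator", "Plant#2015")
    _salt, leaked_hash = h.db["operator"]
    # Attacker tries to use the leaked hash in place of the password.
    hardened_accepts = h.login("operator", leaked_hash.hex())
    return vulnerable_accepts, hardened_accepts


if __name__ == "__main__":
    print(pass_the_hash_demo())
```

Two caveats a practitioner would add: moving the hashing to the client, or wrapping the hash in a challenge-response exchange with the hash as the key, does not fix this class of bug, because the hash itself remains the secret an attacker needs; and the hardened server only helps if the password travels over an authenticated, encrypted channel, otherwise the man-in-the-middle position the advisory also warns about captures the password directly.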
WinCC is deployed across a wide range of industrial sectors under differing operating conditions and security arrangements, which determine how much real-world impact a vulnerability in the kit actually has.
The US computer emergency response team says the vulnerabilities include a man-in-the-middle attack available to anyone who can reach the network path between Programmable Logic Controllers and their communication partners, and a denial of service available to an attacker positioned between a Human Machine Interface panel and a PLC.
“An attacker with medium skill level would be able to exploit these vulnerabilities [and] could conduct man-in-the-middle attacks, denial-of-service attacks, and possibly authenticate themselves as valid users,” the agency warns.
“ICS-CERT recommends that organisations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”
The Positive Technologies researchers are gurus in hacking industrial control and SCADA systems. Last year they discovered flaws in WinCC kit, also used in Iran’s Natanz nuclear plant targeted by Stuxnet and in monitoring systems for the Large Hadron Collider, that allowed industrial systems to be compromised.