Claroty reveals 15 vulnerabilities in Siemens' SINEC NMS

Claroty has released new research detailing 15 vulnerabilities that were found in Siemens’ SINEC network management system (NMS).

Siemens’ SINEC NMS is a popular tool used by operators to understand how control systems and operations are functioning on the network, how they’re connected and dependent on one another, and what their status is. The diagnostics and network topology generated by the tool allow operators to see and respond to events, improve configurations, monitor device health, and carry out firmware upgrades and configuration changes.

SINEC is in a powerful central position within the network topology because it requires access to the credentials, cryptographic keys, and other secrets granting it administrator access in order to manage edge devices.

From an attacker’s perspective carrying out a Living-Off-the-Land type of attack where legitimate credentials and network tools are abused to carry out malicious activity, access to, and control of, SINEC puts an attacker in prime position for:

1. Reconnaissance (MITRE TA0043): SINEC holds a network map of all connected edge devices, including system and configuration information about those devices.
2. Lateral movement (MITRE TA0008): SINEC is allowed to access and manage all edge devices in the network.
3. Privilege escalation (MITRE TA0004): SINEC holds administrators’ credentials and keys to all managed edge devices.

Successful exploitation of the disclosed vulnerabilities could lead to denial-of-service attacks, credential leaks and remote code execution. This could cause disruptions and downtime in the industrial/OT networks that underpin all kinds of critical infrastructure — manufacturing plants, water utilities, oil pipelines, power grids, etc. All users are urged to immediately update to V1.0 SP2 Update1 or a later version.

The vulnerabilities

Behind the scenes, SINEC has two main system administration services, both written in Java Spring, which can be used to access and configure their devices using a web browser:

1. CONTROL: A service aimed at setting preferences, creating and managing users, managing versions etc.
2. OPERATION: A service aimed at operating, scanning, and upgrading network devices.

Team82 researched Siemens SINEC and found 15 unique vulnerabilities, that could allow a user to escalate their permissions, gain administrative rights to the system, leak sensitive information, cause a denial of service on the platform, and even achieve remote code execution on the hosting machine using NT AUTHORITY\SYSTEM privileges.

Claroty says Team82 has been able to demonstrate how two vulnerabilities can be chained in order to first escalate privileges in the system and gain administrative access (CVE-2021-33723), and then obtain a file-write primitive on the system (CVE-2021-33722). Using this primitive, the team wrote a malicious webshell on the system’s web root directory and invoked it by accessing it, thus achieving a remote code execution vulnerability.

More details on the 15 vulnerabilities involved and Claroty’s research can be found here.

Image: ©stock.adobe.com/au/sasun Bughdaryan