By Noam Moshe | June 16, 2022

 

This is the last entry in Team82’s series examining the security of network management systems for the Extended Internet of Things (XIoT). Read our previous reports looking into Nagios XI and Moxa MX View

Executive Summary

  • Team82 is disclosing some information about 15 vulnerabilities it found in Siemens’ SINEC network management system (NMS)
  • The vulnerabilities, if exploited, pose a number of risks to Siemens devices on the network including denial-of-service attacks, credential leaks, and remote code execution in certain circumstances.
  • Network management systems hold powerful positions on an OT network, allowing administrators to discover assets, understand their connections and dependencies, manage them, and more. 
  • In this report, Team82 demonstrates how two of these vulnerabilities may chained to ultimately allow an attacker to remotely execute code on the system
  • The first, CVE-2021-33723, allows an attacker to escalate privileges, while the second vulnerability, CVE-2021-33722, enables an attacker to carry out a path-traversal attack and execute code remotely. 
  • All versions before V1.0 SP2 Update 1 are affected; Siemens advises users to update to V1.0 SP2 Update 1 or later version.
  • Siemens has published an advisory that includes update information to new versions of SINEC NMS that address these flaws. See Siemens’ advisory here.

Introduction

Industry 4.0 is driven by connectivity to enable efficiency and 24/7 data exchange between different devices. To be able to provide such functionality, network management systems (NMS) are critical focal points that monitor and maintain industrial network elements. In addition, network data is consumed by process functions over OPC UA and other industrial protocols to enable the correlation of process and network telemetry to ensure process continuity and monitoring. 

Siemens’ SINEC NMS is a popular tool used by operators to understand how Siemens control systems and operations are functioning on the network, how they’re connected and dependent on one another, as well as their status. The diagnostics and network topology generated by the tool allow operators to see and respond to events, improve configurations, monitor device health, and carry out firmware upgrades and configuration changes. 

A network topology visualization generated by Siemens’ SINEC NMS. Source

 

SINEC is in a powerful central position within the network topology because it requires access to the credentials, cryptographic keys, and other secrets granting it administrator access in order to manage devices in the network. 

From an attacker’s perspective carrying out a Living-Off-The-Land type of attack where legitimate credentials and network tools are abused to carry out malicious activity, access to, and control of, SINEC puts an attacker in prime position for: 

  1. Reconnaissance (MITRE TA0043): SINEC holds a network map of all connected devices, including system and configuration information about those devices.
  2. Lateral Movement (MITRE TA0008): SINEC is allowed to access and manage all devices in the network.
  3. Privilege Escalation (MITRE TA0004):  SINEC holds administrators credentials and keys to all managed devices.

A network inventory of devices managed by SINEC NMS. Source

 

Behind the scenes, SINEC has two main system administration services, both written in Java Spring, which can be used to access and configure their devices using a web browser:

  1. CONTROL: A service aimed at setting preferences, creating and managing users, managing versions etc.
  2. OPERATION: A service aimed at operating, scanning, and upgrading network devices.

Team82 researched Siemens SINEC and found 15 unique vulnerabilities, that could allow a user to escalate their permissions, gain administrative rights to the system, leak sensitive information, cause a denial of service on the platform, and even achieve remote code execution on the hosting machine using NT AUTHORITY\SYSTEM privileges.

We chose to demonstrate how we chained two vulnerabilities in order to first escalate our privileges in the system and gain administrative access (CVE-2021-33723), and then obtain a file-write primitive on the system (CVE-2021-33722). Using this primitive, we wrote a malicious webshell on the system’s web root directory and invoked it by accessing it, thus achieving a remote code execution vulnerability.

A diagram demonstrating the vulnerability chain below.

 

Part 1 of the Chain: Account Takeover to Gain Administrative Access

CVE-2021-33723
CWE-285: Account Takeover through Improper Authorization

Team82 identified an account-takeover vulnerability that allows any authenticated user to gain access to the administrator’s account, and to functionality accessible only to administrators of the SINEC system. 

The SINEC permission model is based on group membership; only users of corresponding groups are able to perform certain actions. In general, whenever a user tries to perform an action involving other users, such as creating another user account, viewing another user’s account details and/or changing them, the server requires the user who performed the action to be a member of the administrative group that is allowed to perform those actions.

And indeed, in all routes that involve changing a user’s password, the server correctly checks that the user performing the action is an administrator. However, one action which any user is allowed to perform is changing their own details, email etc. In the routes that handle this request (/edituserprofile), no administrative permissions are required. A user can simply supply a JSON payload containing information about their account, and the server will change the view model of the given user, and the account details. 

However, two problems exist in this route. First, since the user attributes are updated directly through this request, we can supply certain fields that the server did not intend to change, like the user password. By simply supplying a password variable in our request, we change our user’s password. Furthermore, the server does not check whether the user performing the request is actually the user whose account is being edited, thus by supplying an ID and username of the administrative account, we can simply change its password, gaining access to the account.

Part 2 of the Chain: From Admin to RCE

CVE-2021-33722
CWE-22: Remote Code Execution Through Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

After gaining access to the system with administrative privileges, a wide range of functionality was opened to us, and we were able to identify a few vulnerabilities that allowed us to achieve remote code execution on the system.

As part of SINEC’s business logic, an administrator can create containers, which are a bundle of files, ranging from compiled programs, text files, and graphics. The administrator can use these containers and push them to any managed devices they choose. Our vulnerability involves this functionality, specifically the option to export and import those containers to the SINEC platform.

First, we create a container that contains a malicious file we intend to drop on the hosting server’s filesystem, for example an executable file or a webshell. Then, we export this container using the  /exportFWContainers API route. This route takes a container ID, and a name under which it will be exported. The server then takes all of the container’s items (including the malicious file we’ve uploaded to it) and transfers it to a directory under the given name, and finally archives it. However, the files under the given directory name are never deleted.

As it turns out, the server never checks the user-supplied name for the container, and instead moves the container files to a directory under this name. 

We could abuse this by supplying path traversal characters (../) in the given name, thus gaining the ability to copy the files inside this container to arbitrary locations on the host machine’s filesystem.

Abusing this vulnerability, we managed to achieve a simple file-write primitive that allowed us to write arbitrary files on the host’s filesystem. In order to escalate this primitive into a code execution vulnerability, we chose to drop a simple webshell on the target’s web root directory. Since the web server was written in Java, it allowed a .jsp (java server page) to be executed whenever a client requests them through an HTTP request, which meant we could write a malicious .jsp webshell that would allow us to execute arbitrary commands.

 

Proof of Concept

As part of our work, we’ve created a proof-of-concept exploit demonstrating an account-takeover by an unprivileged user, escalating their privileges to an administrator level user and then executing code remotely on the SINEC NMS machine as a high-privileged user (NT AUTHORITY\SYSTEM).

Our PoC running on a vulnerable SINEC server, running remote code on the server with the permissions of NT AUTHORITY\SYSTEM.

 

The Vulnerabilities

The latest update for SINEC NMS fixes multiple vulnerabilities. The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions. 

All versions before V1.0 SP2 Update 1 are affected; Siemens advises users to update to V1.0 SP2 Update 1 or later version. 

CVE-2021-33722
CWE-22: Remote Code Execution through Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

The affected system has a path traversal vulnerability when exporting a firmware container, which could allow a privileged, authenticated attacker to create arbitrary files on an affected system.

CVE-2021-33723
CWE-285: Account Takeover through  Improper Authorization 

An authenticated attacker could change the user profile of any user without proper authorization, which could allow an attacker to change the password of any user in the affected system.

CVE-2021-33724
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

The affected system contains an arbitrary file deletion vulnerability that could allow an attacker to delete an arbitrary file or directory under a user-controlled path.

CVE-2021-33725
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

The affected system allows the deletion of arbitrary files or directories under a user-controlled path and does not correctly check if the relative path is still within the intended target directory. 

CVE-2021-33726
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

The affected system allows the deletion of arbitrary files or directories under a user-controlled path and does not correctly check if the relative path is still within the intended target directory. 

CVE-2021-33727
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

An authenticated attacker could download the user profile of any user, allowing an attacker to leak confidential information.

CVE-2021-33728
CWE-502: Deserialization of Untrusted Data

The affected system allows uploading JSON objects that are deserialized to Java objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could exploit this vulnerability by sending a crafted serialized Java object.

CVE-2021-33729
CWE-89: SQL Injection Vulnerability

An authenticated attacker could import firmware containers to an affected system and execute arbitrary commands in the local database.

CVE-2021-33730
CWE-89: SQL Injection Vulnerability

A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

CVE-2021-33731
CWE-89: SQL Injection Vulnerability

A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

CVE-2021-33732
CWE-89: SQL Injection Vulnerability

A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

CVE-2021-33733 
CWE-89: SQL Injection Vulnerability

A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

CVE-2021-33734 
CWE-89: SQL Injection Vulnerability

A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

CVE-2021-33735
CWE-89: SQL Injection Vulnerability

A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

CVE-2021-33736
CWE-89: SQL Injection Vulnerability

A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

 

Team82 would like to thank Siemens for its coordination with us in working through this disclosure, and for its swift response in confirming our findings and swiftly patching these vulnerabilities. Siemens has addressed these issues in security advisory SSA-163251, and recommends its customers to update to the latest released version of SINEC NMS.”