Siemens Stuxnet patch does not provide sufficient protection
The Siemens SIMATIC Security Update for protecting WinCC systems against Stuxnet infections doesn't close the actual hole in the SQL Server configuration. It only prevents the known Stuxnet variants from working. As IT forensics expert Oliver Sucker demonstrates in a video (German language link), only a few steps are required to bypass the protection and regain full remote access to a WinCC system.
The issue is based around the hard-coded access data for the WinCC system's Microsoft SQL database. The Stuxnet worm uses this data to log into further systems from another infected system. There, it uses the integrated xp_cmdshell command shell to access the underlying Windows operating system at system privilege level from the database.
The SIMATIC update prevents the database from executing commands via xp_cmdshell by switching the corresponding configuration option from 1 to 0. According to Sucker, however, the privileges of the hard-coded WinCCAdmin database user are so comprehensive that an attacker can use a few trivial SQL commands to switch the setting back from 0 to 1 after logging in. This re-enables the execution of commands via the command shell. Sucker has so far not disclosed the exact SQL commands required.
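The weakness described above is that the patch changes a setting without removing the privilege to change it back. The following T-SQL is an added audit example for administrators of a WinCC SQL Server instance; it is not from the article, Siemens or Sucker, and assumes the login is named `WinCCAdmin` as the article states and that the instance keeps the default SQL Server error log.

```sql
-- Added defender-side checks (not from the article or Siemens) for a WinCC SQL Server instance.

-- 1. Current state of the setting the SIMATIC update switches to 0.
--    value_in_use = 1 means xp_cmdshell can run OS commands again.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Can the application login flip the setting back?
--    Changing an option with sp_configure requires the ALTER SETTINGS server permission,
--    which members of sysadmin and serveradmin hold implicitly.
--    'WinCCAdmin' is the login named in the article; adjust if your instance differs.
SELECT sp.name,
       sp.type_desc,
       IS_SRVROLEMEMBER('sysadmin',    sp.name) AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin', sp.name) AS is_serveradmin
FROM sys.server_principals AS sp
WHERE sp.name = N'WinCCAdmin';

-- 3. Explicit ALTER SETTINGS grants to any login (catches non-role-based routes as well).
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'ALTER SETTINGS';

-- 4. Has the option been changed since the patch? sp_configure logs every change to the
--    SQL Server error log as "Configuration option 'xp_cmdshell' changed from 0 to 1 ...".
--    Arguments: current log (0), SQL Server log (1), search string, no second filter.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Configuration option ''xp_cmdshell'' changed', NULL;
```

A result of `is_sysadmin = 1` for the application login in step 2 is the condition the article describes: the patched setting can be undone by anyone holding the hard-coded credentials, so step 4 is worth scheduling as a recurring check until the credentials can be replaced.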
When asked by The H's associates at heise Security, Siemens refused to comment on the issue. Siemens spokesman Gerhard Stauss said in an email, "Our (latest) official statement to the effect that we are investigating ways of tightening authentication procedures remains in place". Until Siemens decides to improve its authentication by allowing the definition of custom access credentials, users can only hope that there will be no further Stuxnet variants or hacker attacks.
Sucker's analysis also produced another interesting result: It is possible to immunise a system against the Stuxnet worm. According to Sucker, this only requires a specific registry key to be put in place. During start-up, Stuxnet checks whether this key exists and whether a certain value is set. If this is the case, the worm shuts itself down without further activity. Sucker is providing the required information to WinCC users on request.
Meanwhile, Siemens has updated its global industrial infection figures. Siemens states on its web site: "In the three months since Stuxnet appeared for the first time, a total of 19 Siemens customers worldwide from an industrial environment have reported an infection with the Trojan." Reportedly, in no case did Stuxnet attempt to influence control software.
See also these further reports on the Stuxnet worm from The H:
- Stuxnet strikes China
- Stuxnet brings more new tricks to cyberwar
- Iran confirms Stuxnet cyber attack
- Vulnerability exploited by Stuxnet discovered more than a year ago
- Stuxnet also found at industrial plants in Germany
- Stuxnet worm can control industrial systems