Siemens issues Stuxnet hole warnings
Siemens says it has closed the holes in its Simatic STEP7 and Simatic WinCC software, which are believed to have been used by the Stuxnet worm to sabotage the Iranian nuclear program, and is now warning users of the problems. Two advisories issued by the company "address vulnerabilities first discovered in 2010" and say that software updates in 2010 and 2011 addressed both vulnerabilities.
Although the advisories do not refer to Stuxnet by name, the 2010 date makes Siemens' reported discovery date contemporaneous with the appearance of Stuxnet. The worm was later discovered to be specifically targeted at SCADA equipment and is reported to have been a creation of US and Israeli intelligence operations designed to stop or slow Iran's nuclear fuel refinement projects.
The STEP7 advisory, SSA-110665, details the software's vulnerability to DLL hijacking, which allowed attackers to place malicious library files into STEP7 project folders and have them loaded into STEP7 and executed with the permissions of the STEP7 application. The fix now excludes DLL files in the project folder from being loaded.
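For sites that want to check project folders received from outside before opening them, the following is an added example, not code from Siemens or the advisory. It walks a folder and reports any file that parses as a Windows PE image, whatever its extension; the file names and the sample tree are constructed, and treating every PE file in a project folder as worth review is an assumption.

```python
import os
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images

def pe_kind(path):
    """Classify by PE headers, not extension: 'dll', 'exe' or None."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return None
            f.seek(struct.unpack_from("<I", dos, 0x3C)[0])  # e_lfanew
            hdr = f.read(24)  # "PE\0\0" signature + 20-byte COFF header
    except OSError:
        return None
    if len(hdr) < 24 or hdr[:4] != b"PE\0\0":
        return None
    flags = struct.unpack_from("<H", hdr, 22)[0]  # Characteristics field
    return "dll" if flags & IMAGE_FILE_DLL else "exe"

def find_libraries(project_root):
    """List (relative path, kind) for PE images or *.dll names under the folder."""
    findings = []
    for dirpath, _dirs, files in os.walk(project_root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = pe_kind(path)
            if kind or name.lower().endswith(".dll"):
                findings.append((os.path.relpath(path, project_root), kind or "not-pe"))
    return sorted(findings)

def constructed_pe(flags):  # constructed header-only sample, not a loadable image
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    return dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, flags)

def demo():
    samples = {"project.cfg": b"constructed project data\n",
               "sub/helper.dll": constructed_pe(0x2002),
               "sub/blob.dat": constructed_pe(0x2002)}  # DLL under another name
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        return find_libraries(root)

if __name__ == "__main__":
    print(demo())
```

Checking headers rather than names matters because a library does not need a .dll extension on disk to be a valid image.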
The WinCC advisory, SSA-027844, addresses how the WinCC software used pre-defined administrator SQL server credentials embedded in the software. These credentials could not be changed or disabled by the user and allowed an attacker remote access to the database server with administrative privileges. The fix for this switches the authentication code over to using Windows authentication mechanisms.
Both advisories "strongly recommend" that users install the appropriate updates as soon as possible. No explanation was given as to why the company delayed publicly issuing advisories for over a year after releasing updates for the software, though both appear to have been revised a number of times as they carry version numbers of 1.3 and 1.4.