IT specialists working in heavy industry, or in any other sector that depends on substantial operational technology (OT), are long used to new kit arriving at their plants from China or elsewhere running Windows 7 and/or older, unpatched and unsupported versions of software the rest of the world has sometimes forgotten.
Even more modern, security-aware OT providers can struggle to ship their platforms with timely patches or mitigations for security issues in the software components at the heart of those platforms.
Siemens was a case in point this week, issuing a security advisory with a critical CVSS score of 9.8 for four major products -- yet pushing an official fix for just one of them. All of the Siemens security vulnerabilities involve bugs in an open source web server that were reported and fixed upstream in September 2021.
One of the vulnerabilities has been exploited in the wild, Cisco (also affected) confirmed.
Siemens security advisory: Apache HTTP bugs from 2021 to blame
"Multiple vulnerabilities were identified in the Apache HTTP Server software. These include NULL Pointer Dereferencing, Out-of-bounds Write and Server-Side Request Forgery related vulnerabilities.
"Siemens has released an update for the SINEMA Remote Connect Server and recommends to update to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available," the German multinational said late Tuesday June 15.
Products affected include:
- RUGGEDCOM NMS: Enterprise-grade network management software.
- SINEC NMS: A Network Management System (NMS) to centrally monitor, manage, and configure networks.
- SINEMA Remote Connect: A management platform for remote networks that enables management of VPN connections between headquarters, service technicians, and installed machines or plants.
- SINEMA Server: Network management software for use in Industrial Ethernet networks.
Two of the products (Siemens' "SINEC NMS" and "SINEMA Server V14") are affected by the widely exploited CVE-2021-40438, a critical server-side request forgery (SSRF) vulnerability in Apache HTTP Server 2.4.48 and earlier, for which proof-of-concept (PoC) exploits for pre-auth RCE have circulated widely since late 2021.
All Apache HTTP Server versions up to and including 2.4.48 are vulnerable to CVE-2021-40438 if mod_proxy is in use. It is patched in Apache HTTP Server 2.4.49 and later. At the time the Apache team released the upstream patch, Rapid7 Labs observed over 4 million potentially vulnerable instances of Apache httpd 2.x.
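The two conditions above (httpd older than 2.4.49 and mod_proxy loaded) are easy to check per host. The following triage script is an added example, not code from the article, Siemens or the Apache project; it parses output in the shape of `httpd -v` and `httpd -M`, the sample output is constructed for a hypothetical host, and the verdict labels are the author's own.

```python
import re
from typing import Optional, Tuple

# Upstream fix for CVE-2021-40438 shipped in httpd 2.4.49 (per the advisory).
FIXED_VERSION = (2, 4, 49)

# Constructed sample output, in the shape of `httpd -v` and `httpd -M`
# (hypothetical host; not taken from the article or any vendor advisory).
SAMPLE_VERSION_OUTPUT = "Server version: Apache/2.4.48 (Unix)\nServer built:   Jun  1 2021 10:00:00\n"
SAMPLE_MODULES_OUTPUT = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
"""


def parse_httpd_version(output: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from `httpd -v` output; None if not found."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None


def loaded_modules(output: str) -> set:
    """Module names from `httpd -M` output, e.g. {'core_module', 'proxy_module'}."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", output, re.M))


def assess_cve_2021_40438(version_output: str, modules_output: str) -> dict:
    """Classify a host: exposed only if version < 2.4.49 AND mod_proxy is loaded."""
    version = parse_httpd_version(version_output)
    mods = loaded_modules(modules_output)
    proxy_loaded = "proxy_module" in mods
    if version is None:
        verdict = "unknown-version"
    elif version >= FIXED_VERSION:
        verdict = "patched"
    elif proxy_loaded:
        verdict = "exposed"
    else:
        verdict = "vulnerable-build-mod_proxy-not-loaded"
    return {"version": version, "proxy_module": proxy_loaded, "verdict": verdict}


if __name__ == "__main__":
    print(assess_cve_2021_40438(SAMPLE_VERSION_OUTPUT, SAMPLE_MODULES_OUTPUT))
```

Distribution and vendor builds sometimes backport the fix without bumping the version string, so treat an "exposed" verdict as a prompt to confirm against the vendor's advisory rather than as proof of vulnerability.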
The vulnerability affected hundreds of products from vendors ranging from Cisco to Red Hat.
The Siemens security advisory comes as an OT security specialist is expected next week to reveal 56 severe OT vulnerabilities in devices from manufacturers including Siemens, Emerson, Honeywell, Motorola and Yokogawa. More than a third of the OT vulnerabilities allow for compromise of credentials, with firmware manipulation coming in second (21%) and remote code execution coming third (14%). More in The Stack on June 21.
In the absence of further patches, Siemens urged users to restrict access to the affected systems, especially on port 443/tcp, to trusted IP addresses only. The company meanwhile provides an extensive (50-page) set of "Operational Guidelines for Industrial Security [pdf]", which includes a call for robust separation between production and office networks, with the "link" between the two realised via a separate network, the so-called demilitarized zone (DMZ), and access control handled via granular user and group management.