{"id":1609,"date":"2015-01-15T16:30:50","date_gmt":"2015-01-15T14:30:50","guid":{"rendered":"http:\/\/www.zerberos.com\/?p=346"},"modified":"2015-01-15T16:30:50","modified_gmt":"2015-01-15T14:30:50","slug":"siemens-ios-apps-fuer-industriesteuerung-luecken-geschlossen","status":"publish","type":"post","link":"https:\/\/www.netsolution.ch\/en\/2015\/01\/siemens-ios-apps-fuer-industriesteuerung-luecken-geschlossen\/","title":{"rendered":"Siemens iOS Apps f\u00fcr Industriesteuerung: Sicherheitsl\u00fccken geschlossen"},"content":{"rendered":"

\"siemens_simatic_wincc\"<\/a>Die Apps<\/a> von Siemens dienen zur Steuerung von Industrieanlagen (das zu steuerndeSCADA-System WinCC \u00a0wird u.a. auch in Atomkraftwerken verwendet) – und wiesen einige Sicherheitsl\u00fccken auf: so konnte das Passwort welches beim Start der Apps abgefragt wurde aus dem Ger\u00e4t extrahiert werden, ebenfalls die Zugangsdaten zum\u00a0Sm@rtServer mit welchem die App verbindet:<\/p>\n

Vulnerability 1<\/strong> (CVE-2014-5231)
\nThe existing storage mechanism for the application specific password could allow
\nattackers to extract the password and gain access to the application if local access is
\navailable.
\nCVSS Base Score 4.6
\nCVSS Temporal Score 3.6
\nCVSS Overall Score 3.6 (AV:L\/AC:L\/Au:N\/C:P\/I:P\/A:P\/E:POC\/RL:OF\/RC:C)
\nVulnerability 2<\/strong> (CVE-2014-5232)
\nIn case an application specific password is set, the user would not be prompted to enter
\nthe password if the App was resumed from the background.
\nCVSS Base Score 4.6
\nCVSS Temporal Score 3.6
\nCVSS Overall Score 3.6 (AV:L\/AC:L\/Au:N\/C:P\/I:P\/A:P\/E:POC\/RL:OF\/RC:C)
\nVulnerability 3<\/strong> (CVE-2014-5233)
\nThe implemented mechanism to process Sm@rtServer credentials could allow attackers
\nto extract the credentials if local access is available.
\nCVSS Base Score 4.6
\nCVSS Temporal Score 3.6
\nCVSS Overall Score 3.6 (AV:L\/AC:L\/Au:N\/C:P\/I:P\/A:P\/E:POC\/RL:OF\/RC:C) Siemens Security Advisory by Siemens ProductCERT<\/p>\n

Mitigating factors:<\/strong>
\nAttackers can only take advantage of the above mentioned vulnerabilities if they have
\nlocal access to the mobile device running the affected Apps.<\/p>\n

Im App Store ist inzwischen eine neuere Version verf\u00fcgbar.<\/p>\n

 <\/p>\n

Zerberos pr\u00fcft Ihre Apps oder von Ihnen eingesetzte Apps von Drittanbietern auf Sicherheit – kontaktieren<\/a> Sie uns f\u00fcr weitere Informationen!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Die Apps von Siemens dienen zur Steuerung von Industrieanlagen (das zu steuerndeSCADA-System WinCC \u00a0wird u.a. auch in Atomkraftwerken verwendet) – und wiesen einige Sicherheitsl\u00fccken auf: so konnte das Passwort welches beim Start der Apps abgefragt wurde aus dem Ger\u00e4t extrahiert werden, ebenfalls die Zugangsdaten zum\u00a0Sm@rtServer mit welchem die App verbindet: Vulnerability 1 (CVE-2014-5231) The existing … Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","rank_math_focus_keyword":"","rank_math_title":"","rank_math_description":"","rank_math_robots":null,"rank_math_canonical_url":"","rank_math_primary_category":"","footnotes":""},"categories":[35],"tags":[63,64,43,53,65,55],"class_list":["post-1609","post","type-post","status-publish","format-standard","hentry","category-allgemein","tag-industrie","tag-scada","tag-sicherheit-en","tag-sicherheitsluecke","tag-steuerung","tag-vulnerability"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"gform-image-choice-sm":false,"gform-image-choice-md":false,"gform-image-choice-lg":false},"uagb_author_info":{"display_name":"netsolution","author_link":"https:\/\/www.netsolution.ch\/en\/author\/netsolution\/"},"uagb_comment_info":0,"uagb_excerpt":"Die Apps von Siemens dienen zur Steuerung von Industrieanlagen (das zu steuerndeSCADA-System WinCC \u00a0wird u.a. auch in Atomkraftwerken verwendet) – und wiesen einige Sicherheitsl\u00fccken auf: so konnte das Passwort welches beim Start der Apps abgefragt wurde aus dem Ger\u00e4t extrahiert werden, ebenfalls die Zugangsdaten zum\u00a0Sm@rtServer mit welchem die App verbindet: Vulnerability 1 (CVE-2014-5231) The existing…","_links":{"self":[{"href":"https:\/\/www.netsolution.ch\/en\/wp-json\/wp\/v2\/posts\/1609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.netsolution.ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.netsolution.ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.netsolution.ch\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.netsolution.ch\/en\/wp-json\/wp\/v2\/comments?post=1609"}],"version-history":[{"count":0,"href":"https:\/\/www.netsolution.ch\/en\/wp-json\/wp\/v2\/posts\/1609\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.netsolution.ch\/en\/wp-json\/wp\/v2\/media?parent=1609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.netsolution.ch\/en\/wp-json\/wp\/v2\/categories?post=1609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.netsolution.ch\/en\/wp-json\/wp\/v2\/tags?post=1609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}