Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Siemens TIA Portal Denial of Service

High

Synopsis

An unauthenticated remote DoS vulnerability exists in CCAgent.exe shipped with Siemens TIA Portal 15.1 Update 3 when encryption is enabled.

Specifically, an integer overflow can be triggered if an attacker were to send a crafted datagram over UDP port 8910.

.text:0041266C           mov     eax, [ebp+pTeleBuf2]
.text:0041266F           movzx   ecx, [eax+CTeleBuffer2.HdrSize] ; seen: 20h, 64h
.text:00412673           mov     edx, [ebp+pTeleBuf2]
.text:00412676           add     ecx, [edx+CTeleBuffer2.BodySize] ; aka, compressed size (cs)
.text:00412679           cmp     [ebp+arg_MsgSize], ecx ; check if (HdrSize + BodySize) == MsgSize
.text:00412679                                         ; but (HdrSize + BodySize) can cause int32 overflow
.text:0041267C           jz      short ok

The code checks if the sum of the message header size and body size is equal to the size of the message received from the network. If it's not equal, it's considered an error and the message will not get processed. However, the attacker can specify the message header size and body size in the message. For example, the attacker can specify HdrSize = 0x74 and BodySize = 0xffffffff in a 0x73-byte message. The size check will pass and the malformed message will get processed further. Eventually, 0xffffffff bytes of body data will be copied to a heap buffer via memcpy_s() if no compression type is specified in the message:

.text:004124BF no_compression:                         ; CODE XREF: TeleBuf2_DecryptAndUncompress+9C↑j
.text:004124BF           mov     eax, [ebp+TeleBuf2]
.text:004124C2           mov     ecx, [eax+CTeleBuffer2.BodySize] ; aka, compressed size (cs)
.text:004124C5           push    ecx
.text:004124C6           mov     edx, [ebp+pBody]
.text:004124C9           push    edx
.text:004124CA           mov     eax, [ebp+TeleBuf2]
.text:004124CD           mov     ecx, [eax+CTeleBuffer2.UncompressedSize] ; in: max len;
.text:004124CD                                         ; out: decompressed len
.text:004124CD                                         ; seen: 0003e800
.text:004124D0           push    ecx                   ; size_t
.text:004124D1           mov     edx, [ebp+pUncompressed]
.text:004124D4           push    edx                   ; void *
.text:004124D5           call    memcpy_s

The memcpy_s function will raise an exception if the copy size (0xffffffff) exceeds the output buffer size. The exception does not appear to be handled thus the CCAgent.exe process gets terminated:

0:003> g
(dac.10cc): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=6d6c1480 esi=00000000 edi=0078b738
eip=74ec72b2 esp=011df680 ebp=011df6b0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ucrtbase!_invoke_watson+0x12:
74ec72b2 cd29            int     29h
0:002> kb
 # ChildEBP RetAddr  Args to Child              
00 011df680 74ec719e 00000000 00000000 00000000 ucrtbase!_invoke_watson+0x12
01 011df6b0 74ec726b 00000001 0045b860 0078b738 ucrtbase!_invalid_parameter+0x75
02 011df6c4 00411b56 00000000 00000001 00000001 ucrtbase!_invalid_parameter_noinfo+0xb
WARNING: Stack unwind information not available. Following frames may be wrong.
03 011df6e4 004124da 007c0d40 00001000 007b254c CCAgent+0x11b56
04 011df728 0044559d 007b24d8 00000073 011df7d4 CCAgent+0x124da
05 011dfc00 0045bfa7 007b24d8 00000073 651c1aac CCAgent+0x4559d
06 011dfcd8 0045b8d4 00001a61 00000001 00000001 CCAgent+0x5bfa7
07 011dfcf4 77cbd313 003000a6 00001a61 000003fc CCAgent+0x5b8d4
08 011dfd20 77c9e8da 0045b860 003000a6 00001a61 USER32!_InternalCallWinProc+0x2b
09 011dfe08 77c9e234 0045b860 00000000 00001a61 USER32!UserCallWinProcCheckWow+0x30a
0a 011dfe7c 77c9dfe0 011dfe98 011dff04 0042eb35 USER32!DispatchMessageWorker+0x234
0b 011dfe88 0042eb35 011dfe98 038c32b7 003000a6 USER32!DispatchMessageW+0x10
0c 011dff04 0043d948 00000000 00000000 00000000 CCAgent+0x2eb35
0d 011dff54 0042ee85 00000001 0077cc58 011dff80 CCAgent+0x3d948
0e 011dff64 74947ee1 00000001 0077cc58 74947eb0 CCAgent+0x2ee85
0f 011dff80 77ab62c4 0077cc48 77ab62a0 74704f8a sechost!ScSvcctrlThreadA+0x31
10 011dff94 77e91f69 0077cc48 74310134 00000000 KERNEL32!BaseThreadInitThunk+0x24
11 011dffdc 77e91f34 ffffffff 77eb3625 00000000 ntdll!__RtlUserThreadStart+0x2f
12 011dffec 00000000 74947eb0 0077cc48 00000000 ntdll!_RtlUserThreadStart+0x1b

Proof of Concept

See our github poc repo

Note: It has been observed that the CCAgent Windows service (CCAgent.exe) restarts (after some period of time) upon termination.

Solution

Siemens has provided specific remediation guidance on a per-product basis. Please see SSA-270778 for details.

Disclosure Timeline

11/19/2019 - Vulnerability discovered
11/19/2019 - Vulnerability reported to vendor (90 day date is 2/19/2020)
11/22/2019 - Vendor acknowledges report and asks for our PGP key
11/22/2019 - Tenable sends our PGP key
11/22/2019 - Siemens asks for a PoC.
11/22/2019 - Tenable sends the PoC.
11/25/2019 - Vendor informs us they are able to reproduce vulnerability.
12/06/2019 - Siemens has identified a root cause and is working on a fix. Feb 11 expected release.
02/18/2020 - Vendor informs issue was patched on Feb 11. Advisory SSA-270778 was published.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.