24 Jul 2012
German company Siemens announced it has patched two vulnerabilities in its industrial control software. These seem to be the same software bugs used by the infamous Stuxnet to sabotage Iran’s nuclear program.
According to the first Siemens security advisory, the bug in STEP7 was initially discovered and sent for analysis in 2010. The audit revealed that it supported “the loading of DLL files in STEP7 project folders, which can be used within an attack against systems where STEP7 is installed”.
This way, an attacker could easily store arbitrary, unauthorized, malicious library files in those project folders, which will be loaded “on Step7 at start-up without validation,” the security advisory says. And if the project folder is shared on a network, the malicious library file can travel across the network as well.
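As an added example (not code from Siemens or from the original article), this Python script audits a project folder for library files by parsing PE headers instead of trusting file extensions. The function names, the sample tree and the premise that any PE image found in a project folder warrants review are assumptions made for illustration.

```python
import os
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: image is a DLL

def pe_kind(path):
    """Return 'dll', 'exe' or None by parsing the PE headers, ignoring the file name."""
    try:
        with open(path, "rb") as fh:
            dos = fh.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return None
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            fh.seek(e_lfanew)
            nt = fh.read(24)  # "PE\0\0" signature + 20-byte COFF file header
    except OSError:
        return None
    if len(nt) < 24 or nt[:4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", nt, 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def scan_project_folder(root):
    """Walk a project folder and list (relative_path, kind) for every PE image found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = pe_kind(full)
            if kind:
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)

def build_sample_project(root):
    """Constructed sample tree: one data file, one DLL image hidden behind a .dat name."""
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "project.cfg"), "wb") as fh:
        fh.write(b"name=demo\n")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew points just past the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x2002)  # executable + DLL flags
    with open(os.path.join(root, "sub", "helper.dat"), "wb") as fh:
        fh.write(dos + b"PE\0\0" + coff)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_project(tmp)
        for rel, kind in scan_project_folder(tmp):
            print(f"REVIEW {kind}: {rel}")
```

Run against a real project share, the list of hits is a starting point for comparison with a known-good copy of the project, since the script cannot tell which images were put there legitimately.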
In its second advisory, Siemens explains how the vulnerability in older versions of SIMATIC WinCC could allow “remote access to the database server with administrative privileges” because these versions used “pre-defined SQL server credentials”.
Stuxnet used these techniques to subvert industrial control software and force these applications to control industrial hardware in improper ways, leading to the destruction of about 1,000 centrifuges. The IR-1 centrifuges were taken out of service as industrial control software affected by Stuxnet increased the motor speed to 1,064 cycles per second.
Although antivirus solutions detected Stuxnet, mission-critical facilities rely on network isolation and strictly enforced computer usage policies to keep their networks clean of viruses. This, along with other vulnerabilities, allowed Stuxnet to propagate at will inside the Iranian networks.
Siemens advises all SIMATIC PCS7 and SIMATIC WinCC users to use the software updates described in the advisories to fix the software vulnerabilities as soon as possible. It recommends that customers install the latest Service Pack, V5.5 SP2.