This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects attempts to exploit a vulnerability in Siemens SIMATIC WinCC SCADA which may result in remote code execution.
Siemens SIMATIC WinCC And PCS 7 are prone to the following security vulnerabilities:
1. An information-disclosure vulnerability occurs because application fails to properly restrict user access to the embedded MS SQL database. Specifically, this issue occurs because the WinCC stores user passwords for WebNavigator in an MS SQL database. Attackers can exploit this issue to gain knowledge of otherwise restricted password fields. CVE-2013-0678
2. An information-disclosure vulnerability occurs because application provides too many rights to several users in the database. Attackers can exploit this issue to gain knowledge of password fields. CVE-2013-0676
3. A directory-traversal vulnerability occurs because it returns sensitive data if certain file names and paths are queried. This issue can be exploited by sending a specially crafted URI request containing directory-traversal sequences. CVE-2013-0679
4. A remote buffer-overflow vulnerability occurs in 'RegReader' ActiveX control. Specifically, this issue occurs because it does not properly bounds check the length of the parameters. due to an unspecified error in the CVE-2013-0674
5. An information-disclosure vulnerability occurs because it allows parsing of project files insecurely. Attackers can exploit his issue by tricking a user into opening a specially crafted project file. CVE-2013-0677
6. A remote buffer-overflow vulnerability occurs due to an error when handling certain network packets in the WinCC central communications component ('CCEServer'). Attackers can exploit this issue using specially crafted packets. CVE-2013-0675
Note: Successful exploit of issues #1, #2 and #3 requires authentication.
An attacker can exploit these issues to gain access to sensitive information, arbitrary system files, and execute arbitrary code in the context of the application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service conditions.
- Versions prior to Siemens SIMATIC WinCC 7.2 and Siemens SIMATIC PCS 7 8.0 SP1 are vulnerable.