Siemens ProcessSuite and Invensys Intouch Poorly Encrypted Password File
Low Risk | ICS-CERT ICSA-12-348-01 | Sep 16, 2012
Summary
Siemens ProcessSuite and Invensys Wonderware InTouch store passwords using weak encryption in files that may be accessible to attackers with local or network access to the engineering workstation. An attacker who obtains the password file can decrypt the stored credentials and use them to access the SCADA application configuration and operational controls.
What this means
What could happen
An attacker with access to the password file could extract credentials used to configure your SCADA system, allowing them to modify process logic or gain unauthorized control of control system operations.
Who's at risk
Engineering and operations teams using Siemens ProcessSuite (all versions) or Invensys Wonderware InTouch 2012 R2 and earlier for configuring and operating SCADA systems in water, electric, gas, and manufacturing facilities should be aware of this risk affecting their system engineering and authentication infrastructure.
How it could be exploited
An attacker would need to obtain the password file from the affected system (either through network access if the file is stored on a networked drive, or through local access if they have compromised the workstation). Because the stored passwords are protected only by weak encryption, the attacker can then decrypt them and use those credentials to access and modify the SCADA application.
Prerequisites
- Access to the password file on the affected system (local or network-accessible)
- No special tools required; weak encryption can be broken with readily available methods
- Weak encryption algorithm
- No patch available
- Credential exposure risk
- No authentication required for file access
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| Siemens ProcessSuite | All versions (vers:all/*) | No fix (EOL) |
| Invensys Wonderware InTouch 2012 | ≤ R2 (<=R2) | No fix (EOL) |
Remediation & Mitigation
Do now
HARDENING: Restrict file system access to password files on ProcessSuite and InTouch systems using Windows NTFS permissions to only authorized engineering and administrative accounts
HARDENING: Disable remote access to workstations running ProcessSuite or InTouch unless absolutely required; if required, use VPN with multi-factor authentication
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Audit and rotate all passwords managed by ProcessSuite and InTouch systems
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Siemens ProcessSuite: vers:all/*, Invensys Wonderware InTouch 2012: <=R2. Apply the following compensating controls:
HARDENING: Store password files on systems not directly accessible from the control network; segregate engineering workstations from operational network using air-gap or strict firewall rules
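The NTFS permission restriction in the first hardening step can be verified with an audit like the one below, which lists every principal outside an allow-list that can read a password file. This is an added example, not code from the advisory or from either vendor; the file path and the `SCADA-Engineers` group are placeholders, because the advisory does not name the password file locations.

```powershell
# Added example: audit NTFS ACLs on password files against an allow-list.
# The path and the domain group are placeholders, not values from the advisory.
param(
    [string[]]$PasswordFiles = @('C:\PLACEHOLDER\path\to\password-file'),
    [string[]]$AllowedIdentities = @(
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM',
        'PLACEHOLDER-DOMAIN\SCADA-Engineers'
    )
)

# ReadData is the right that lets a principal read (and so copy) the file.
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($file in $PasswordFiles) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        Write-Warning "Not found: $file"
        continue
    }
    $acl = Get-Acl -LiteralPath $file

    # With inheritance on, a change to a parent folder can silently widen access.
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$file inherits permissions from its parent folder"
    }

    foreach ($ace in $acl.Access) {
        $isAllow = $ace.AccessControlType -eq 'Allow'
        $canRead = ($ace.FileSystemRights -band $readMask) -ne 0
        $known   = $AllowedIdentities -contains $ace.IdentityReference.Value

        # Report every allow entry that grants read access to an unlisted principal.
        if ($isAllow -and $canRead -and -not $known) {
            [pscustomobject]@{
                File      = $file
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

An empty result with no warnings means only the allow-listed accounts can read the file through NTFS; permissions on any network share exposing the same folder need a separate check.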
CVEs (1)