ICSA-11-356-01 · Published 2025-06-05
Siemens Simatic HMI Authentication Vulnerabilities
CVSS 10.0
CRITICAL
CVEs (2)
Remediations
- Siemens will address the authentication token generation vulnerability in “SIMATIC WinCC V11.0 SP 2 Update 1,” which is to be released on January 13, 2012, or in “SIMATIC WinCC flexible 2008 SP3,” which is to be released on January 18, 2012.
- Product documentation has been updated to tell the user how to set a proper password during initial setup to remove the risk of the default password vulnerability.
- Siemens has published a statement on their Industrial Security web pages that addresses these issues. (http://www.siemens.com/industrialsecurity)
Affected Vendors
Siemens
Affected Products (3)
- Siemens · SIMATIC WinCC flexible RT: 2004, 2005, 2005 SP1, 2007, 2008, 2008 SP1, 2008 SP2
- Siemens · SIMATIC WinCC Runtime Advanced: 11, 11 SP1, 11 SP2
- Siemens · Multiple SIMATIC Panels: TP, OP, MP, Mobile, and Comfort