Siemens Stuxnet Patch Does Not Provide Sufficient Protection
The Siemens SIMATIC Security Update for protecting WinCC systems against Stuxnet infections doesn't close the actual hole in the SQL Server configuration. It only prevents the known Stuxnet variants from working. As IT forensics expert Oliver Sucker demonstrates in a video (German language link), only a few steps are required to bypass the protection and regain full remote access to a WinCC system.
The issue is based around the hard-coded access data for the WinCC system's Microsoft SQL database. The Stuxnet worm uses this data to log into further systems from another infected system. There, it uses the integrated xp_cmdshell command shell to access the underlying Windows operating system at system privilege level from the database.
The SIMATIC update prevents the database from executing commands via xp_cmdshell by switching the relevant configuration option from 1 to 0. According to Sucker, however, the privileges of the hard-coded WinCCAdmin database user are so comprehensive that an attacker can use a few trivial SQL commands to switch the setting back from 0 to 1 after logging in. This re-enables the execution of commands via the command shell. Sucker has so far not disclosed the exact SQL commands required.
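A defender-side audit of the two conditions described above, written as an added example for this article (it is not Siemens code and not part of Sucker's demonstration): it reads the current xp_cmdshell setting and checks whether the WinCCAdmin login holds the server-level rights that would allow that setting to be changed. It assumes SQL Server 2005 or later and is meant to be run by a DBA against the WinCC instance; the login name is the one named in the article.

```sql
-- Added example (not from the article or from Siemens): read-only audit.
-- 1. Is xp_cmdshell currently enabled? value_in_use = 1 means the shell is live,
--    i.e. the update's 1-to-0 change is not (or no longer) in effect.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Can the hard-coded WinCCAdmin login flip that setting back? Changing a
--    server option requires ALTER SETTINGS, which members of the sysadmin and
--    serveradmin fixed server roles hold implicitly.
SELECT sp.name AS login_name,
       IS_SRVROLEMEMBER('sysadmin',    sp.name) AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin', sp.name) AS is_serveradmin,
       (SELECT COUNT(*)
        FROM sys.server_permissions perm
        WHERE perm.grantee_principal_id = sp.principal_id
          AND perm.permission_name = 'ALTER SETTINGS'
          AND perm.state = 'G') AS has_alter_settings_grant
FROM sys.server_principals sp
WHERE sp.name = 'WinCCAdmin';
```

If the second query reports the login as sysadmin or serveradmin, or with an explicit ALTER SETTINGS grant, the update's configuration change can be reverted by anyone holding the hard-coded credentials; a value_in_use of 1 in the first query indicates it already has been.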
When asked by The H's associates at heise Security, Siemens refused to comment on the issue. Siemens spokesman Gerhard Stauss said in an email, "Our (latest) official statement to the effect that we are investigating ways of tightening authentication procedures remains in place". Until Siemens decides to improve its authentication by allowing the definition of custom access credentials, users can only hope that there will be no further Stuxnet variants or hacker attacks.