The following vulnerabilities have been reported to Siemens CERT and are now
covered by by Siemens Security Advisory SSA-603476, published today
(2016-11-21) and available at the following URL:
http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476.pdf
-- CVE-016-8672 ---------------------------------------------------------
Summary: Lack of cookie protection for management web interface.
Affected products: SIMATIC CP 343-1 Advanced: All versions < V3.0.53
SIMATIC CP 443-1 Advanced: All versions
SIMATIC S7-300 CPU family: All firmware versions
SIMATIC S7-400 CPU family: All firmware versions
Description:
The session cookie 'siemens_ad_session' is not protected by means of the
Secure or HttpOnly flags.
The Secure flag forces the transmission of a cookie only on HTTPS
connections, its omission results in man-in-the-middle (MITM) attacks being
capable of intercepting the cookie, by forcing its transmission on a plain
HTTP connection triggered for its domain.
The HttpOnly flag prevents client side scripts from accessing a cookie,
mitigating cross-site scripting (XSS) attacks.
The session cookie weaknesses, with particular reference to the lack of the
Secure flag, highlight the need for a forced encrypted connection to the
exposed web interface, in order to mitigate any hijacking of its credentials
Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial
Security team
-- CVE-016-8673 ---------------------------------------------------------
Summary: Cross-site request forgery for management web interface.
Affected products: SIMATIC CP 343-1 Advanced: All versions < V3.0.53
SIMATIC CP 443-1 Advanced: All versions
SIMATIC S7-300 CPU family: All firmware versions
SIMATIC S7-400 CPU family: All firmware versions
Description:
The Cross-site request forgery (CSRF) class of attacks leverages on the trust
that a logged in user gives to HTML content of unrelated origins, by
triggering unauthorized commands via HTML links or scripts injected by the
attacker in the browser context.
The web management interface does not take advantage of any CSRF protection
mechanism. This omission allows unauthorized POST requests to be issued by
any JavaScript loaded in the user browser execution context, regardless of
their origin.
Given the fact that the affected products support POST requests, to upload
Access Control List (ACL) configuration or customer specific actions, the
lack of CSRF protection exposes the risk of unauthenticated management
actions.
Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial
Security team
-------------------------------------------------------------------------
--
Andrea Barisani Inverse Path Srl
Chief Security Engineer -----> <--------
<andrea@inversepath.com> http://www.inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"