The following vulnerabilities have been reported to Siemens CERT and are now covered by by Siemens Security Advisory SSA-603476, published today (2016-11-21) and available at the following URL: http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476.pdf -- CVE-016-8672 --------------------------------------------------------- Summary: Lack of cookie protection for management web interface. Affected products: SIMATIC CP 343-1 Advanced: All versions < V3.0.53 SIMATIC CP 443-1 Advanced: All versions SIMATIC S7-300 CPU family: All firmware versions SIMATIC S7-400 CPU family: All firmware versions Description: The session cookie 'siemens_ad_session' is not protected by means of the Secure or HttpOnly flags. The Secure flag forces the transmission of a cookie only on HTTPS connections, its omission results in man-in-the-middle (MITM) attacks being capable of intercepting the cookie, by forcing its transmission on a plain HTTP connection triggered for its domain. The HttpOnly flag prevents client side scripts from accessing a cookie, mitigating cross-site scripting (XSS) attacks. The session cookie weaknesses, with particular reference to the lack of the Secure flag, highlight the need for a forced encrypted connection to the exposed web interface, in order to mitigate any hijacking of its credentials Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial Security team -- CVE-016-8673 --------------------------------------------------------- Summary: Cross-site request forgery for management web interface. Affected products: SIMATIC CP 343-1 Advanced: All versions < V3.0.53 SIMATIC CP 443-1 Advanced: All versions SIMATIC S7-300 CPU family: All firmware versions SIMATIC S7-400 CPU family: All firmware versions Description: The Cross-site request forgery (CSRF) class of attacks leverages on the trust that a logged in user gives to HTML content of unrelated origins, by triggering unauthorized commands via HTML links or scripts injected by the attacker in the browser context. The web management interface does not take advantage of any CSRF protection mechanism. This omission allows unauthorized POST requests to be issued by any JavaScript loaded in the user browser execution context, regardless of their origin. Given the fact that the affected products support POST requests, to upload Access Control List (ACL) configuration or customer specific actions, the lack of CSRF protection exposes the risk of unauthenticated management actions. Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial Security team ------------------------------------------------------------------------- -- Andrea Barisani Inverse Path Srl Chief Security Engineer -----> <-------- <andrea@xxxxxxxxxxxxxxx> http://www.inversepath.com 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"