Full Report
Several SIMATIC S7-1500 CPU versions are affected by an authentication bypass vulnerability that could allow an unauthenticated remote attacker to gain knowledge of the actual and configured maximum cycle times and the communication load of the CPU. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Unauthenticated Information Disclosure in SIMATIC S7-1500 Web Server
## CVE Details
- **CVE ID:** CVE-2024-46887
- **CVSS Score:**
  - CVSS v4.0: 6.9 (Medium)
  - CVSS v3.1: 5.3 (Medium)
- **CWE:** CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
## Affected Systems
- **Products:**
  - SIMATIC S7-1500 CPU family (including ET 200 CPUs and SIPLUS variants)
  - SIMATIC Drive Controller family (CPU 1504D TF, 1507D TF)
  - SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (V2 and V3 CPUs)
  - SIMATIC S7-1500 Software Controller
  - SIMATIC S7-PLCSIM Advanced
- **Versions:**
  - Firmware V2.x: typically all versions < V2.9.8 (check the specific model in the vendor advisory for the exact version)
  - Firmware V3.x: typically all versions < V3.1.4
  - Drive Controllers: all versions < V3.1.4
  - Open Controller PC2: Windows OS < V21.9.8 (V2) or < V31.1.4 (V3); Industrial OS < V31.1.4
- **Configurations:** Systems with the integrated Web Server enabled.
## Vulnerability Description
The web server component of affected SIMATIC devices fails to properly authenticate user requests directed at the `/ClientArea/RuntimeInfoData.mwsl` endpoint. This allows an attacker to bypass standard authentication mechanisms to access sensitive diagnostic data.
## Exploitation
- **Status:** PoC availability not explicitly mentioned in advisory; no reports of exploitation in the wild at time of publication.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low (disclosure of cycle times and communication load data).
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
Siemens has released several firmware updates to address this flaw:
- **S7-1500 V3 CPUs:** Update to V3.1.4 or later.
- **S7-1500 V2 CPUs:** Update to V2.9.8 or later.
- **Drive Controllers:** Update to V3.1.4 or later.
- **Open Controller PC2:** Update to V21.9.8 (V2 CPUs) or V31.1.4 (V3 CPUs).
- **S7-PLCSIM Advanced:** Update to V6.0 SP1 or later.
### Workarounds
If patching is not immediately possible, Siemens recommends:
- Disable the Web Server if it is not required for operation.
- Implement "Defense in Depth" by limiting network access to the PLC's web interface (Port 443/80) to trusted administrative workstations only.
## Detection
- **Indicators of Compromise:** Unusual or unauthorized GET requests to the URI path `/ClientArea/RuntimeInfoData.mwsl`, in particular from sources that have not authenticated to the Web Server or are not trusted administrative workstations.
- **Detection methods and tools:** Monitoring of network traffic via IDS/IPS and auditing Web Server access logs (where available) for requests to that endpoint.
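The log audit described above, as an added example that is not part of the advisory or Siemens' own tooling: it scans access-log lines for requests to the vulnerable endpoint and rates each hit by whether the source is a trusted administrative workstation. It assumes Common Log Format lines captured by a reverse proxy or sensor in front of the PLC (the S7-1500 Web Server's own log format is not given in the advisory), and the trusted network and sample log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint named in the Siemens advisory for CVE-2024-46887.
VULN_PATH = "/ClientArea/RuntimeInfoData.mwsl"

# Assumption: Common Log Format as written by a reverse proxy or network sensor
# in front of the PLC; the device's own log format is not specified on the page.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption (constructed): the only network that should reach the web interface.
TRUSTED_NETS = [ip_network("10.0.10.0/24")]


def is_trusted(src: str) -> bool:
    """True if the source address belongs to a trusted administrative network."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_runtime_info_requests(lines):
    """Return (src, timestamp, status, severity) for every request to the
    vulnerable endpoint. Sources outside the trusted networks are 'high';
    trusted sources are 'info' so legitimate diagnostics can still be audited."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        # Drop any query string and compare case-insensitively.
        path = m["path"].split("?", 1)[0].lower()
        if path != VULN_PATH.lower():
            continue
        severity = "info" if is_trusted(m["src"]) else "high"
        hits.append((m["src"], m["ts"], int(m["status"]), severity))
    return hits


# Constructed sample log lines, not taken from a real device.
SAMPLE_LOG = [
    '10.0.10.5 - - [12/Oct/2024:08:01:02 +0000] "GET /Portal/Portal.mwsl HTTP/1.1" 200 4321',
    '10.0.10.5 - - [12/Oct/2024:08:01:05 +0000] "GET /ClientArea/RuntimeInfoData.mwsl HTTP/1.1" 200 812',
    '192.0.2.44 - - [12/Oct/2024:08:02:10 +0000] "GET /ClientArea/RuntimeInfoData.mwsl?x=1 HTTP/1.1" 200 812',
    "not a log line",
]

if __name__ == "__main__":
    for hit in find_runtime_info_requests(SAMPLE_LOG):
        print(hit)
```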
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-054046[.]html
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories
- **Firmware Downloads:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109478459/