Full Report
The webserver of several SIMATIC products is affected by a user enumeration vulnerability that could allow an unauthenticated remote attacker to identify valid usernames. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: User Enumeration in SIMATIC Webserver
## CVE Details
- **CVE ID:** CVE-2023-37482
- **CVSS Score:** 5.3 (Medium) [v3.1] / 6.9 (Medium) [v4.0]
- **CWE:** CWE-203: Observable Discrepancy
## Affected Systems
- **Products:**
  - SIMATIC Drive Controller family (including CPU 1504D TF and CPU 1507D TF)
  - SIMATIC S7-1500 CPU family
  - SIMATIC S7-1200 CPU family
  - SIMATIC ET 200SP Open Controller
  - SIMATIC S7-1500 Software Controller
  - SIMATIC S7-PLCSIM Advanced
  - SIPLUS extreme products (based on the hardware above)
- **Versions:**
  - SIMATIC Drive Controller: All versions < V3.1.2
  - SIMATIC S7-1500 Software Controller V3: All versions < V30.1.0
  - SIMATIC S7-1500: All versions < V3.1.2
  - SIMATIC S7-1200: Versions V4.0 to < V4.7
  - SIMATIC S7-PLCSIM Advanced: All versions >= V6.0 and < V7.0
- **Configurations:** The vulnerability is specifically exploitable when the Webserver is enabled and accessible via **unencrypted HTTP (port 80/tcp)**.
## Vulnerability Description
A side-channel vulnerability exists in the login functionality of the integrated webserver. The server fails to normalize response times during authentication attempts. Because the system takes different amounts of time to process a login request for a valid username versus an invalid one, an unauthenticated remote attacker can use timing analysis (response time discrepancies) to identify valid usernames on the system.
## Exploitation
- **Status:** Not exploited (No known reports of exploitation in the wild at time of advisory).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Low (Information disclosure of valid usernames).
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
Siemens has released several firmware updates to address this flaw. Key updates include:
- **SIMATIC Drive Controller:** Update to V3.1.2 or later.
- **SIMATIC S7-1500 CPU family:** Update to V3.1.2 or later.
- **SIMATIC S7-1500 Software Controller V3:** Update to V30.1.0 or later.
- **SIMATIC S7-PLCSIM Advanced:** Update to V7.0 or later.
- **SIMATIC S7-1200 CPU family:** Update to V4.7 or later.
### Workarounds
- **Disable HTTP:** The vulnerability is considered exploitable only via HTTP. Disable Port 80/tcp and ensure web services are accessed exclusively via HTTPS (Port 443/tcp).
- **Default Status:** Note that the webserver is deactivated by default in these products. If not required for operations, keep the webserver disabled.
## Detection
- **Indicators of Compromise:** Unusual volumes of rapid, failed login attempts from a single source aimed at testing common or specific usernames.
- **Detection Methods:** Monitor network traffic for HTTP (Port 80) access to industrial controllers; utilize Intrusion Detection Systems (IDS) to flag automated credential probing or timing-based scanning patterns.
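The detection approach above, as an added example that is not part of the advisory or any Siemens tooling: a small Python script that parses constructed gateway log lines (the log format, field names and thresholds are assumptions) and flags clients that issue a burst of failed plaintext-HTTP logins spread over several distinct usernames, the trace a username sweep leaves behind, while ignoring HTTPS traffic and slow, isolated failures.

```python
"""Flag bursts of failed HTTP logins that sweep through many usernames."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in an assumed gateway/proxy log format (not a real SIMATIC
# log): timestamp, client, target host:port, request, response status, submitted user.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z src=10.0.5.7 dst=192.168.0.1:80 POST /Login status=401 user=admin
2024-03-01T10:00:01Z src=10.0.5.7 dst=192.168.0.1:80 POST /Login status=401 user=operator
2024-03-01T10:00:02Z src=10.0.5.7 dst=192.168.0.1:80 POST /Login status=401 user=service
2024-03-01T10:00:03Z src=10.0.5.7 dst=192.168.0.1:80 POST /Login status=401 user=maintenance
2024-03-01T10:00:04Z src=10.0.5.7 dst=192.168.0.1:80 POST /Login status=401 user=guest
2024-03-01T10:05:00Z src=10.0.5.9 dst=192.168.0.1:443 POST /Login status=401 user=operator
2024-03-01T10:10:00Z src=10.0.5.13 dst=192.168.0.1:80 POST /Login status=401 user=admin
2024-03-01T10:12:00Z src=10.0.5.13 dst=192.168.0.1:80 POST /Login status=401 user=operator
2024-03-01T10:14:00Z src=10.0.5.13 dst=192.168.0.1:80 POST /Login status=401 user=service
2024-03-01T10:16:00Z src=10.0.5.13 dst=192.168.0.1:80 POST /Login status=401 user=guest
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<path>\S+) status=(?P<status>\d+) user=(?P<user>\S+)$")

def parse_log(text):
    """Parse the sample format into event dicts; non-matching lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["port"], ev["status"] = int(ev["port"]), int(ev["status"])
        events.append(ev)
    return events

def find_probing_sources(events, window=timedelta(seconds=30),
                         min_failures=4, min_users=3, port=80):
    """{src: (failures, usernames)} for clients with >= min_failures failed plaintext
    HTTP logins covering >= min_users distinct usernames inside one `window`."""
    by_src = defaultdict(list)
    for ev in events:  # only failed logins on the unencrypted port are of interest here
        if ev["port"] == port and "login" in ev["path"].lower() and ev["status"] in (401, 403):
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        left = 0
        for right, ev in enumerate(evs):  # sliding time window over this client's failures
            while ev["ts"] - evs[left]["ts"] > window:
                left += 1
            burst = evs[left:right + 1]
            users = sorted({e["user"] for e in burst})
            if len(burst) >= min_failures and len(users) >= min_users:
                flagged[src] = (len(burst), users)  # keeps the latest qualifying burst
    return flagged
```

With the sample data only 10.0.5.7 is flagged: 10.0.5.9 fails over HTTPS (not the exposure described here) and 10.0.5.13 spreads its failures minutes apart, so no single window reaches the threshold.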
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-195895[.]pdf
- **Siemens Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Product Support:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109773914/