Full Report
SIMATIC CP 343-1 Advanced/CP 443-1 Advanced devices and SIMATIC S7-300/S7-400 CPUs are affected by two vulnerabilities. One of them could allow a remote attacker to perform operations with the permissions of an authenticated user under certain conditions. Siemens has released updates for several affected products and recommends updating to the latest versions. For products where updates are not available, or not yet available, Siemens recommends specific countermeasures.
Analysis Summary
# Vulnerability: Web Vulnerabilities in SIMATIC NET CP and S7-300/400 CPUs
## CVE Details
**Vulnerability 1**
- **CVE ID:** CVE-2016-8673
- **CVSS Score:** 6.3 (Medium)
- **CWE:** CWE-345: Insufficient Verification of Data Authenticity
**Vulnerability 2**
- **CVE ID:** CVE-2016-8672
- **CVSS Score:** 4.0 (Medium)
- **CWE:** CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
## Affected Systems
- **Products:**
  - SIMATIC CP 343-1 Advanced (including SIPLUS variants)
  - SIMATIC CP 443-1 Advanced (including SIPLUS variants)
  - SIMATIC S7-300 CPU family (including related ET200 CPUs and SIPLUS variants)
  - SIMATIC S7-400 PN/DP CPU family (including SIPLUS variants)
- **Versions:**
  - CP 343-1: All versions < V3.0.53
  - CP 443-1: All versions < V3.2.17
  - S7-300 CPU: All versions < V3.X.18
  - S7-400 PN/DP: All versions
- **Configurations:** Systems with the integrated web server enabled (Ports 80/TCP or 443/TCP).
## Vulnerability Description
The affected devices contain two distinct web-based flaws:
1. **Request Forgery/Unauthorized Actions (CVE-2016-8673):** The web server does not sufficiently verify the authenticity of data. If an authenticated user is induced to trigger a malicious request while holding an active session, a remote attacker can perform operations with that user's permissions.
2. **Missing Secure Flag (CVE-2016-8672):** The integrated web server issues cookies without the "Secure" attribute. A browser will therefore also send such a cookie over a clear-text HTTP connection to the same host, where it can be observed on the network; with the flag set, the browser would restrict the cookie to HTTPS and prevent that leakage.
## Exploitation
- **Status:** PoC available (Note: CVSS exploitability code "E:P" indicates Proof-of-Concept).
- **Complexity:**
  - CVE-2016-8673: Low
  - CVE-2016-8672: High
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low (Potential session cookie or data leakage)
- **Integrity:** Low (Unauthorized operations as an authenticated user)
- **Availability:** Low (Potential to trigger actions affecting device state)
## Remediation
### Patches
Siemens recommends upgrading to the following versions:
- **SIMATIC CP 343-1 Advanced:** Update to V3.0.53 or later.
- **SIMATIC CP 443-1 Advanced:** Update to V3.2.17 or later.
- **SIMATIC S7-300 CPU:** Update to V3.X.18 or later.
- **SIMATIC S7-400 PN/DP:** **No fix is currently planned.** Users must rely on workarounds.
### Workarounds
- **Deactivate Web Server:** Disable the web server functionality if not required for operations.
- **Secure Network Access:** Protect network access to devices using industry-standard mechanisms (e.g., firewalls, VPNs).
- **Environmental Shielding:** Operate devices strictly within protected IT/OT environments according to Siemens’ operational guidelines.
## Detection
- **Indicators of Compromise:** Unusual administrative actions or configuration changes originating from unexpected IP addresses but associated with valid user sessions.
- **Detection Methods:** Monitor traffic on 80/TCP and 443/TCP for suspicious cross-site requests or unauthorized session activity.
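The two checks a defender can run against the findings above, written as an added example for this summary (it is not Siemens code and not part of the advisory): the first inspects a device's HTTPS response headers and reports cookies issued without the `Secure` attribute (CVE-2016-8672); the second reviews web-server access records for state-changing requests whose `Origin`/`Referer` does not name the device itself, which is the trace a forged cross-site request leaves behind (CVE-2016-8673). The response headers, the pipe-separated log format, the cookie name `session_id`, and the host `192.168.0.10` are all constructed for illustration; a real deployment would feed in the device's actual headers and whatever access log or proxy log is available.

```python
"""Defender-side checks for the two SIMATIC web-server findings.

1. CVE-2016-8672: report Set-Cookie headers that lack the Secure attribute.
2. CVE-2016-8673: flag state-changing requests whose Origin/Referer host is
   not the device's own host (or is absent), the pattern of a cross-site
   request riding on a user's existing session.

All sample data below is constructed for illustration; it is not captured
from a real device.
"""
from urllib.parse import urlsplit

# Constructed sample: response headers as an HTTPS device web server might
# send them. The first cookie is a session cookie missing "Secure".
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]

# Constructed sample access log, one request per line:
# timestamp|client_ip|method|path|Origin header|Referer header ("-" if absent)
SAMPLE_ACCESS_LOG = [
    "2016-11-01T10:00:00Z|10.0.0.5|GET|/login|-|https://192.168.0.10/",
    "2016-11-01T10:00:05Z|10.0.0.5|POST|/settings|https://192.168.0.10|https://192.168.0.10/settings",
    "2016-11-01T10:02:30Z|10.0.0.5|POST|/settings|https://other-site.example|https://other-site.example/page",
    "2016-11-01T10:03:10Z|10.0.0.7|POST|/settings|-|-",
]

STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}


def cookies_missing_secure(headers):
    """Return the names of cookies set without the Secure attribute.

    `headers` is a list of (name, value) pairs from one HTTPS response.
    """
    missing = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; flags like Secure carry no value.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(cookie_name)
    return missing


def _host_of(url):
    """Hostname of a URL, or None when the header was absent ("-")."""
    if not url or url == "-":
        return None
    return urlsplit(url).hostname


def cross_site_state_changes(log_lines, device_host):
    """Flag state-changing requests not attributable to the device's own pages.

    A request is flagged when its Origin (preferred) or Referer host differs
    from `device_host`, or when neither header is present. Browsers attach
    Origin to POST requests, so an absent source is treated conservatively as
    suspicious; tune this if scripted clients are expected.
    """
    flagged = []
    for line in log_lines:
        ts, client, method, path, origin, referer = line.split("|")
        if method not in STATE_CHANGING_METHODS:
            continue
        source = _host_of(origin) or _host_of(referer)
        if source != device_host:
            flagged.append({"time": ts, "client": client, "path": path, "source": source})
    return flagged


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_RESPONSE_HEADERS):
        print(f"cookie without Secure attribute: {cookie}")
    for hit in cross_site_state_changes(SAMPLE_ACCESS_LOG, "192.168.0.10"):
        print(f"cross-site state change: {hit}")
```

Both checks are read-only: the cookie check needs only a normal response from the device, and the log review runs offline against records already collected, so neither touches the controller's process.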
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens.com/productcert/pdf/ssa-603476.pdf
- **Siemens Industrial Security:** hxxps://www.siemens.com/industrialsecurity
- **Operational Guidelines:** hxxps://www.siemens.com/cert/operational-guidelines-industrial-security