Full Report
Several SIMATIC S7-1500 and S7-1200 CPU versions are affected by an open redirect vulnerability that could allow an attacker to make the web server of affected devices redirect a legitimate user to an attacker-chosen URL. For a successful attack, the legitimate user must actively click on an attacker-crafted link. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Open Redirect in SIMATIC S7-1500 and S7-1200 CPU Web Servers
## CVE Details
- CVE ID: CVE-2024-46886
- CVSS Score: 4.7 (CVSS v3.1) / 5.1 (CVSS v4.0); both ratings fall in the Medium band
- CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
## Affected Systems
- Products:
- SIMATIC Drive Controller family (e.g., CPU 1504D TF, CPU 1507D TF)
- SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (including SIPLUS variants; both the V2 CPUs running Windows and the V3 CPUs running Industrial OS or Windows are listed)
- SIMATIC S7-1200 CPU V4 family (including SIPLUS variants, e.g., CPU 1211C)
- SIMATIC S7-1500 CPU (Various lines including hardware/software controllers, multiple versions listed in advisory)
- Versions: all versions below the fixed version listed for each product line. Examples include:
- S7-1200 CPU 1211C: All versions < V4.7.0
- Drive Controller CPU 1504D TF / 1507D TF: All versions < V3.1.4
- ET 200SP Open Controller V2 CPUs (Windows OS): All versions < V21.9.8
- ET 200SP Open Controller V3 CPUs (Industrial/Windows OS): All versions < V31.1.4
- Configurations: Requires the web server functionality to be active on the affected devices.
## Vulnerability Description
The web server component of the affected SIMATIC CPUs does not correctly validate user-supplied input intended for URL redirection. This flaw, categorized as an Open Redirect (CWE-601), allows an attacker to craft a malicious link that, when clicked by a legitimate user accessing the device's web interface, causes the user's browser to be redirected to an arbitrary, attacker-chosen external URL.
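To make the flaw concrete, the following is an added illustration written for this summary, not code from Siemens or from the affected web server: a hypothetical redirect handler in the unsafe CWE-601 form beside a hardened form. The handler name, the `next` parameter and the `/dashboard` landing page are assumptions for the example; the advisory does not name the vulnerable endpoint or parameter. The hardened version goes beyond a plain "starts with `/`" check and handles the bypasses a tester would try first: scheme-relative `//host`, backslash and triple-slash variants that browsers read as a host, embedded tab/newline characters, and non-HTTP schemes.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical handler names and the "next" parameter are illustration only:
# the advisory does not name the parameter or endpoint in the SIMATIC web
# server, and nothing here is claimed to be Siemens' code.

DEFAULT_TARGET = "/"


def redirect_unsafe(next_param: str) -> str:
    """CWE-601 pattern: the request-supplied value becomes the Location header
    unchanged, so a crafted link sends the user to any attacker-chosen URL."""
    return next_param or DEFAULT_TARGET


def redirect_safe(next_param: str, default: str = DEFAULT_TARGET) -> str:
    """Hardened pattern: accept only a path rooted on the device itself.

    Rejects absolute URLs, scheme-relative URLs (//host), backslash variants
    (\\host, which browsers read as //host), extra leading slashes (///host,
    which browsers also treat as a host) and non-http schemes such as
    javascript:. Anything rejected falls back to the default landing page."""
    if not next_param:
        return default
    # Browsers drop ASCII tab/newline inside a URL and treat "\" like "/";
    # normalise the same way before inspecting, so "/<tab>/evil" and
    # "/\evil" cannot slip past the checks below.
    candidate = "".join(c for c in next_param if c not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from the parsed pieces so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```

The design choice worth noting is that the safe version never tries to recognise "bad" hosts; it refuses anything that is not a single-slash rooted path on the device, which is the only kind of redirect a PLC web server has a reason to issue. A denylist of external hosts would be bypassed by the next encoding trick the browser happens to accept.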
## Exploitation
- Status: The advisory gives no indication of exploitation in the wild, and none is publicly known from the material summarised here.
- Attack Complexity: Low (AC:L); Privileges Required: None (PR:N). The attacker needs no account on the device, only a way to deliver a crafted link to someone who uses its web interface.
- Attack Vector: Network (AV:N)
- User Interaction: Required (UI:R in CVSS v3.1, UI:A in CVSS v4.0). The legitimate user must open the attacker-crafted link; nothing happens without that click.
## Impact
- Confidentiality: No Impact (N)
- Integrity: Low Impact (L). The CPU itself is not modified; the impact lands on the user, who is sent from a link that visibly points at the trusted PLC host to an attacker-controlled page that can imitate the device's login or diagnostic pages (phishing).
- Availability: No Impact (N)
## Remediation
### Patches
Siemens strongly recommends updating affected products to the latest versions available in the advisory. Specific fixes mentioned include:
* **SIMATIC Drive Controller CPU 1504D/1507D TF:** Update to V3.1.4 or later.
* **SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (V2/Windows):** Update to V21.9.8 or later.
* **SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (V3/Industrial/Windows OS):** Update to V31.1.4 or later.
* **SIMATIC S7-1200 CPU V4 family:** Update to V4.7.0 or later.
* *Note: Refer to the official security advisory for the complete, expanded list of fixed versions across all affected product lines, including S7-1500 CPUs and Software Controllers.*
### Workarounds
For products where fixes are not yet available, Siemens recommends specific countermeasures; the details are given per product in the vendor advisory and are not reproduced here. Two general measures follow directly from the attack preconditions: deactivate the CPU web server where it is not needed, since the vulnerability requires it to be active, and have operators reach the device's web interface only through addresses they typed or bookmarked themselves rather than through links received by e-mail, chat or documents.
## Detection
- Indicators of Compromise: a 3xx response from a CPU's web server whose Location header names a host other than the CPU itself, typically followed by a connection from the same client to that external host. Because the redirect target is attacker-supplied, the same external URL will usually appear in the triggering request (as a query parameter) and in the Location header. On the client side, a browser session reaching an unfamiliar external host immediately after visiting the device's web interface is the observable symptom.
- Detection Methods and Tools: a web proxy, IDS or other HTTP-inspecting sensor between engineering workstations and the automation network can log response status and Location header and alert when a PLC address answers with a redirect to a host outside the automation network. If the CPU serves HTTPS only, the redirect is visible only at a proxy with TLS inspection or on the endpoint (browser history, endpoint security telemetry), so the alert may have to be built there instead.
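The following detector is an added example for this summary, not a Siemens tool or a stock rule from any IDS: it walks constructed HTTP records and flags 3xx responses from PLC addresses whose Location header points off the device. The tab-separated layout (timestamp, client, server, status, location), the `10.0.1.0/24` PLC network and the PLC hostnames are assumptions; a standard Zeek `http.log` does not record the Location header, so in practice this needs a proxy or sensor configured to capture it.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample records (not real traffic) in a simple tab-separated
# layout assumed for this example:  ts  client  server  status  location
SAMPLE_LOG = """\
1717000001.12\t10.0.5.21\t10.0.1.10\t200\t-
1717000002.48\t10.0.5.21\t10.0.1.10\t302\thttps://10.0.1.10/dashboard
1717000003.90\t10.0.5.33\t10.0.1.10\t302\thttps://plc-login.example.net/
1717000004.05\t10.0.5.33\t10.0.1.11\t303\t//203.0.113.7/auth
1717000005.77\t10.0.5.40\t10.0.1.11\t302\t/start
1717000006.10\t10.0.5.40\t10.0.8.9\t302\thttps://intranet.example/
"""

# Assumed site layout: the address range and DNS names of the CPUs.
PLC_NETWORK = ipaddress.ip_network("10.0.1.0/24")
PLC_HOSTNAMES = {"plc-1500.example", "plc-1200.example"}


def location_host(location: str) -> str:
    """Host named by a Location header, or "" for a relative redirect."""
    loc = location.strip()
    if loc.startswith("//"):          # scheme-relative still names a host
        loc = "http:" + loc
    return urlsplit(loc).hostname or ""


def is_plc(addr: str) -> bool:
    """True if addr is an IP address inside the PLC network."""
    try:
        return ipaddress.ip_address(addr) in PLC_NETWORK
    except ValueError:
        return False


def find_external_redirects(log_text: str) -> list:
    """Return records where a PLC web server answered 3xx with a Location
    header that points anywhere other than a PLC address or PLC hostname."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, server, status, location = line.split("\t")
        if not is_plc(server) or not status.startswith("3") or location == "-":
            continue
        host = location_host(location)
        if host == "":
            continue                  # relative path: stays on the device
        if is_plc(host) or host in PLC_HOSTNAMES:
            continue                  # self-redirect, benign
        hits.append({"ts": ts, "client": client, "plc": server,
                     "status": status, "target": host})
    return hits


if __name__ == "__main__":
    for hit in find_external_redirects(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['plc']} "
              f"redirected ({hit['status']}) to external host {hit['target']}")
```

On the constructed records this flags the two redirects from `10.0.1.10` and `10.0.1.11` to `plc-login.example.net` and `203.0.113.7`, and ignores the self-redirect, the relative `/start` and the redirect from a non-PLC server. If a site legitimately redirects PLC users to an external portal, add that host to the allowlist rather than widening the status check.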
## References
- Vendor Advisories:
- SSA-876787: `https://cert-portal.siemens.com/productcert/html/ssa-876787.html`
- Siemens General ProductCERT Advisories: `https://www.siemens.com/cert/advisories`