Full Report

The most serious of the vulnerabilities could allow arbitrary files to be downloaded from the device without authentication.

Analysis Summary

This page summarizes the vulnerability information published in the Siemens security advisory for SIMATIC operator panels (SSA-220035, listed under References).
# Vulnerability: Arbitrary File Download and XSS in Siemens SIMATIC Panels
## CVE Details
- **CVE ID:** CVE-2018-13814 (High), CVE-2018-13816 (Medium)
- **CVSS Score:** 7.5 (High) for CVE-2018-13814; 5.3 (Medium) for CVE-2018-13816
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-79 (Cross-site Scripting)
## Affected Systems
- **Products:** Siemens SIMATIC HMI Comfort Panels, SIMATIC HMI Mobile Panels, and SIMATIC WinCC Runtime Advanced.
- **Versions:** All versions prior to v15 Update 4.
- **Configurations:** Systems where the integrated web server is enabled.
## Vulnerability Description
The most critical flaw (CVE-2018-13814) is a directory traversal vulnerability in the integrated web server of the affected devices. A remote, unauthenticated attacker can send specially crafted HTTP requests to the web server to read and download files outside the intended web root directory, which exposes any file the web server process can read, including configuration files and other system data. No credentials or user interaction are required.
The second flaw (CVE-2018-13816) is a Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject script into the web interface, which is then executed in the context of a victim's browser session. Unlike the traversal flaw, exploiting it depends on a user of the panel's web interface loading the attacker-supplied content, so its practical impact is bounded by what that user's session is permitted to do.
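As an added illustration of the traversal class described above (this is example code written for this page, not Siemens' web server implementation, which is not public), the following Python model shows the vulnerable pattern of decoding a request path and joining it onto the web root, beside the containment check that prevents the escape. The web root `/srv/www`, the function names and the request paths are all constructed for the example; note that it also handles the double-encoded (`%252e`) and backslash (`%5c`) variants, which the advisory text does not enumerate.

```python
import os
from typing import Optional
from urllib.parse import unquote


def resolve_naive(web_root: str, request_path: str) -> str:
    """Vulnerable pattern: decode the request path and join it onto the
    web root without checking where the resulting path ends up."""
    return os.path.join(web_root, unquote(request_path).lstrip("/"))


def resolve_contained(web_root: str, request_path: str) -> Optional[str]:
    """Hardened pattern: decode, canonicalise, then require the canonical
    result to lie inside the canonical web root. Returns None on escape."""
    root = os.path.realpath(web_root)
    # Decode twice so that double-encoded dots (%252e) are seen as dots too;
    # over-decoding is harmless here because the containment check runs on
    # the final canonical path, not on the decoded string.
    decoded = unquote(unquote(request_path))
    # Treat backslashes as separators so "..%5c" is normalised the same way
    # it would be on a Windows-based runtime (on POSIX it is a plain character).
    decoded = decoded.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def demo() -> dict:
    """Run constructed requests against an imaginary web root /srv/www
    (hypothetical path for the example) and report what each resolver does."""
    root = "/srv/www"
    canon = os.path.realpath(root)
    escape = "/..%2f..%2fetc%2fpasswd"
    naive = os.path.normpath(resolve_naive(root, escape))
    return {
        # The naive join produces /srv/www/../../etc/passwd, i.e. /etc/passwd.
        "naive_escapes_root": not naive.startswith(canon + os.sep),
        "hardened_serves_index": resolve_contained(root, "/index.html")
        == os.path.join(canon, "index.html"),
        "hardened_blocks_escape": resolve_contained(root, escape) is None,
        "hardened_blocks_double_encoding": resolve_contained(
            root, "/%252e%252e/%252e%252e/etc/passwd") is None,
        "hardened_blocks_backslash": resolve_contained(
            root, "/..%5c..%5cetc%5cpasswd") is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The important design point is that the check is made on the canonical filesystem path after every decoding and symlink resolution step, rather than by looking for `..` in the request string; string-level filtering is what encoded variants are built to bypass.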
## Exploitation
- **Status:** PoC available; the web server flaws were reported and described by Kaspersky ICS CERT (see the publication listed under References).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Arbitrary file read/download)
- **Integrity:** Low (Script injection via XSS)
- **Availability:** None
## Remediation
### Patches
Siemens recommends updating the affected software to the following versions or newer:
- **SIMATIC WinCC (TIA Portal):** Update to v15 Update 4 or v15.1.
- **SIMATIC HMI Panels:** Update the panel firmware (via the TIA Portal) to the firmware release that corresponds to v15 Update 4 or later.
### Workarounds
- **Disable Web Server:** If the web server functionality is not required for operations, disable it in the device settings. This removes the vulnerable component entirely and is the preferred workaround until the firmware is updated.
- **Access Control:** Restrict access to the web server port (default TCP 80/443) to trusted IP addresses only, using an external firewall in front of the panel. Note that this reduces exposure but does not fix the flaw: any host on the allowed list, or an attacker who has compromised one, can still download arbitrary files without authentication.
## Detection
- **Indicators of Compromise:** HTTP GET requests to the panel whose path contains directory traversal sequences, in plain form (`/../`), URL-encoded form (`..%2f`, `..%5c`) or double-encoded form (`%252e%252e%2f`), particularly when the response status is 200 and the response is larger than the requested resource would normally be. Requests for files that do not belong to the web interface (configuration or system files) are the clearest sign that a traversal attempt succeeded.
- **Detection Methods and Tools:** Use an Intrusion Detection System (IDS) with signatures for directory traversal and XSS on the network segment in front of the panels; because the device itself may retain little or no request history, network-level capture (IDS, proxy or firewall logs) is the more reliable source. Security scanners can be used to audit the firmware and web server version against the fixed release.
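As an added example of the detection logic described above (written for this page; not a Siemens tool, and not an IDS signature from any vendor), the following Python script scans access-log lines for the traversal indicators and for crude XSS markers. The log lines are constructed for the example in Apache combined-log style; the panels' own logging format, if any, is not documented on this page, so the line regex is an assumption to adapt to whatever proxy, firewall or IDS actually records the requests. The decoder is bounded so that double-encoded sequences are caught without looping on pathological input.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log (Apache combined style); not real device logs.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Nov/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.55 - - [16/Nov/2018:10:01:09 +0000] "GET /..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1234
192.0.2.55 - - [16/Nov/2018:10:01:11 +0000] "GET /images/..%5c..%5cconfig.cfg HTTP/1.1" 404 0
192.0.2.55 - - [16/Nov/2018:10:01:15 +0000] "GET /%252e%252e/%252e%252e/boot.ini HTTP/1.1" 200 300
192.0.2.77 - - [16/Nov/2018:10:02:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 800
198.51.100.3 - - [16/Nov/2018:10:03:00 +0000] "GET /docs/a..b/file.html HTTP/1.1" 200 100
"""

# Assumed log layout: client ip, identd, user, [timestamp], "METHOD target proto", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly, but at most max_rounds times, so that
    %252e%252e is reduced to '..' without looping forever on hostile input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str) -> List[str]:
    """Return the indicator names that match a request target (empty if clean)."""
    reasons: List[str] = []
    decoded = fully_decode(target)
    # Traversal is judged on path segments after decoding, with backslashes
    # treated as separators, so 'a..b' is not a false positive but '..\' is caught.
    path = decoded.split("?", 1)[0].replace("\\", "/")
    if ".." in path.split("/"):
        reasons.append("directory-traversal")
    lowered = decoded.lower()
    if "<script" in lowered or "javascript:" in lowered or "onerror=" in lowered:
        reasons.append("xss-marker")
    return reasons


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each line and keep those whose target matches an indicator."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        reasons = classify(match["target"])
        if reasons:
            findings.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "target": match["target"],
                "status": match["status"],
                "reasons": ",".join(reasons),
            })
    return findings


def successful_traversals(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Traversal attempts that got a 200 back deserve the highest priority:
    they are the ones where a file was most likely actually returned."""
    return [f for f in findings
            if "directory-traversal" in f["reasons"] and f["status"] == "200"]


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ip']} {hit['ts']} {hit['status']} {hit['reasons']} {hit['target']}")
    print(f"{len(successful_traversals(hits))} traversal request(s) answered with 200")
```

On the sample, four of the six lines are flagged (three traversal attempts from one source, one XSS probe) and the `a..b` path is correctly left alone; two of the traversal requests received a 200, which is the subset an analyst should chase first, since a 404 shows the attempt but a 200 suggests the file left the device.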
## References
- **Vendor Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-220035[.]pdf
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/11/16/web-vulnerabilities-in-siemens-simatic-operator-panels/
- **NIST NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-13814