Siemens SIMATIC Cookie Settings / Cross Site Request Forgery

Posted Nov 22, 2016
Authored by Andrea Barisani

Multiple versions of Siemens SIMATIC suffer from a cross site request forgery vulnerability and poor cookie security settings.

tags | advisory, csrf
advisories | CVE-2016-8672
SHA-256 | 26301c53dda7cca8354b059c0a9195478bf2208f7195cb4e264aa05d0d411026


The following vulnerabilities have been reported to Siemens CERT and are now
covered by Siemens Security Advisory SSA-603476, published today
(2016-11-21) and available at the following URL:

http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476.pdf

-- CVE-2016-8672 --------------------------------------------------------

Summary: Lack of cookie protection for management web interface.

Affected products:
  SIMATIC CP 343-1 Advanced: All versions < V3.0.53
  SIMATIC CP 443-1 Advanced: All versions
  SIMATIC S7-300 CPU family: All firmware versions
  SIMATIC S7-400 CPU family: All firmware versions

Description:

The session cookie 'siemens_ad_session' is not protected by means of the
Secure or HttpOnly flags.

The Secure flag restricts transmission of a cookie to HTTPS connections.
Its omission allows a man-in-the-middle (MITM) attacker to intercept the
cookie by triggering a plain HTTP request to the cookie's domain, which the
browser then answers with the cookie attached.

The HttpOnly flag prevents client side scripts from accessing a cookie,
mitigating cross-site scripting (XSS) attacks.

These session cookie weaknesses, in particular the missing Secure flag,
highlight the need to force an encrypted connection to the exposed web
interface in order to mitigate hijacking of its credentials.
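The two attributes discussed above are visible in the Set-Cookie header a web interface returns on login. The following added example (not part of the advisory or of any Siemens code) audits Set-Cookie lines for the missing Secure and HttpOnly attributes, also checks SameSite, and rebuilds the header in its hardened form. The cookie name comes from the advisory; the cookie value and the response header lines are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample headers (not captured from a real device). The first
# mirrors the weakness the advisory describes: a session cookie issued with
# neither the Secure nor the HttpOnly attribute. The second is the hardened form.
WEAK_HEADER = "siemens_ad_session=0123456789abcdef; Path=/"
HARDENED_HEADER = ("siemens_ad_session=0123456789abcdef; Path=/; "
                   "Secure; HttpOnly; SameSite=Strict")


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, str]          # lower-cased attribute name -> value ("" for flags)
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a Set-Cookie value into (name, value, [(attr, attr_value), ...]).

    Attribute names keep their original case so the header can be rebuilt;
    flags such as Secure carry an empty attr_value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs.append((key.strip(), val.strip()))
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Report the cookie-protection attributes a session cookie is missing."""
    name, _value, attrs = parse_set_cookie(header_value)
    lowered = {k.lower(): v for k, v in attrs}
    audit = CookieAudit(name=name, attributes=lowered)
    if "secure" not in lowered:
        audit.findings.append(
            "missing Secure: cookie is also sent over plain HTTP, so a MITM "
            "that triggers an http:// request to the domain can read it")
    if "httponly" not in lowered:
        audit.findings.append(
            "missing HttpOnly: cookie is readable by client-side script (XSS)")
    if lowered.get("samesite", "").lower() not in ("strict", "lax"):
        audit.findings.append(
            "missing or weak SameSite: browser will attach the cookie to "
            "cross-site POST requests (CSRF)")
    return audit


def harden_set_cookie(header_value: str) -> str:
    """Rebuild the header with Secure, HttpOnly and SameSite=Strict added where absent."""
    name, value, attrs = parse_set_cookie(header_value)
    present = {k.lower() for k, _ in attrs}
    rebuilt = [f"{name}={value}"] + [f"{k}={v}" if v else k for k, v in attrs]
    if "secure" not in present:
        rebuilt.append("Secure")
    if "httponly" not in present:
        rebuilt.append("HttpOnly")
    if "samesite" not in present:
        rebuilt.append("SameSite=Strict")
    return "; ".join(rebuilt)


def audit_response_headers(raw_headers: List[str]) -> List[CookieAudit]:
    """Audit every Set-Cookie line in a list of raw HTTP response header lines."""
    results = []
    for line in raw_headers:
        field_name, sep, field_value = line.partition(":")
        if sep and field_name.strip().lower() == "set-cookie":
            results.append(audit_set_cookie(field_value.strip()))
    return results


if __name__ == "__main__":
    # Constructed response header lines, as a device's web interface might emit them.
    response = ["HTTP/1.1 200 OK", "Content-Type: text/html",
                "Set-Cookie: " + WEAK_HEADER]
    for audit in audit_response_headers(response):
        print(f"cookie {audit.name}:")
        for finding in audit.findings or ["no findings"]:
            print("  -", finding)
    print("hardened:", harden_set_cookie(WEAK_HEADER))
```

Note that Secure only helps when the interface is reachable over HTTPS at all; on a device that also serves plain HTTP, the hardened header must be paired with a redirect to HTTPS, which is the forced encrypted connection the advisory calls for.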

Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial
Security team

-- CVE-2016-8673 --------------------------------------------------------

Summary: Cross-site request forgery for management web interface.

Affected products:
  SIMATIC CP 343-1 Advanced: All versions < V3.0.53
  SIMATIC CP 443-1 Advanced: All versions
  SIMATIC S7-300 CPU family: All firmware versions
  SIMATIC S7-400 CPU family: All firmware versions

Description:

The cross-site request forgery (CSRF) class of attacks exploits the trust
that a logged-in user's browser extends to HTML content from unrelated
origins: unauthorized commands are triggered through HTML links or scripts
that the attacker injects into the browser context.

The web management interface does not use any CSRF protection mechanism.
This omission allows unauthorized POST requests to be issued by any
JavaScript loaded in the user's browser execution context, regardless of
its origin.

Since the affected products accept POST requests to upload Access Control
List (ACL) configuration or to perform customer-specific actions, the lack
of CSRF protection exposes the risk of unauthenticated management actions.
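As an added illustration of what a CSRF protection mechanism for such an interface looks like (example code, not from the advisory or from Siemens firmware), the following combines a synchronizer token bound to the session with an Origin/Referer check before any state-changing POST is honoured. The origin, the session identifier, the secret and the sample requests are assumptions constructed for the example; the "upload_acl" action label is likewise a constructed placeholder, not a real endpoint.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the device is reached at this origin and
# the server keeps one secret key for the lifetime of the process.
ALLOWED_ORIGIN = "https://plc-web.example.internal"
SERVER_SECRET = secrets.token_bytes(32)
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint a token bound to the session: random nonce + HMAC(secret, session:nonce).

    The token is embedded in the management form as a hidden field; a page
    from another origin cannot read it, so it cannot build a valid POST.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(token: str, session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Derive the requesting origin from Origin, falling back to Referer."""
    if "Origin" in headers:
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def authorize_state_change(request: Dict, session_id: str) -> Tuple[bool, str]:
    """Decide whether a request may perform a management action.

    Two independent checks: the browser-supplied origin must match the
    device's own origin, and the form must carry a token valid for this
    session. A request with neither Origin nor Referer is rejected, not trusted.
    """
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    if request_origin(request.get("headers", {})) != ALLOWED_ORIGIN:
        return False, "origin check failed"
    token = request.get("form", {}).get("csrf_token")
    if not token or not token_is_valid(token, session_id):
        return False, "token check failed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: a legitimate form submission from the device's own
    # page, and the same POST issued from a page on another origin.
    session = "sess-0001"
    token = issue_csrf_token(session)
    same_origin = {"method": "POST", "headers": {"Origin": ALLOWED_ORIGIN},
                   "form": {"action": "upload_acl", "csrf_token": token}}
    cross_origin = {"method": "POST", "headers": {"Origin": "https://other.example"},
                    "form": {"action": "upload_acl"}}
    print(authorize_state_change(same_origin, session))   # (True, 'ok')
    print(authorize_state_change(cross_origin, session))  # (False, 'origin check failed')
```

Treating GET as safe only holds if no management action is reachable through GET; an interface that changes state on GET has to apply the token check there as well.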

Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial
Security team

-------------------------------------------------------------------------

--
Andrea Barisani Inverse Path Srl
Chief Security Engineer -----> <--------

<andrea@inversepath.com> http://www.inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"