exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Siemens SIMATIC Cookie Settings / Cross Site Request Forgery

Siemens SIMATIC Cookie Settings / Cross Site Request Forgery
Posted Nov 22, 2016
Authored by Andrea Barisani

Multiple versions of Siemens SIMATIC suffer from a cross site request forgery vulnerability and poor cookie security settings.

tags | advisory, csrf
advisories | CVE-2016-8672
SHA-256 | 26301c53dda7cca8354b059c0a9195478bf2208f7195cb4e264aa05d0d411026

Siemens SIMATIC Cookie Settings / Cross Site Request Forgery

Change Mirror Download

The following vulnerabilities have been reported to Siemens CERT and are now
covered by by Siemens Security Advisory SSA-603476, published today
(2016-11-21) and available at the following URL:

http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476.pdf

-- CVE-016-8672 ---------------------------------------------------------

Summary: Lack of cookie protection for management web interface.

Affected products: SIMATIC CP 343-1 Advanced: All versions < V3.0.53
SIMATIC CP 443-1 Advanced: All versions
SIMATIC S7-300 CPU family: All firmware versions
SIMATIC S7-400 CPU family: All firmware versions

Description:

The session cookie 'siemens_ad_session' is not protected by means of the
Secure or HttpOnly flags.

The Secure flag forces the transmission of a cookie only on HTTPS
connections, its omission results in man-in-the-middle (MITM) attacks being
capable of intercepting the cookie, by forcing its transmission on a plain
HTTP connection triggered for its domain.

The HttpOnly flag prevents client side scripts from accessing a cookie,
mitigating cross-site scripting (XSS) attacks.

The session cookie weaknesses, with particular reference to the lack of the
Secure flag, highlight the need for a forced encrypted connection to the
exposed web interface, in order to mitigate any hijacking of its credentials

Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial
Security team

-- CVE-016-8673 ---------------------------------------------------------

Summary: Cross-site request forgery for management web interface.

Affected products: SIMATIC CP 343-1 Advanced: All versions < V3.0.53
SIMATIC CP 443-1 Advanced: All versions
SIMATIC S7-300 CPU family: All firmware versions
SIMATIC S7-400 CPU family: All firmware versions

Description:

The Cross-site request forgery (CSRF) class of attacks leverages on the trust
that a logged in user gives to HTML content of unrelated origins, by
triggering unauthorized commands via HTML links or scripts injected by the
attacker in the browser context.

The web management interface does not take advantage of any CSRF protection
mechanism. This omission allows unauthorized POST requests to be issued by
any JavaScript loaded in the user browser execution context, regardless of
their origin.

Given the fact that the affected products support POST requests, to upload
Access Control List (ACL) configuration or customer specific actions, the
lack of CSRF protection exposes the risk of unauthenticated management
actions.

Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial
Security team

-------------------------------------------------------------------------

--
Andrea Barisani Inverse Path Srl
Chief Security Engineer -----> <--------

<andrea@inversepath.com> http://www.inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close