The following issue has been reported to Siemens ProductCERT in relation to Siemens Security Advisory SSA-603476, published on 2016-11-21. The issue has been treated with lower priority and treated outside the scope of SSA-603476 due to its lower security impact. As the finding is now addressed [1] the following details are published. ------------------------------------------------------------------------------ Summary: Inconsistency of IKEv1 cipher suite configuration Tested product: Siemens SIMATIC CP 343-1 Advanced (tested with fw V3.0.44) [note: other SIMATIC family products may be affected] Description: In the establishment of IPSec tunnels, the Internet Key Exchange (IKE) protocol allows to setup the Security Association (SA) necessary to exchange encryption cipher information and the session shared secret, with mutual authentication of the two parties. The SIMATIC CP 343-1 Advanced product allows configuration of the IKEv1 cipher suite configuration, which specifies the IKE and Encapsulating Security Payload (ESP) supported algorithms, with one cipher for each setting. It is evaluated that the configuration is not consistent with the supported ciphers that are eventually applied on the IPSec responder of the SIMATIC CP 343-1 Advanced. In fact, regardless of the selected choice for the ESP cipher, it is always possible for the IPSec client to propose, and successfully use, DES, 3DES, AES128 and AES256. This invalidates the potential desire to enforce a stronger cipher, as the client can always decide to use weaker ones. It should be noted that the NULL ESP cipher is also accepted when establishing the SA, however its usage leads to no response packets from the tunnel. It is speculated that the NULL cipher is forcibly disabled with a different code flow than normal unsupported cipher handling. Similarly the IKE cipher suite only supports 3DES (with SHA1 HMAC), regardless of its configuration on the SIMATIC CP 343-1 Advanced. Despite the possibility of IPSec tunnel establishment with cipher suites not compliant with the SIMATIC CP 343-1 Advanced intended configuration, the selection of weaker ciphers can only be driven by a mutually authenticated client, limiting the impact of the issue. It is nonetheless recommended to ensure a strong and correct IPSec client configuration, when leveraging the SIMATIC CP 343-1 Advanced VPN features. CVE: N/A Mitigation: Siemens ProductCERT reported on 2016-01-02 that the issue has been addressed with release of SCT V4.3 HF [1] Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial Security team [1] https://support.industry.siemens.com/cs/ww/en/view/109744041 ------------------------------------------------------------------------------ -- Andrea Barisani Inverse Path Srl Chief Security Engineer -----> <-------- http://www.inversepath.com 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"