Siemens has released firmware updates for some of its SIMATIC communications processors and controllers to address several medium-severity vulnerabilities discovered by researchers from various organizations.
The vendor disclosed the flaws in two advisories published on its website in the past few days. One of the advisories describes a couple of issues affecting SIMATIC S7-300 and S7-400 controllers, and SIMATIC CP 343-1 and CP 443-1 Advanced communication processors. The CP products are used to connect S7 devices to industrial Ethernet systems.
According to Siemens, a vulnerability in the integrated web server of the affected devices (port 80/TCP or port 443/TCP) allows a remote attacker to perform actions with the privileges of an authenticated user. The attack only works if the victim can be convinced to trigger a specially crafted request.
Another vulnerability is related to the web server delivering cookies without the “secure” flag. Browsers are designed to prevent the transmission of a cookie over an unencrypted channel if this flag is set. A similar issue was found recently in SCALANCE M-800 industrial routers and S615 firewalls.
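The browser rule described above, as an added example that is not from the article or from Siemens: a small Python audit of a device's Set-Cookie headers that reports which cookies a browser would still send to the same host's plaintext port-80 web server. The response and cookie names are constructed placeholders, not values from any Siemens product.

```python
"""Audit Set-Cookie headers from a device web server for the Secure flag.

Constructed sample: an HTTPS response head as an industrial web server
listening on both 80/TCP and 443/TCP might return. Cookie names are
placeholders, not the real ones from any Siemens product.
"""

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=abc123; Path=/\r\n"               # no Secure flag
    "Set-Cookie: pref=lang-en; Path=/; Secure; HttpOnly\r\n"   # hardened
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into the cookie name and a set of
    lower-cased attribute names (attribute values are not needed here)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_from_response(raw_head):
    """Return [(name, attrs)] for every Set-Cookie header in a response head."""
    head = raw_head.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        hname, _, hval = line.partition(":")
        if hname.strip().lower() == "set-cookie":
            out.append(parse_set_cookie(hval.strip()))
    return out


def browser_would_send(attrs, scheme):
    """Model the browser rule: a cookie carrying Secure is never sent over
    plain http; everything else is sent regardless of scheme."""
    return not (scheme == "http" and "secure" in attrs)


def find_exposed_cookies(raw_head):
    """Cookies issued over HTTPS that a browser would also send to the same
    host's port-80 server, i.e. the ones lacking the Secure flag."""
    return [name for name, attrs in cookies_from_response(raw_head)
            if browser_would_send(attrs, "http")]
```

Run `find_exposed_cookies(SAMPLE_RESPONSE)` against a captured response head to list the cookies that would cross an unencrypted channel.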
These flaws have been discovered by Inverse Path auditors in collaboration with the Airbus ICT Industrial Security team. Siemens released firmware version 3.0.53 to patch the flaws in CP 343-1 products and provided mitigations for the other affected devices.
The second advisory published by Siemens describes two vulnerabilities affecting SIMATIC CP 1543-1 communications processors, which connect S7-1500 controllers to Ethernet networks. The CP is designed to protect S7-1500 stations against unauthorized access and offers various security functions, including firewalls, VPNs and support for data encryption protocols.
The product has a flaw that allows an attacker with elevated privileges in the TIA Portal on the engineering workstation to obtain privileged access to affected devices. Siemens also warned customers of an issue that can be used to cause a denial-of-service (DoS) condition.
The flaws affect versions of the firmware prior to 2.0.28, which patches the issues. Siemens has credited SOGETI and France’s Agence nationale de la sécurité des systèmes d’information (ANSSI) for reporting these security holes.