Mitigation, Update for PLC Hole

Wednesday, October 10, 2012 @ 06:10 PM gHale

There are now mitigation details available for a cross-site scripting (XSS) vulnerability in the Siemens S7-1200 Web Application Module.

Positive Technologies discovered this remotely exploitable vulnerability and reported it directly to Siemens so the company provided mitigations and a firmware update to fix the hole, according to a report on ICS-CERT.


Exploiting the vulnerability would allow an attacker to partially modify application data and limit the availability of the device. This vulnerability affects the electric, critical manufacturing, chemical, and food and beverage sectors.

Siemens reports that the vulnerability affects the following versions of S7-1200 Programmable Logic Controllers (PLCs):
• V2.x
• V3.0.0
• V3.0.1

An attacker who successfully exploits this vulnerability can run malicious JavaScript code in the browser of a user of the target machine. That code can perform various actions, such as modifying browser content delivered from the PLC, stealing session data, and issuing commands to the PLC's Web server on the user's behalf.

Products in the Siemens SIMATIC S7-1200 PLC family are used for process control in industrial environments such as manufacturing, power generation and distribution, food and beverage, and chemical industries worldwide.

The underlying defect is that the Web application does not filter user input in a way that prevents cross-site scripting. If a user passes specially crafted, malicious input to the S7-1200 Web application via an HTTP request (e.g., by clicking on a malicious URL with embedded JavaScript), the JavaScript code is returned in the response and executed by the user's browser. Running that malicious JavaScript could trigger various actions, including modification of browser content delivered from the PLC, theft of data such as session cookies, and issuing commands to the PLC's Web server in the guise of the user. CVE-2012-3040 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
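The defect class described above is reflected XSS: a request parameter is echoed into an HTML response without output encoding. The following is an added example, not Siemens code or anything from the S7-1200 firmware, using a hypothetical stand-in handler with a constructed `/status?name=` endpoint. It shows the unfiltered rendering beside a hardened version that HTML-escapes the parameter, plus two defender-side checks: one over the rendered response and one over the request URL as it would appear in a Web server access log.

```python
"""
Added example (not Siemens code): a minimal reflected-XSS rendering defect
beside its hardened form. The S7-1200 Web application module is closed
firmware; the handler below is a hypothetical stand-in that reflects a request
parameter into an HTML page, which is the class of defect the advisory describes.
"""
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample request URLs: a benign one and one carrying embedded script.
SAMPLE_BENIGN = "/status?name=Pump%2042"
SAMPLE_HOSTILE = "/status?name=%3Cscript%3Ealert(1)%3C/script%3E"


def param_from_url(url, key, default=""):
    """Extract and URL-decode a single query parameter from a request URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(key, [default])[0]


def render_vulnerable(url):
    """Unfiltered: the decoded parameter is inserted into the HTML verbatim,
    so markup in the request becomes markup in the response."""
    name = param_from_url(url, "name")
    return f"<html><body><h1>Status for {name}</h1></body></html>"


def render_hardened(url):
    """Output encoding: every HTML-significant character in the parameter is
    escaped for the HTML-text context it lands in, so the browser shows it as
    literal text instead of parsing it as tags or script."""
    name = html.escape(param_from_url(url, "name"), quote=True)
    return f"<html><body><h1>Status for {name}</h1></body></html>"


def contains_raw_script(page):
    """Response-side check: does a raw <script ...> tag appear in output that
    was only supposed to carry text? Useful when testing a handler's output."""
    return "<script" in page.lower()


def suspicious_request(url):
    """Request-side heuristic for access-log review: flag requests whose decoded
    query values contain HTML tag delimiters or a javascript: scheme."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for values in qs.values():
        for value in values:
            low = value.lower()
            if "<" in low or ">" in low or "javascript:" in low:
                return True
    return False


if __name__ == "__main__":
    for url in (SAMPLE_BENIGN, SAMPLE_HOSTILE):
        print("request:", url, "| suspicious:", suspicious_request(url))
        print("  vulnerable:", render_vulnerable(url))
        print("  hardened:  ", render_hardened(url))
```

The hardened handler only fixes the HTML-text context; a value inserted into an attribute, a URL, or an inline script block needs the encoding appropriate to that context. The request-side heuristic is deliberately crude and will produce false positives on legitimate values containing angle brackets, so it belongs in log review or alerting, not in a blocking filter.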

Siemens released a security advisory that details this vulnerability. It recommends users obtain the new updated firmware for Versions 3.0.0 and 3.0.1 of the S7-1200 by contacting Technical Support in their region.

Siemens also advises users who are unable to apply this firmware update to use the following mitigations.
• Disable JavaScript within the Web browser used to access the S7-1200 Web server.
• Utilize a modern Web browser with integrated XSS filtering mechanisms.
• Deactivate the S7-1200 Web server wherever possible.

In the updated firmware version (3.0.2), Siemens has also removed the HTTP PUT functionality, because the S7-1200 Web server does not use it.
