16 November 2018
Web vulnerabilities in Siemens SIMATIC operator panels
Serious vulnerabilities have been identified in SIMATIC operator panels manufactured by Siemens. Successful exploitation of these vulnerabilities could allow arbitrary files to be downloaded from the device, or allow URL redirection to untrusted websites.
The vulnerabilities affect all versions of SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel), as well as all versions of the following products prior to v15 Update 4:
- SIMATIC HMI Comfort Panels 4”-22”;
- SIMATIC HMI Comfort Outdoor Panels 7” & 15;
- SIMATIC HMI KTP Mobile Panels (KTP400F, KTP700, KTP700F, KTP900 и KTP900F);
- SIMATIC WinCC Runtime Advanced;
- SIMATIC WinCC Runtime Professional;
- SIMATIC WinCC (TIA Portal).
The most serious of the flaws is a path traversal vulnerability, CVE-2018-13812, which has been assigned a CVSS v.3 base score of 7.5. The vulnerability, which could allow arbitrary files to be downloaded from the device, could be exploited by an attacker with network access to the integrated web server.
The second issue is an open redirect vulnerability, CVE-2018-13813. The webserver of affected HMI devices may allow URL redirections to untrusted websites. To exploit the vulnerability, an attacker must trick a valid user who is authenticated to the device into clicking on a malicious link. A CVSS v.3 base score of 6.5 has been calculated for this vulnerability.
The devices listed above (all versions prior to v14) are also affected by a code injection vulnerability, CVE-2018-13814. The integrated web server (Port 80/TCP and Port 443/TCP) of the affected devices could allow an attacker to inject HTTP headers. To exploit the vulnerability, an attacker must trick a valid user who is authenticated to the device into clicking on a malicious link.
To fix these vulnerabilities, the devices should be updated to the latest version (v15 Update 4 or later). Additionally, to reduce the risk of vulnerability exploitation Siemens recommends restricting network access to the integrated web server and deactivating the web server if it is not required (the web server is disabled by default).