lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20161121170956.GE27255@core.inversepath.com>
Date: Mon, 21 Nov 2016 18:09:56 +0100
From: Andrea Barisani <andrea@...ersepath.com>
To: bugtraq@...urityfocus.com
Subject: Web vulnerabilities in Siemens S7-300/S7-400/CP343-1/CP443-1


The following vulnerabilities have been reported to Siemens CERT and are now
covered by by Siemens Security Advisory SSA-603476, published today
(2016-11-21) and available at the following URL:

http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476.pdf

-- CVE-016-8672 ---------------------------------------------------------

Summary: Lack of cookie protection for management web interface.

Affected products: SIMATIC CP 343-1 Advanced: All versions < V3.0.53
                   SIMATIC CP 443-1 Advanced: All versions
                   SIMATIC S7-300 CPU family: All firmware versions
                   SIMATIC S7-400 CPU family: All firmware versions

Description:

The session cookie 'siemens_ad_session' is not protected by means of the
Secure or HttpOnly flags.

The Secure flag forces the transmission of a cookie only on HTTPS
connections, its omission results in man-in-the-middle (MITM) attacks being
capable of intercepting the cookie, by forcing its transmission on a plain
HTTP connection triggered for its domain.

The HttpOnly flag prevents client side scripts from accessing a cookie,
mitigating cross-site scripting (XSS) attacks.

The session cookie weaknesses, with particular reference to the lack of the
Secure flag, highlight the need for a forced encrypted connection to the
exposed web interface, in order to mitigate any hijacking of its credentials

Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial
        Security team

-- CVE-016-8673 ---------------------------------------------------------

Summary: Cross-site request forgery for management web interface.

Affected products: SIMATIC CP 343-1 Advanced: All versions < V3.0.53
                   SIMATIC CP 443-1 Advanced: All versions
                   SIMATIC S7-300 CPU family: All firmware versions
                   SIMATIC S7-400 CPU family: All firmware versions

Description:

The Cross-site request forgery (CSRF) class of attacks leverages on the trust
that a logged in user gives to HTML content of unrelated origins, by
triggering unauthorized commands via HTML links or scripts injected by the
attacker in the browser context.

The web management interface does not take advantage of any CSRF protection
mechanism. This omission allows unauthorized POST requests to be issued by
any JavaScript loaded in the user browser execution context, regardless of
their origin.

Given the fact that the affected products support POST requests, to upload
Access Control List (ACL) configuration or customer specific actions, the
lack of CSRF protection exposes the risk of unauthenticated management
actions.

Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial
        Security team

-------------------------------------------------------------------------

-- 
Andrea Barisani                             Inverse Path Srl
Chief Security Engineer                     -----> <--------

<andrea@...ersepath.com>          http://www.inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
       "Pluralitas non est ponenda sine necessitate"

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ