ID

VAR-201611-0018


CVE

CVE-2016-8672


TITLE

SIMATIC S7-300/S7-400 CPU family Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: 72bae294-54fe-4905-a053-bff375973da9 // CNVD: CNVD-2016-11664

DESCRIPTION

A vulnerability has been identified in SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.0.53), SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.2.17), SIMATIC S7-300 PN/DP CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP CPU family (incl. SIPLUS variants) (All versions). The integrated web server delivers cookies without the "secure" flag. Modern browsers interpreting the flag would mitigate potential data leakage in case of clear text transmission. plural Siemens SIMATIC Product integration Web The server https Session unspecified Cookie Against secure Because the flag is not set, Cookie There is a vulnerability that will be captured.By a remote attacker, http By intercepting transmissions within a session, Cookie May be captured. SiemensSIMATICS7-300/S7-400CPUfamilies are used to provide discrete and continuous control in industrial environments such as manufacturing, food and beverage, and the global chemical industry. An information disclosure vulnerability exists in the SIMATICS7-300/S7-400CPUfamily. Attackers exploit vulnerabilities to obtain sensitive information. Multiple Siemens Products are prone to a cross-site request-forgery vulnerability and an information-disclosure vulnerability. Other attacks are also possible. Siemens SIMATIC CP 343-1 Advanced and so on are the Ethernet communication modules used by German Siemens to support PROFINET (a new generation of automation bus standard based on industrial Ethernet technology). This vulnerability stems from configuration errors in network systems or products during operation. The following vulnerabilities have been reported to Siemens CERT and are now covered by by Siemens Security Advisory SSA-603476, published today (2016-11-21) and available at the following URL: http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476.pdf -- CVE-016-8672 --------------------------------------------------------- Summary: Lack of cookie protection for management web interface. The HttpOnly flag prevents client side scripts from accessing a cookie, mitigating cross-site scripting (XSS) attacks. The session cookie weaknesses, with particular reference to the lack of the Secure flag, highlight the need for a forced encrypted connection to the exposed web interface, in order to mitigate any hijacking of its credentials Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial Security team -- CVE-016-8673 --------------------------------------------------------- Summary: Cross-site request forgery for management web interface. Affected products: SIMATIC CP 343-1 Advanced: All versions < V3.0.53 SIMATIC CP 443-1 Advanced: All versions SIMATIC S7-300 CPU family: All firmware versions SIMATIC S7-400 CPU family: All firmware versions Description: The Cross-site request forgery (CSRF) class of attacks leverages on the trust that a logged in user gives to HTML content of unrelated origins, by triggering unauthorized commands via HTML links or scripts injected by the attacker in the browser context. The web management interface does not take advantage of any CSRF protection mechanism. This omission allows unauthorized POST requests to be issued by any JavaScript loaded in the user browser execution context, regardless of their origin. Given the fact that the affected products support POST requests, to upload Access Control List (ACL) configuration or customer specific actions, the lack of CSRF protection exposes the risk of unauthenticated management actions. Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial Security team ------------------------------------------------------------------------- -- Andrea Barisani Inverse Path Srl Chief Security Engineer -----> <-------- <andrea@inversepath.com> http://www.inversepath.com 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"

Trust: 2.79

sources: NVD: CVE-2016-8672 // JVNDB: JVNDB-2016-005922 // CNVD: CNVD-2016-11664 // BID: 94460 // IVD: 72bae294-54fe-4905-a053-bff375973da9 // VULHUB: VHN-97492 // PACKETSTORM: 139857

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: 72bae294-54fe-4905-a053-bff375973da9 // CNVD: CNVD-2016-11664

AFFECTED PRODUCTS

vendor:siemensmodel:simatic s7 300 cpuscope:eqversion: -

Trust: 1.6

vendor:siemensmodel:simatic cp 443-1scope:eqversion: -

Trust: 1.6

vendor:siemensmodel:simatic cp 343-1scope:eqversion: -

Trust: 1.6

vendor:siemensmodel:simatic s7 400 cpuscope:eqversion: -

Trust: 1.6

vendor:siemensmodel:simatic cp 343-1scope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic cp 343-1scope:ltversion:3.0.53 (advanced)

Trust: 0.8

vendor:siemensmodel:simatic cp 443-1scope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic cp 443-1scope:eqversion:(advanced)

Trust: 0.8

vendor:siemensmodel:simatic s7-300 cpuscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic s7-300 cpuscope:eqversion: -

Trust: 0.8

vendor:siemensmodel:simatic s7-400 cpuscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic s7-400 cpuscope:eqversion: -

Trust: 0.8

vendor:siemensmodel:simatic s7-300 cpu family allscope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic s7-400 cpu family allscope: - version: -

Trust: 0.6

vendor:siemensmodel:simatic s7-400 cpuscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic s7-300 cpuscope:eqversion:0

Trust: 0.3

vendor:siemensmodel:simatic cp advancedscope:eqversion:443-10

Trust: 0.3

vendor:siemensmodel:simatic cp advancedscope:eqversion:343-10

Trust: 0.3

vendor:siemensmodel:simatic cp advancedscope:neversion:343-13.0.53

Trust: 0.3

vendor:simatic cp 343 1model: - scope:eqversion: -

Trust: 0.2

vendor:simatic s7 300 cpumodel: - scope:eqversion: -

Trust: 0.2

vendor:simatic s7 400 cpumodel: - scope:eqversion: -

Trust: 0.2

vendor:simatic cp 443 1model: - scope:eqversion: -

Trust: 0.2

sources: IVD: 72bae294-54fe-4905-a053-bff375973da9 // CNVD: CNVD-2016-11664 // BID: 94460 // JVNDB: JVNDB-2016-005922 // CNNVD: CNNVD-201611-530 // NVD: CVE-2016-8672

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-8672
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-8672
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-11664
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201611-530
value: MEDIUM

Trust: 0.6

IVD: 72bae294-54fe-4905-a053-bff375973da9
value: MEDIUM

Trust: 0.2

VULHUB: VHN-97492
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-8672
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-11664
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 72bae294-54fe-4905-a053-bff375973da9
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-97492
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-8672
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: IVD: 72bae294-54fe-4905-a053-bff375973da9 // CNVD: CNVD-2016-11664 // VULHUB: VHN-97492 // JVNDB: JVNDB-2016-005922 // CNNVD: CNNVD-201611-530 // NVD: CVE-2016-8672

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-97492 // JVNDB: JVNDB-2016-005922 // NVD: CVE-2016-8672

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201611-530

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201611-530

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005922

PATCH

title:SSA-603476url:http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476.pdf

Trust: 0.8

title:Patch for SIMATICS7-300/S7-400CPUfamily Information Disclosure Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/84737

Trust: 0.6

title:Multiple Siemens Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65865

Trust: 0.6

sources: CNVD: CNVD-2016-11664 // JVNDB: JVNDB-2016-005922 // CNNVD: CNNVD-201611-530

EXTERNAL IDS

db:NVDid:CVE-2016-8672

Trust: 3.7

db:SIEMENSid:SSA-603476

Trust: 2.7

db:ICS CERTid:ICSA-16-327-02

Trust: 1.7

db:CNNVDid:CNNVD-201611-530

Trust: 0.9

db:BIDid:94460

Trust: 0.9

db:CNVDid:CNVD-2016-11664

Trust: 0.8

db:JVNDBid:JVNDB-2016-005922

Trust: 0.8

db:IVDid:72BAE294-54FE-4905-A053-BFF375973DA9

Trust: 0.2

db:PACKETSTORMid:139857

Trust: 0.2

db:VULHUBid:VHN-97492

Trust: 0.1

sources: IVD: 72bae294-54fe-4905-a053-bff375973da9 // CNVD: CNVD-2016-11664 // VULHUB: VHN-97492 // BID: 94460 // JVNDB: JVNDB-2016-005922 // PACKETSTORM: 139857 // CNNVD: CNNVD-201611-530 // NVD: CVE-2016-8672

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-603476.pdf

Trust: 1.7

url:https://ics-cert.us-cert.gov/advisories/icsa-16-327-02

Trust: 1.1

url:http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476.pdf

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8672

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8672

Trust: 0.8

url:https://www.us-cert.gov/ics/advisories/icsa-16-327-02

Trust: 0.6

url:http://www.siemens.com/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-8672

Trust: 0.1

url:http://www.inversepath.com

Trust: 0.1

sources: CNVD: CNVD-2016-11664 // VULHUB: VHN-97492 // BID: 94460 // JVNDB: JVNDB-2016-005922 // PACKETSTORM: 139857 // CNNVD: CNNVD-201611-530 // NVD: CVE-2016-8672

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 94460

SOURCES

db:IVDid:72bae294-54fe-4905-a053-bff375973da9
db:CNVDid:CNVD-2016-11664
db:VULHUBid:VHN-97492
db:BIDid:94460
db:JVNDBid:JVNDB-2016-005922
db:PACKETSTORMid:139857
db:CNNVDid:CNNVD-201611-530
db:NVDid:CVE-2016-8672

LAST UPDATE DATE

2024-08-14T14:20:43.061000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2016-11664date:2016-11-30T00:00:00
db:VULHUBid:VHN-97492date:2019-12-12T00:00:00
db:BIDid:94460date:2016-11-24T00:16:00
db:JVNDBid:JVNDB-2016-005922date:2016-11-24T00:00:00
db:CNNVDid:CNNVD-201611-530date:2019-12-27T00:00:00
db:NVDid:CVE-2016-8672date:2019-12-12T19:15:12.420

SOURCES RELEASE DATE

db:IVDid:72bae294-54fe-4905-a053-bff375973da9date:2016-11-30T00:00:00
db:CNVDid:CNVD-2016-11664date:2016-11-30T00:00:00
db:VULHUBid:VHN-97492date:2016-11-23T00:00:00
db:BIDid:94460date:2016-11-21T00:00:00
db:JVNDBid:JVNDB-2016-005922date:2016-11-24T00:00:00
db:PACKETSTORMid:139857date:2016-11-22T23:16:23
db:CNNVDid:CNNVD-201611-530date:2016-11-24T00:00:00
db:NVDid:CVE-2016-8672date:2016-11-23T11:59:00.153