OTPulse

Siemens SIMATIC S7-1200 CPU Family Version 4

Plan: Patch · CVSS 7.5 · ICS-CERT ICSA-18-282-04 · Oct 9, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

SIMATIC S7-1200 CPU family versions before 4.2.3 are vulnerable to cross-site request forgery (CSRF) attacks through the PLC's web interface. An attacker can craft a malicious website that, when visited by an authenticated PLC user, exploits the lack of CSRF token protection to perform unauthorized actions on the PLC such as modifying configuration settings or accessing sensitive data. The vulnerability requires the user to click a malicious link while authenticated to the PLC web interface. High skill level is needed to exploit this vulnerability. Siemens recommends updating to firmware version 4.2.3 or later, and advises users to avoid visiting other websites while authenticated to the PLC interface. Network isolation and firewall controls are recommended as defense-in-depth measures.

What this means
What could happen
An attacker with network access to the PLC web interface could steal sensitive configuration or authentication data, or alter PLC settings to disrupt operations. The vulnerability requires convincing a legitimate user to click a malicious link while authenticated.
Who's at risk
Water utilities, electric utilities, and manufacturing facilities using SIMATIC S7-1200 PLCs for process control should be concerned. This affects any PLC running a firmware version before 4.2.3 whose web interface is reachable from engineering workstations or management networks.
How it could be exploited
An attacker crafts a malicious website and sends a link to a PLC operator or engineer who is actively authenticated to the S7-1200 web interface. When the user clicks the link and visits the attacker's site, the attacker's page causes the victim's browser to issue requests to the PLC web interface, and the browser automatically attaches the victim's active PLC session credentials. Because the interface does not require a CSRF token, the PLC accepts these forged requests, allowing the attacker to make unauthorized changes to the PLC configuration or read sensitive data.
Prerequisites
  • Network access to the PLC web interface port (HTTP/HTTPS)
  • An authorized user must be actively authenticated to the PLC web interface
  • The user must click on an attacker-supplied link while the authenticated session is active
  • User must visit the attacker's malicious website
Tags: remotely exploitable · requires user interaction · CSRF vulnerability · affects industrial process control · high complexity attack
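As an added illustration (not code from Siemens, ICS-CERT or OTPulse), the pattern behind this advisory: a request handler that trusts the session cookie alone, beside one that also requires a per-session anti-CSRF token and a matching Origin header. The hostnames, form fields and settings are constructed for the example; the session is assumed to have already been resolved from the cookie.

```python
import secrets

PLC_ORIGIN = "https://plc-01.control.example"   # constructed hostname of the PLC web interface

class Session:
    """Authenticated session, as resolved from the browser's session cookie."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)  # per-session secret the attacker cannot read
        self.settings = {"ip": "192.0.2.10"}     # constructed PLC setting (documentation range)

def apply_settings(session, form):
    session.settings.update({k: v for k, v in form.items() if k != "csrf_token"})

def handle_unprotected(session, request):
    """Vulnerable pattern: any request carrying a valid session cookie is
    accepted, no matter which page caused the browser to send it."""
    if session is None:
        return 401
    apply_settings(session, request["form"])
    return 200

def handle_protected(session, request):
    """Hardened pattern: the state-changing request must carry the session's
    anti-CSRF token and a browser-set Origin header naming the PLC itself."""
    if session is None:
        return 401
    if request["headers"].get("Origin") != PLC_ORIGIN:
        return 403   # request was launched from another site
    supplied = request["form"].get("csrf_token", "")
    if not secrets.compare_digest(supplied, session.csrf_token):
        return 403   # a cross-site page cannot obtain the token
    apply_settings(session, request["form"])
    return 200

def simulate(handler):
    """Send one request from the PLC's own page, then one forged from another
    origin. Returns (legit_status, forged_status, settings_afterwards)."""
    sess = Session()
    legit = {"headers": {"Origin": PLC_ORIGIN},
             "form": {"ip": "192.0.2.20", "csrf_token": sess.csrf_token}}
    # Forged request: the browser still attaches the session cookie, but the
    # attacker's page can neither read the token nor spoof the Origin header.
    forged = {"headers": {"Origin": "https://attacker.example"},
              "form": {"ip": "198.51.100.99"}}
    return handler(sess, legit), handler(sess, forged), dict(sess.settings)
```

Note that the Origin check alone is not sufficient on its own: some clients omit or null the header, so the token check is the primary control and Origin is defense in depth.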
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
SIMATIC S7-1200 CPU family | < V4.2.3 | v4.2.3
Remediation & Mitigation
Do now
WORKAROUND: Instruct users not to visit untrusted websites while authenticated to the PLC interface; implement a policy against accessing external websites during PLC engineering sessions
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC S7-1200 CPU firmware to version 4.2.3 or later
Long-term hardening
HARDENING: Restrict network access to the PLC web interface using firewall rules; only allow authenticated engineering workstations and management systems
HARDENING: Isolate S7-1200 PLCs from the business network; place them on a dedicated control network segment
HARDENING: Disable unnecessary remote access services; use VPN with multi-factor authentication for any required remote engineering sessions
Siemens SIMATIC S7-1200 CPU Family Version 4 | CVSS 7.5 - OTPulse