OTPulse

Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal)

Monitor | 4.3 | ICS-CERT ICSA-18-317-03 | Nov 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

CWE-113 (Improper Neutralization of HTTP Response Splitting) in Siemens SIMATIC HMI panels and WinCC. An attacker can inject arbitrary HTTP headers via a malicious request to the web server, which could result in cache poisoning, session fixation, or malware injection to operators using the affected HMI devices. Affects SIMATIC HMI Comfort Panels, HMI Outdoor Panels, HMI KTP Mobile Panels, HMI Classic Devices, WinCC Runtime Advanced, WinCC Runtime Professional, and WinCC (TIA Portal).

What this means
What could happen
An attacker could inject malicious content into HTTP responses from the HMI web server, potentially poisoning operator sessions or redirecting plant personnel to phishing pages. This could compromise operator decisions or lead to unauthorized process modifications.
Who's at risk
Manufacturing facilities using Siemens SIMATIC HMI panels for process monitoring and control, including operators who view the HMI web interface. Affected devices include Comfort Panels (4–22"), Outdoor Panels (7–15"), KTP Mobile Panels, and WinCC engineering/runtime installations. Any HMI operator station or remote interface in a manufacturing environment is potentially impacted.
How it could be exploited
An attacker with network access to the HMI device's web server (typically TCP 80 or 443) sends a specially crafted HTTP request containing newline characters and arbitrary headers. The vulnerable web server fails to sanitize the input and reflects it in the HTTP response, allowing the attacker to inject cache-poisoning headers or malicious content that the operator's browser executes.
Prerequisites
  • Network access to the HMI web server port (port 80 or 443 by default)
  • The HMI device must have the web server enabled
  • The operator must interact with the affected web interface (user-initiated interaction required)
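The mechanism described above, CR/LF characters reflected from a request into response headers, is a defender-side problem on two fronts: the server must refuse to emit such values, and an unpatched device's traffic should be watched for attempts. The following is an added example written for this page; it is not code from the advisory, from Siemens, or from the HMI web server. It assumes an access log in Common Log Format, and every log line, IP address and path in it is a constructed sample, not a real SIMATIC path or request.

```python
"""
Added example (not part of the advisory): a hardened header-value check
for HTTP response splitting (CWE-113) and a detection pass over access
logs. All log lines, addresses and paths below are constructed samples.
"""
import re
from urllib.parse import unquote

# Raw CR or LF must never appear inside an HTTP header value.
_CRLF_RE = re.compile(r"[\r\n]")
# Percent-encoded CR / LF as it appears in a logged request target.
_ENCODED_CRLF_RE = re.compile(r"%0[dD]|%0[aA]")


class HeaderInjectionError(ValueError):
    """Raised when a value would split the HTTP response."""


def is_safe_header_value(value: str) -> bool:
    """True when the value can be placed in a header without splitting."""
    return _CRLF_RE.search(value) is None


def safe_header_value(value: str) -> str:
    """Validate rather than strip: a rejected value is also a log event."""
    if not is_safe_header_value(value):
        raise HeaderInjectionError("CR/LF in header value")
    return value


def build_language_redirect(lang: str) -> bytes:
    """Hardened handler shape: the user-controlled 'lang' value is validated
    before it is written into a Set-Cookie header. A vulnerable server would
    concatenate it directly, letting an embedded CRLF start a second
    response (hypothetical handler, not the HMI web server's code)."""
    cookie = safe_header_value(f"lang={lang}")
    return (
        b"HTTP/1.1 302 Found\r\nLocation: /start.html\r\n"
        + f"Set-Cookie: {cookie}\r\n".encode("latin-1")
        + b"\r\n"
    )


def request_has_crlf(request_target: str) -> bool:
    """True if the request target carries CR/LF raw, percent-encoded, or
    double-encoded (e.g. %250d, which one decode pass turns into %0d)."""
    if _ENCODED_CRLF_RE.search(request_target):
        return True
    decoded = unquote(request_target)
    return bool(_CRLF_RE.search(decoded)) or bool(_ENCODED_CRLF_RE.search(decoded))


# Common Log Format: host ident authuser [date] "METHOD target PROTO" status bytes
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def scan_access_log(lines):
    """Return (client_ip, request_target) for each request carrying CR/LF."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        ip, _method, target, _status = m.groups()
        if request_has_crlf(target):
            hits.append((ip, target))
    return hits


# Constructed sample log: two benign requests and two probes from one host.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2018:10:01:12 +0000] "GET /start.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [13/Nov/2018:10:01:15 +0000] "GET /start.html?lang=en HTTP/1.1" 200 4096',
    '198.51.100.7 - - [13/Nov/2018:10:02:01 +0000] "GET /start.html?lang=en%0d%0aX-Injected:%201 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [13/Nov/2018:10:02:05 +0000] "GET /start.html?lang=en%250d%250aX-Injected:%201 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"possible response-splitting probe from {ip}: {target}")
```

Validation, not stripping, is the deliberate choice in `safe_header_value`: silently removing CR/LF hides the attempt, whereas a raised error gives the device (or a reverse proxy in front of an end-of-life panel) something to log and alert on. The scanner decodes once and rechecks so that double-encoded probes against a server that decodes twice are still surfaced.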
  • Remotely exploitable
  • Low attack complexity
  • User interaction required (operator clicks/accesses interface)
  • No authentication required
  • Affects HMI/operator interface (impacts situational awareness)
  • No patch available for Classic Devices
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (7)
5 with fix · 1 pending · 1 EOL
Product | Affected Versions | Fix Status
SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F: All | <V14 | No fix yet
SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants): All | <V14 | v15 Update 4 or newer
SIMATIC WinCC Runtime Advanced: All | <V14 | v15 Update 4
SIMATIC WinCC Runtime Professional: All | <V14 | v15 Update 4
SIMATIC WinCC (TIA Portal): All | <V14 | v15 Update 4
SIMATIC HMI Classic Devices - TP/MP/OP/MP Mobile Panel (incl. SIPLUS variants): All versions | All versions | No fix (EOL)
SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants): All | <V14 | v15 Update 4
Remediation & Mitigation
Do now
[WORKAROUND] For SIMATIC HMI Classic Devices: Disable the web server if it is not required for operations
[WORKAROUND] For SIMATIC HMI Classic Devices: Restrict network access to the integrated web server using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC (TIA Portal): All
[HOTFIX] Update SIMATIC WinCC (TIA Portal) to version 15 Update 4 or newer
All products
[HOTFIX] Update SIMATIC HMI Comfort Panels to version 15 Update 4 or newer
[HOTFIX] Update SIMATIC HMI Comfort Outdoor Panels to version 15 Update 4 or newer
[HOTFIX] Update SIMATIC HMI KTP Mobile Panels (KTP400F, KTP700, KTP700F, KTP900, KTP900F) to version 15 Update 4 or newer
[HOTFIX] Update SIMATIC WinCC Runtime Advanced to version 15 Update 4 or newer
[HOTFIX] Update SIMATIC WinCC Runtime Professional to version 15 Update 4 or newer
Mitigations - no patch available
SIMATIC HMI Classic Devices - TP/MP/OP/MP Mobile Panel (incl. SIPLUS variants): All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
[HARDENING] Implement network segmentation to isolate HMI devices from the business network and Internet
[HARDENING] Minimize network exposure for HMI devices; ensure they are not directly accessible from the Internet
[HARDENING] Use VPN for remote access to HMI devices when necessary