ICSA-19-043-06 Siemens CP1604 and CP1616 (Update A)
Priority: Act Now
CVSS score: 9.1
Source: ICS-CERT ICSA-19-043-06
Date: Jan 8, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens CP 1604 and CP 1616 communication processors contain critical vulnerabilities in the integrated web server that allow remote code execution without authentication. The issues involve cleartext transmission of sensitive data (CWE-319), cross-site scripting (CWE-79), and cross-site request forgery (CWE-352). The web server is disabled by default, but if enabled for remote management, an attacker on the network can send malicious HTTP requests or trick operators into clicking crafted links to execute code on the device. Fixes are available in version 2.8 and interim updates for versions 2.5, 2.6, and 2.7.
What this means
What could happen
An attacker with network access could execute code on the CP 1604 or CP 1616 communication processor, potentially altering industrial process logic, interrupting communications between control devices, or extracting sensitive configuration data. This could disrupt operation of the production systems these modules control.
Who's at risk
Facilities running Siemens CP 1604 or CP 1616 communication processors in manufacturing, water treatment, power distribution, and other industrial automation environments should assess these devices. The CP modules are used to connect and relay data between programmable logic controllers (PLCs) and other control devices, making them critical to plant operations.
How it could be exploited
An attacker sends a specially crafted HTTP request to the integrated web server on port 80/TCP of the communication processor, or crafts a malicious link that tricks an operator into clicking it. The vulnerability allows code execution without authentication, giving the attacker the ability to run arbitrary commands with the privileges of the web server process.
Prerequisites
- Network access to the communication processor on port 80/TCP (HTTP) or port 23/TCP (telnet)
- Integrated web server must be enabled (disabled by default)
- No credentials required for exploitation
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS score (9.1)
- Affects industrial communication and control systems
- Web server not enabled by default limits exposure
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
2 with fix available

Product | Affected Versions | Fix Status
CP 1604 | All versions | 2.8; follow recommendations from Section Workarounds and Mitigations
CP 1616 | All versions | 2.8; follow recommendations from Section Workarounds and Mitigations
Remediation & Mitigation
Do now
- WORKAROUND: Disable the integrated web server if not in use (this is the default setting)
- HARDENING: Restrict network access to the communication processor to trusted IP addresses only, using firewall rules on port 80/TCP and 23/TCP
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX (CP 1604): Update CP 1604 to firmware version 2.8 or later, or apply interim fix versions 2.5.2.7, 2.6.2.2, or 2.7.2.1
- HOTFIX (CP 1616): Update CP 1616 to firmware version 2.8 or later, or apply interim fix versions 2.5.2.7, 2.6.2.2, or 2.7.2.1
Long-term hardening
- HARDENING: Place the communication processor on an isolated internal network or VPN, restricting access from the Internet and business network
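The remediation list above mixes a general fix (2.8 or later) with three interim fixes that sit on older release branches, which makes a plain "version >= 2.8" check wrong for a CP module kept on 2.5, 2.6 or 2.7. The script below is an added example, not part of the advisory or of any Siemens tooling: it parses the dotted firmware versions as they appear on this page, decides per device whether the fix is present, and sorts unfixed devices by whether the integrated web server is enabled (the "Do now" exposure) or not. It assumes that any version at or above an interim fix within the same branch also carries the fix, and the inventory records are constructed sample data.

```python
"""Triage CP 1604 / CP 1616 firmware versions against ICSA-19-043-06.

Added example (not from the advisory). Assumptions: dotted numeric firmware
versions as shown on the page (2.8, 2.5.2.7, ...); within a 2.5/2.6/2.7
branch, the interim fix version or any later version on that branch is fixed.
"""
from typing import Dict, Iterable, Tuple

AFFECTED_PRODUCTS = {"CP 1604", "CP 1616"}

# Fix versions taken from the advisory text.
GENERAL_FIX = (2, 8)
INTERIM_FIXES = {
    (2, 5): (2, 5, 2, 7),
    (2, 6): (2, 6, 2, 2),
    (2, 7): (2, 7, 2, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.2.7' into (2, 5, 2, 7); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version: str) -> bool:
    """True if the firmware carries the ICSA-19-043-06 fix."""
    v = parse_version(version)
    # Tuples compare lexicographically, so (2, 8, 1) >= (2, 8) and
    # (2, 7, 2, 1) < (2, 8): 2.8 or anything later is fixed outright.
    if v >= GENERAL_FIX:
        return True
    # Older branch: fixed only if at/above that branch's interim fix
    # (assumption stated in the lead-in). Branches with no interim fix,
    # e.g. 2.4, are unfixed.
    interim = INTERIM_FIXES.get(v[:2])
    return interim is not None and v >= interim


def triage(device: Dict) -> str:
    """Classify one inventory record.

    'vulnerable-exposed' means unfixed with the web server enabled (the
    attack surface the advisory describes); 'vulnerable-latent' means
    unfixed but web server disabled, so exposure is limited until it is
    switched on.
    """
    if device["product"] not in AFFECTED_PRODUCTS:
        return "not-affected"
    if is_fixed(device["firmware"]):
        return "fixed"
    return "vulnerable-exposed" if device["web_server"] else "vulnerable-latent"


def report(inventory: Iterable[Dict]) -> Dict[str, str]:
    """Map device name -> triage status for a whole inventory."""
    return {d["name"]: triage(d) for d in inventory}


# Constructed sample inventory; names and states are made up for the example.
SAMPLE_INVENTORY = [
    {"name": "cp1616-line1", "product": "CP 1616", "firmware": "2.5.2.7", "web_server": False},
    {"name": "cp1604-line2", "product": "CP 1604", "firmware": "2.7.2.0", "web_server": True},
    {"name": "cp1616-pump",  "product": "CP 1616", "firmware": "2.4.1.0", "web_server": False},
    {"name": "cp1604-new",   "product": "CP 1604", "firmware": "2.8",     "web_server": False},
]

if __name__ == "__main__":
    for name, status in report(SAMPLE_INVENTORY).items():
        print(f"{name:14} {status}")
```

Devices reported as "vulnerable-exposed" map to the "Do now" items (disable the web server, restrict ports 80/TCP and 23/TCP to trusted addresses) until the firmware update can be scheduled; "vulnerable-latent" devices still need the update in the next maintenance window.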