ICSA-19-043-06 Siemens CP1604 and CP1616 (Update A)

Plan PatchCVSS 9.1ICS-CERT ICSA-19-043-06Jan 8, 2019

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens CP 1604 and CP 1616 communication processors contain critical vulnerabilities in the integrated web server that allow remote code execution without authentication. The issues involve cleartext transmission of sensitive data (CWE-319), cross-site scripting (CWE-79), and cross-site request forgery (CWE-352). The web server is disabled by default, but if enabled for remote management, an attacker on the network can send malicious HTTP requests or trick operators into clicking crafted links to execute code on the device. Fixes are available in version 2.8 and interim updates for versions 2.5, 2.6, and 2.7.

What this means

What could happen

An attacker with network access could execute code on the CP 1604 or CP 1616 communication processor, potentially altering industrial process logic, interrupting communications between control devices, or extracting sensitive configuration data. This could disrupt operation of the production systems these modules control.

Who's at risk

Facilities running Siemens CP 1604 or CP 1616 communication processors in manufacturing, water treatment, power distribution, and other industrial automation environments should assess these devices. The CP modules are used to connect and relay data between programmable logic controllers (PLCs) and other control devices, making them critical to plant operations.

How it could be exploited

An attacker sends a specially crafted HTTP request to the integrated web server on port 80/TCP of the communication processor, or crafts a malicious link that tricks an operator into clicking it. The vulnerability allows code execution without authentication, giving the attacker the ability to run arbitrary commands with the privileges of the web server process.

Prerequisites

Network access to the communication processor on port 80/TCP (HTTP) or port 23/TCP (telnet)
Integrated web server must be enabled (disabled by default)
No credentials required for exploitation

Remotely exploitableNo authentication requiredLow complexity attackHigh CVSS score (9.1)Affects industrial communication and control systemsWeb server not enabled by default limits exposure

Exploitability

Unlikely to be exploited — EPSS score 0.6%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

CP 1604All versions2.8 and follow recommendations from Section Workarounds and Mitigations

CP 1616All versions2.8 and follow recommendations from Section Workarounds and Mitigations

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDDisable the integrated web server if not in use (this is the default setting)

HARDENINGRestrict network access to the communication processor to trusted IP addresses only, using firewall rules on port 80/TCP and 23/TCP

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

CP 1604

HOTFIXUpdate CP 1604 to firmware version 2.8 or later, or apply interim fix versions 2.5.2.7, 2.6.2.2, or 2.7.2.1

CP 1616

HOTFIXUpdate CP 1616 to firmware version 2.8 or later, or apply interim fix versions 2.5.2.7, 2.6.2.2, or 2.7.2.1

Long-term hardening

0/1

HARDENINGPlace the communication processor on an isolated internal network or VPN, restricting access from the Internet and business network

CVEs (3)

CVE-2018-13808 CVE-2018-13809 CVE-2018-13810

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/aaa24379-d5dc-44df-a6f4-650456fa8052

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.