OTPulse

Missing CSRF Protection in the Web Server Login Page of Industrial Controllers

Monitor · CVSS 6.5 · SSA-478960 · Nov 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

The web server login page in affected Siemens SIMATIC controllers lacks proper Cross-Site Request Forgery (CSRF) protection. An authenticated attacker could exploit this by crafting a malicious webpage that, when visited by a logged-in engineer, sends forged requests to the controller to determine whether the user is still authenticated. This allows tracking of engineering access patterns. The vulnerability requires the victim to already be logged in and to visit a site controlled by the attacker; it does not permit unauthorized login, credential theft, or direct alteration of controller logic or process parameters. Affected products include SIMATIC S7-300, S7-400, S7-1200 and S7-1500 CPUs, the ET 200 series, Drive Controllers, and WinCC Runtime Advanced software.

What this means
What could happen
An authenticated attacker could trick a logged-in engineer or operator into visiting a malicious website, which would allow the attacker to detect when that user is logged in and potentially infer information about plant operations. However, the attacker cannot directly alter controller settings or stop operations through this vulnerability alone.
Who's at risk
Siemens SIMATIC industrial control systems used in manufacturing and transportation. This includes PLC families (S7-300, S7-400, S7-1200, S7-1500), distributed I/O modules (ET 200 series), drive controllers, and HMI/runtime software. Primarily affects facilities where engineers and operators use web browsers to access and configure PLCs.
How it could be exploited
An attacker creates a malicious webpage and tricks an engineer into visiting it (via phishing email or social engineering). While the engineer is logged into a vulnerable Siemens PLC web interface, the malicious page sends forged requests to the controller to probe whether the user is still authenticated, allowing the attacker to track when engineers access the system.
Prerequisites
  • Engineering workstation or HMI with web browser access to controller port 80 or 443
  • Victim must already be logged into the controller's web interface in another browser tab
  • Victim must visit attacker-controlled website while logged in
  • Remotely exploitable
  • Requires user interaction (victim must visit malicious site)
  • Low complexity exploitation
  • Affects information disclosure only (not direct process control)
  • Many products have no fix available
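The probe described under "How it could be exploited" works because the controller answers a cross-site request exactly as it answers one from the engineer's own tab. The following is an added illustration of the missing control, written for this page; it is generic example code, not Siemens firmware and not OTPulse's code. The endpoint path, the session store, the controller address and the header handling are assumptions for the demo. It shows a login-status handler without CSRF protection beside a hardened version that checks browser-supplied provenance (Sec-Fetch-Site, then Origin/Referer) and issues the session cookie with SameSite=Strict, so a forged request from another site receives one fixed answer whether or not a session exists.

```python
"""Added illustration (not Siemens firmware, not OTPulse code) of the control the
advisory says is missing: a login-status endpoint with and without CSRF
protection. The endpoint path, header handling and session store are
assumptions for the demo."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed address of the controller's web server
SELF_ORIGIN = "https://plc.example.internal"

# Constructed session store: cookie value -> logged-in user
SESSIONS: Dict[str, str] = {"s3ss10n-engineer": "engineer"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def session_user(req: Request) -> Optional[str]:
    return SESSIONS.get(req.cookies.get("sid", ""))


def status_vulnerable(req: Request) -> Tuple[int, str]:
    """No CSRF protection: the server trusts the browser-attached cookie and
    never asks where the request came from, so a page on any site can learn
    from the status code whether the engineer's session is still alive."""
    user = session_user(req)
    if user is None:
        return 401, "not logged in"
    return 200, f"logged in as {user}"


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_same_origin(req: Request) -> bool:
    """Browser-supplied provenance check. Sec-Fetch-Site is authoritative when
    present ("none" = user-typed URL or bookmark); otherwise fall back to the
    Origin header, then Referer. With no provenance at all, fail closed."""
    fetch_site = req.header("Sec-Fetch-Site")
    if fetch_site is not None:
        return fetch_site in ("same-origin", "none")
    source = req.header("Origin") or req.header("Referer")
    if source is None:
        return False
    return origin_of(source) == origin_of(SELF_ORIGIN)


def status_hardened(req: Request) -> Tuple[int, str]:
    """Rejects cross-site requests with one fixed answer regardless of session
    state, so a forged request cannot distinguish logged-in from logged-out."""
    if not is_same_origin(req):
        return 403, "cross-site request rejected"
    return status_vulnerable(req)  # the cookie check itself was fine


def login_set_cookie(sid: str) -> str:
    """Second layer: SameSite=Strict stops the browser attaching the session
    cookie to any cross-site request, so a probe arrives without a session."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def forged_probe(with_session: bool = True) -> Request:
    """Constructed request as a browser would send it from attacker.example
    while the engineer has the controller open in another tab."""
    cookies = {"sid": "s3ss10n-engineer"} if with_session else {}
    return Request("GET", "/login",
                   headers={"Origin": "https://attacker.example",
                            "Sec-Fetch-Site": "cross-site"},
                   cookies=cookies)


def legit_request() -> Request:
    """Constructed request from the engineer's own tab on the controller."""
    return Request("GET", "/login",
                   headers={"Sec-Fetch-Site": "same-origin"},
                   cookies={"sid": "s3ss10n-engineer"})


if __name__ == "__main__":
    print("vulnerable, forged probe:", status_vulnerable(forged_probe()))
    print("hardened,   forged probe:", status_hardened(forged_probe()))
    print("hardened,   same origin :", status_hardened(legit_request()))
```

Note the design choice in `is_same_origin`: a request carrying no provenance header at all is refused. That blocks non-browser clients that send neither Origin nor Referer, which is the safe default for a login page but would need an explicit allow path (a token or API key) if engineering tooling drives the controller's web interface without a browser. On the affected products the reader cannot change the firmware; the example only makes concrete what a fixed version has to do and why the network restriction in the remediation section is the interim substitute.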
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (121)
99 with fix, 22 pending

Product | Affected Versions | Fix Status
SIMATIC Drive Controller CPU 1504D TF | < V2.9.7 | 2.9.7
SIMATIC Drive Controller CPU 1507D TF | < V2.9.7 | 2.9.7
SIMATIC ET 200pro IM154-8 PN/DP CPU | < V3.2.19 | 3.2.19
SIMATIC ET 200pro IM154-8F PN/DP CPU | < V3.2.19 | 3.2.19
SIMATIC ET 200pro IM154-8FX PN/DP CPU | < V3.2.19 | 3.2.19
Remediation & Mitigation (17 items)

Do now (3 items)
SIMATIC PC Station
WORKAROUND: For SIMATIC PC Station with no fix available, restrict web server access to the PLC to trusted engineering networks only, using firewall rules on ports 80/443.
All products
WORKAROUND: For S7-1500 CPU variants with no fix available (1510SP F-1 PN, 1510SP-1 PN, 1511-1 PN, 1511F-1 PN, 1512SP F-1 PN, 1512SP-1 PN, 1513-1 PN, 1513F-1 PN, 1515-2 PN, 1515F-2 PN, 1516-3 PN/DP, 1516F-3 PN/DP), restrict web server access to the PLC to trusted engineering networks only, using firewall rules on ports 80/443.
WORKAROUND: For S7-400 PN/DP V6 and V7 CPU families with no fix available, restrict web server access to the PLC to trusted engineering networks only, using firewall rules on ports 80/443.
Schedule — requires maintenance window (12 items)

Patching may require device reboot — plan for process interruption

SIMATIC S7-300 CPU 314C-2 PN/DP
HOTFIX: Update SIMATIC S7-300 CPU 314C-2 PN/DP to version 3.3.19 or later.
SIMATIC ET 200pro IM154-8 PN/DP CPU
HOTFIX: Update SIMATIC ET 200pro IM154-8 PN/DP CPU, IM154-8F PN/DP CPU, IM154-8FX PN/DP CPU and SIMATIC ET 200S IM151-8 PN/DP CPU, IM151-8F PN/DP CPU to version 3.2.19 or later.
SIMATIC Drive Controller CPU 1504D TF
HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF and 1507D TF to version 2.9.7 or later.
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 5.0 or later.
SIMATIC WinCC Runtime Advanced
HOTFIX: Update SIMATIC WinCC Runtime Advanced to version 17 Update 5 or later.
SINUMERIK ONE
HOTFIX: Update SINUMERIK ONE to version 6.22 or later.
All products
HOTFIX: Update SIMATIC S7-1200 CPU family to version 4.6.0 or later.
HOTFIX: Update SIMATIC S7-300 CPU 315-2, 315F-2, 315T-3, 317-2, 317F-2, 317T-3, 317TF-3, 319-3, and 319F-3 PN/DP to version 3.2.19 or later.
HOTFIX: Update SIMATIC S7-1500 CPU variants (1510SP F-1, 1510SP-1, 1511-1, 1511C-1, 1511F-1, 1511T-1, 1511TF-1, 1512C-1, 1512SP-1, 1513-1, 1513F-1, 1513R-1) to version 2.9.7 or later.
HOTFIX: Update SIMATIC S7-1500 CPU variants (1515-2, 1515F-2, 1515R-2, 1515T-2, 1515TF-2, 1516-3, 1516F-3) to version 2.9.7 or later.
HOTFIX: Update SIMATIC S7-1500 CPU variants (1516T-3, 1516TF-3, 1517-3, 1517F-3, 1517H-3, 1517T-3, 1517TF-3, 1518-4, 1518F-4, 1518HF-4, 1518T-4, 1518TF-4) to version 3.0.1 or later.
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to version 21.9.7 or later.
Long-term hardening (2 items)
HARDENING: Segment engineering workstations and HMI systems from the general corporate network; place all systems that access controller web interfaces on a separate VLAN with restricted outbound internet access.
HARDENING: Implement network segmentation so engineering workstations cannot freely browse the internet while connected to the control network.
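The workarounds in "Do now" and both hardening items come down to one rule: only the engineering network may reach a controller's web server on TCP 80/443, and that network should not double as a general browsing network. The following is an added audit helper written for this page, not code from Siemens or OTPulse. It assumes a constructed layout (controllers on 10.10.0.0/24, engineering VLAN on 10.20.0.0/24) and a generic key=value firewall accept-log format; it flags web-server connections to the controller subnet from any other source and emits the nftables rules the workaround implies, for a routing firewall between the VLANs (an assumed placement).

```python
"""Added audit helper (not from the advisory, Siemens or OTPulse) for the
workaround of restricting TCP 80/443 access to controllers to the trusted
engineering network. It parses connection records, flags web-server access to
the controller subnet from outside that network, and emits the nftables rules
the advisory's wording implies. Addresses, subnets and the log format are
constructed for the demo."""
import ipaddress
import re
from typing import Dict, List

# Assumed layout: controllers on 10.10.0.0/24, engineering VLAN 10.20.0.0/24
PLC_NETS = [ipaddress.ip_network("10.10.0.0/24")]
TRUSTED_ENGINEERING_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WEB_PORTS = {80, 443}

# Constructed firewall accept-log lines in a generic key=value form
SAMPLE_LOG = """\
2022-11-09T08:01:12Z ACCEPT proto=tcp src=10.20.0.15 dst=10.10.0.7 dport=443
2022-11-09T08:02:40Z ACCEPT proto=tcp src=192.168.50.23 dst=10.10.0.7 dport=80
2022-11-09T08:03:05Z ACCEPT proto=tcp src=10.20.0.15 dst=10.10.0.9 dport=102
2022-11-09T08:04:19Z ACCEPT proto=tcp src=10.20.0.40 dst=10.10.0.7 dport=443
2022-11-09T08:05:51Z ACCEPT proto=tcp src=10.30.0.5 dst=10.10.0.7 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)


def find_untrusted_web_access(log_text: str) -> List[Dict[str, str]]:
    """Return records where a host outside the engineering network reached a
    controller on TCP 80/443. Other controller traffic (for example S7 on
    port 102) is outside the scope of this workaround and is ignored."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # unparseable line; a real tool should count these
        rec = match.groupdict()
        if rec["proto"] != "tcp" or int(rec["dport"]) not in WEB_PORTS:
            continue
        if not in_any(ipaddress.ip_address(rec["dst"]), PLC_NETS):
            continue
        if in_any(ipaddress.ip_address(rec["src"]), TRUSTED_ENGINEERING_NETS):
            continue
        findings.append(rec)
    return findings


def nftables_rules() -> str:
    """nftables ruleset for a routing firewall between the VLANs (assumed
    placement): allow the engineering network to the controllers' web ports,
    drop everyone else, leave other traffic to the existing policy."""
    ports = ", ".join(str(p) for p in sorted(WEB_PORTS))
    lines = ["table inet plc_web {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    for plc in PLC_NETS:
        for eng in TRUSTED_ENGINEERING_NETS:
            lines.append(f"    ip saddr {eng} ip daddr {plc} "
                         f"tcp dport {{ {ports} }} accept")
        lines.append(f"    ip daddr {plc} tcp dport {{ {ports} }} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for rec in find_untrusted_web_access(SAMPLE_LOG):
        print(f"{rec['ts']} untrusted source {rec['src']} "
              f"-> {rec['dst']}:{rec['dport']}")
    print(nftables_rules())
```

On the constructed log the helper reports the two connections from outside 10.20.0.0/24 (one from a corporate address on port 80, one from a third VLAN on 443) and ignores the engineering host's port 102 session, which this workaround does not cover. The generated ruleset is the "restrict to trusted engineering networks" wording made explicit; it still needs to be loaded on a firewall that actually sits in the path between the VLANs, and the accept line should be narrowed to individual engineering hosts where the VLAN also carries workstations that browse the internet.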