CVE-2016-8672 in SIMATIC CP 343-1

Summary

by MITRE

A vulnerability has been identified in SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.0.53), SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.2.17), SIMATIC S7-300 PN/DP CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP CPU family (incl. SIPLUS variants) (All versions). The integrated web server delivers cookies without the "secure" flag. Modern browsers interpreting the flag would mitigate potential data leakage in case of clear text transmission.


Analysis

by VulDB Data Team • 10/04/2022

This vulnerability affects Siemens industrial automation products including various CP and S7 CPU modules that incorporate integrated web servers for remote configuration and monitoring. The flaw resides in the web server implementation where session cookies are transmitted without the secure flag, creating a significant security risk in industrial environments. The affected devices include SIMATIC CP 343-1 Advanced, CP 443-1 Advanced, S7-300 PN/DP CPU family, and S7-400 PN/DP CPU family across multiple variants and versions. When cookies lack the secure flag, they can be transmitted over unencrypted HTTP connections, making them susceptible to interception during network traffic analysis.

The technical implementation flaw stems from improper cookie attribute configuration within the embedded web server software components of these industrial controllers. The secure flag is a critical HTTP cookie attribute that instructs web browsers to only transmit the cookie over HTTPS connections, encrypting the communication channel. Without this flag, even when organizations implement HTTPS for web access, the session management remains vulnerable to man-in-the-middle attacks and network sniffing operations. This vulnerability directly maps to CWE-614, which addresses insecure cookies that are transmitted over unencrypted channels, and represents a fundamental flaw in the web application security implementation of these industrial devices.

The operational impact of this vulnerability is particularly concerning for industrial control systems, where these devices often operate in environments with limited network segmentation and where clear text communication may be prevalent. In scenarios where attackers can intercept network traffic, they could capture session cookies and potentially impersonate authorized users to access industrial control interfaces. This risk is exacerbated where these devices are reached over untrusted networks or where an attacker is able to observe network traffic. The vulnerability creates a pathway for lateral movement within industrial networks and could enable attackers to gain unauthorized access to critical control functions, potentially leading to operational disruption or safety system compromise.

Organizations should implement immediate mitigations including network segmentation to isolate these devices from untrusted networks, enforcing mandatory HTTPS usage with certificate validation, and deploying network monitoring solutions to detect potential cookie interception attempts. The recommended long-term solution involves updating all affected devices to versions that properly implement the secure cookie flag, specifically targeting V3.0.53 for CP 343-1 and V3.2.17 for CP 443-1. Additionally, implementing network access controls, disabling unnecessary web services, and conducting regular security assessments of industrial control systems aligns with NIST SP 800-82 guidelines for industrial control system security. This vulnerability demonstrates the importance of applying security best practices to embedded industrial systems and highlights the need for comprehensive security testing of all network services within operational technology environments.
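An added audit check, not code from VulDB or Siemens, that applies the secure-flag explanation above and the assessment recommendation to an HTTP response: it parses each Set-Cookie header and reports cookies that lack the Secure attribute (CWE-614), noting HttpOnly as well. The sample responses and the cookie name "session" are constructed placeholders, not captured from a SIMATIC device.

```python
"""Audit check for CWE-614: report Set-Cookie headers without the Secure flag."""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and attributes.
    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    flag attributes such as Secure are stored with the value True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_response(raw_response: str) -> list:
    """Return one finding per weak cookie attribute in a raw HTTP response.
    Only the header block is inspected; header names match case-insensitively."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    findings: list = []
    for line in header_block.split("\r\n")[1:]:  # skip the status line
        hname, sep, hvalue = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue.strip())
        attrs = cookie["attrs"]
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure flag (CWE-614)")
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly flag")
    return findings


# Constructed sample responses; "session" is a placeholder cookie name,
# not the name issued by the SIMATIC web server.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=c0nstructed; Path=/\r\n"
    "\r\n<html></html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=c0nstructed; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

Feed it the raw response captured from a device's web interface during an assessment; an empty list means every cookie carried both flags.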

Reservation

10/15/2016

Disclosure

11/23/2016

Moderation

accepted

Entry

VDB-93740

CPE

ready

EPSS

0.01852

KEV

no

Activities

very low
