CVE-2017-5156 in Wonderware InTouch
Summary
by MITRE
A Cross-Site Request Forgery issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The client request may be forged from a different site. This will allow an external site to access internal RDP systems on behalf of the currently logged in user.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/19/2020
The vulnerability identified as CVE-2017-5156 represents a critical cross-site request forgery flaw in Schneider Electric Wonderware InTouch Access Anywhere version 11.5.2 and earlier. This weakness stems from insufficient validation of the origin of client requests within the web application framework, allowing malicious actors to craft forged requests that appear to originate from legitimate users. The vulnerability specifically affects the authentication and authorization mechanisms that govern access to internal remote desktop protocol systems, creating a significant security risk for industrial control environments.
The technical implementation of this CSRF vulnerability occurs through the improper handling of stateful requests within the web application interface. When a user authenticates to the Wonderware InTouch Access Anywhere system, the application establishes a session that should be maintained and validated for subsequent requests. However, the flawed implementation fails to properly verify that requests originate from the legitimate application interface rather than external malicious domains. This oversight enables attackers to construct specially crafted web pages or documents that, when visited by an authenticated user, automatically submit requests to the vulnerable system.
The operational impact of this vulnerability extends beyond typical web application attacks, particularly within industrial control system environments where the consequences of unauthorized access can be severe. An attacker exploiting this CSRF vulnerability can leverage the authenticated session of a legitimate user to gain access to internal remote desktop protocol systems without requiring additional authentication credentials. This creates a pathway for lateral movement within the industrial network infrastructure, potentially allowing unauthorized personnel to access critical control systems and manipulate industrial processes.
The vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications, and maps to several ATT&CK techniques including T1190 for Exploit Public-Facing Application and T1071.004 for Application Layer Protocol. The attack vector typically involves the delivery of malicious content through phishing emails, compromised websites, or social engineering tactics that entice authenticated users to interact with malicious web content. Once triggered, the forged requests can execute actions that are normally restricted to authorized users, effectively bypassing the authentication mechanisms.
Mitigation strategies for CVE-2017-5156 should include immediate implementation of anti-CSRF tokens within all state-changing requests, proper validation of the referer header, and implementation of SameSite cookie attributes. Organizations should also consider implementing network segmentation to limit access to internal RDP systems and deploy web application firewalls to detect and block suspicious requests. The most effective long-term solution involves upgrading to Schneider Electric Wonderware InTouch Access Anywhere version 11.5.3 or later, which includes proper CSRF protection mechanisms. Additionally, security awareness training for personnel who interact with industrial control systems can help prevent successful exploitation through social engineering approaches.