Yesterday the DHS ICS-CERT published a control system security advisory for the Siemens SCALANCE X-200 switch family. The Web session hijack vulnerability was reported by Eireann Leverett of IOActive in a coordinated disclosure.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to hijack a Web session due to insufficient entropy in the switch’s random number generator. This could allow an attacker to change device configurations.
ICS-CERT reports that Siemens has produced a firmware upgrade that remediates the vulnerability. There is no indication in the advisor or the Siemens-CERT advisory that Leverett or IOActive have verified the efficacy of the upgrade.