This evening the DHS ICS-CERT published an advisory for 9 separate vulnerabilities in the Siemens S7-1500 CPU firmware. The vulnerabilities were identified by Siemens and a variety of researchers from Positive Technologies. Siemens has produced a firmware update that mitigates the vulnerabilities.
The vulnerabilities include:
• Cross-site request forgery, CVE-2014-2249;
• Cross-site scripting, CVE-2014-2246;
• Improper neutralization of script-related HTML tags in a web page, CVE-2014-2247;
• Insufficient entropy, CVE-2014-2251;
• URL redirection to untrusted site, CVE-2014-2248;
• Improper resource shutdown or release, CVE-2014-2259;
• Improper resource shutdown or release, CVE-2014-2253;
• Improper resource shutdown or release, CVE-2014-2255; and
• Improper resource shutdown or release, CVE-2014-2257.
NOTE: The CVE links will be active in a few days.
ICS-CERT reports that these vulnerabilities can be remotely exploited (some only with specific user actions) by a moderately skilled attacker to execute a variety of DoS attacks. The Siemens ProductCERT advisory provides a little more detail on the access required, noting that:
• For vulnerabilities 1, 2, 3 and 5 the attacker must trick users of the devices into opening malicious web pages. Use of modern browsers may reduce the probability of successful exploitation.
• For vulnerability 7 the attacker must have access to the local Ethernet segment.
• All other vulnerabilities require network access to the port.
I noted in the title that this advisory is late. Siemens published their advisory on Wednesday morning CDT. They also pushed the information via a TWEET®. It is a tad bit embarrassing to have to report 9 vulnerabilities in a product that has been touted as an example of the new security engineering standards of Siemens; but they sucked it up and did it in a proactive and very public way.