Full Report
The web interface of SIMATIC S7-1200 CPUs before V4.7 is affected by a cross-site request forgery (CSRF) vulnerability. Siemens has released new versions for the affected products and recommends to update to the latest versions.
Analysis Summary
# Vulnerability: CSRF in SIMATIC S7-1200 Web Interface
## CVE Details
- **CVE ID:** CVE-2024-47100
- **CVSS Score:**
- CVSS v3.1: 7.1 (High)
- CVSS v4.0: 7.2 (High)
- **CWE:** CWE-352: Cross-Site Request Forgery (CSRF)
## Affected Systems
- **Products:**
- SIMATIC S7-1200 CPU family V4 (including SIPLUS variants)
- Specific models include 1211C, 1212C, 1212FC, and others in the V4 family.
- **Versions:** All firmware versions prior to V4.7.
- **Configurations:** Systems where the integrated web interface is enabled and accessible.
## Vulnerability Description
The integrated web interface of affected SIMATIC S7-1200 CPUs does not sufficiently verify the origin of requests. An unauthenticated attacker can craft a malicious link or web page that, if visited by a legitimate user currently authenticated to the CPU's web interface, triggers unauthorized actions. Specifically, this flaw allows an attacker to change the CPU operating mode (e.g., switching the PLC from RUN to STOP), which can disrupt industrial processes.
## Exploitation
- **Status:** PoC available (CVSS Exploit Code Maturity: Functional/Proven).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Interaction:** Required (Tricking an authenticated user into clicking a link).
## Impact
- **Confidentiality:** None
- **Integrity:** Low (Ability to modify CPU states/settings).
- **Availability:** High (Can be used to stop the CPU and halt industrial operations).
## Remediation
### Patches
- **Update to Firmware V4.7 or later.**
- Downloads available via Siemens Support: hXXps://support.industry.siemens.com/cs/ww/en/view/109976907/
### Workarounds
- **Disable the Web Server:** If the web interface is not required for operations, disable it in the TIA Portal configuration to eliminate the attack surface.
- **Restrict Access:** Use industrial firewalls or VPNs to ensure the web interface is not accessible from untrusted networks.
- **Standard Security Practices:** Avoid browsing the external internet or clicking unknown links while logged into the industrial control system's web interface.
## Detection
- **Indicators of Compromise:** Unexpected CPU mode transitions (RUN to STOP) recorded in the diagnostic buffer without a local operator's action.
- **Detection Methods:** Monitor network traffic for unusual cross-origin requests targeting the PLC IP address. Review web server access logs if exported to an external SIEM.
## References
- **Siemens Security Advisory:** hXXps://cert-portal.siemens.com/productcert/pdf/ssa-717113.pdf
- **Siemens Industrial Security Guidelines:** hXXps://www.siemens.com/cert/operational-guidelines-industrial-security
- **General Advisory Page:** hXXps://www.siemens.com/cert/advisories