25 June 2021

18-024: Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Management Software

Vendor

Emerson

Timeline

  • Advisory updated

    19 June 2021

  • Advisory published

    18 June 2021

  • Patched

    19 June 2021

  • Vendor confirmation

    20 June 2021

  • Vendor informing

    16 June 2021

Description

Cross-site request forgery (CSRF) vulnerability in the integrated web server on Siemens SIMATIC CP 343-1 Advanced prior to version 3.0.53, SIMATIC CP 443-1 Advanced prior to version 3.2.17, SIMATIC S7-300 CPU, and SIMATIC S7-400 CPU devices allows remote attackers to hijack the authentication of arbitrary users.

CVSS v3

0.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L)

Exploitability

Remotely

Impact

Successful exploitation of this vulnerability allows an attacker to hijack a legitimate user's session.

Existence of exploit

Unknown

Affected products

  • Honeywell PLC versions R130.2, R140, R150, and R151
  • Honeywell RTU versions R101, R110, R140, R150, and R151

Mitigations

Vendor

Primary

Install firmware update V3.0.53 or newer

2 Siemens SIMATIC S7-300 CPUs

  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
Generic

KL ICS CERT

Primary

Install firmware update V3.0.53 or newer

2 Siemens SIMATIC S7-300 CPUs

  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
Generic

ICS CERT

Primary

Install firmware update V3.0.53 or newer

2 Siemens SIMATIC S7-300 CPUs

  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
Generic

References
