Threat Feed
medium advisory

Siemens SIPROTEC 5 Insufficient Session ID Randomness Leads to Session Hijacking (CVE-2024-54017)

Siemens SIPROTEC 5 devices are vulnerable to session hijacking (CVE-2024-54017) because session identifiers are generated from insufficiently random numbers, potentially allowing an unauthenticated remote attacker to brute-force a valid session identifier and gain unauthorized read access to limited information from the device's web server.

Multiple Siemens SIPROTEC 5 devices are affected by a vulnerability (CVE-2024-54017) stemming from the use of insufficiently random numbers when generating session identifiers. Because the identifiers are far less unpredictable than their length suggests, an unauthenticated remote attacker can brute-force a valid session identifier rather than having to search the full identifier space. Successful exploitation grants the attacker unauthorized read access to limited information from the web server. The affected products are a range of SIPROTEC 5 devices; for the models that already have a fix, all versions below V11.0 are affected. Siemens is preparing fixes for the remaining models and recommends countermeasures where a fix is not yet available. The vulnerability matters for critical infrastructure, particularly critical manufacturing, where these protection relays are deployed worldwide.

Attack Chain

  1. An unauthenticated attacker identifies a vulnerable SIPROTEC 5 device whose web server is reachable on the network.
  2. The attacker sends an initial HTTP request to the device's web server to observe how sessions are established.
  3. The device generates session identifiers from an insufficiently random source, so the set of identifiers it can plausibly hand out is much smaller than the identifier length implies.
  4. The attacker enumerates candidate session identifier values.
  5. The attacker sends an HTTP request with each guessed session identifier.
  6. If a guessed session identifier matches a valid active session, the device treats the request as belonging to that session.
  7. The attacker gains unauthorized read access to limited information from the web server.
  8. The attacker may use any exposed configuration or operational details to plan further activity against the device or the network it protects.
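The loop in steps 4 to 6 only works when the identifier space an attacker has to search is small. The following is an added example, not SIPROTEC firmware or Siemens code: a toy session server whose identifiers come from a time-seeded Mersenne Twister (an assumption chosen to make the search tractable offline, not the device's actual generator) beside a hardened version that draws 128 bits from the OS CSPRNG, and the brute-force loop from the attack chain run against both. The login time, window size and probe budget are constructed values.

```python
"""Toy model of session hijacking through insufficiently random session IDs.

Added example, not Siemens code.  Assumptions: the weak server seeds
random.Random with the login time in whole seconds and emits a 32-bit hex
ID; the hardened server takes 128 bits from secrets.token_hex.
"""
import random
import secrets
from typing import Callable, Iterable, Optional


class SessionServer:
    """Stand-in for the device web server: issues an ID on login and answers
    'is this ID an active session?' for every probe (attack chain step 6)."""

    def __init__(self, generator: Callable[[int], str]) -> None:
        self._generate = generator
        self.active: set[str] = set()
        self.probes = 0  # number of guesses the attacker had to send

    def login(self, now: int) -> str:
        sid = self._generate(now)
        self.active.add(sid)
        return sid

    def is_valid(self, sid: str) -> bool:
        self.probes += 1
        return sid in self.active


def weak_session_id(now: int) -> str:
    # Fully determined by the login second: anyone who knows roughly when the
    # victim logged in can regenerate every candidate (assumed weak scheme).
    return f"{random.Random(now).getrandbits(32):08x}"


def strong_session_id(_now: int) -> str:
    # 128 bits from the OS CSPRNG: nothing to recover, 2**127 expected guesses.
    return secrets.token_hex(16)


def brute_force(server: SessionServer, candidates: Iterable[str], budget: int) -> Optional[str]:
    """Steps 4-6: send each guessed ID, stop at the first one the server accepts."""
    for sent, guess in enumerate(candidates, start=1):
        if sent > budget:
            return None
        if server.is_valid(guess):
            return guess
    return None


def seed_window_candidates(t_start: int, t_end: int) -> Iterable[str]:
    """Attacker model for the weak generator: replay every seed in the window
    during which the victim could have logged in."""
    return (weak_session_id(t) for t in range(t_start, t_end + 1))


def random_candidates(n: int) -> Iterable[str]:
    """Blind guessing, the only strategy left against the hardened generator."""
    return (secrets.token_hex(16) for _ in range(n))


def expected_probes(id_bits: int, active_sessions: int) -> int:
    """Mean number of blind guesses before hitting any active session."""
    return 2 ** id_bits // (2 * active_sessions)


def demo() -> dict:
    login_time = 1_733_824_800  # constructed: victim logs in at this epoch second

    weak = SessionServer(weak_session_id)
    victim_sid = weak.login(login_time)
    # Attacker only knows the login happened within a 10-minute window.
    recovered = brute_force(
        weak, seed_window_candidates(login_time - 300, login_time + 300), budget=1_000
    )

    hardened = SessionServer(strong_session_id)
    hardened.login(login_time)
    missed = brute_force(hardened, random_candidates(1_000), budget=1_000)

    return {
        "weak_hijacked": recovered == victim_sid,
        "weak_probes": weak.probes,
        "hardened_hijacked": missed is not None,
        "blind_probes_32bit": expected_probes(32, 1),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is the probe count: against the weak generator the attacker hits the victim's session after a few hundred requests, which a device web server will happily serve, whereas even a blind search of a 32-bit identifier space needs on the order of 2**31 requests and a 128-bit CSPRNG identifier is out of reach entirely.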

Impact

Successful exploitation of CVE-2024-54017 allows an unauthenticated attacker to read limited information from a vulnerable Siemens SIPROTEC 5 device's web server. The impact is confined to read access, but any exposed configuration data or operational parameters can help an attacker plan further activity against the relay or the substation network around it. The vulnerability affects a wide range of SIPROTEC 5 devices deployed globally, particularly in critical manufacturing sectors.

Recommendation

  • Update affected SIPROTEC 5 devices to V11.0 or later where Siemens has released that version; for models without a fix yet, apply the countermeasures in the Siemens advisory.
  • Monitor web server logs for one source sending many requests with different session identifiers in a short time, the pattern of a brute-force attempt against CVE-2024-54017. The two Sigma rules below cover this pattern.
  • Restrict network access to SIPROTEC 5 devices with segmentation and firewalls so the web server is not reachable from untrusted networks, as recommended in the CISA advisory.

Detection coverage (2 rules)

Detect CVE-2024-54017 Exploitation Attempts - Multiple Unique Session IDs

medium

Detects CVE-2024-54017 exploitation attempts by monitoring web server logs for a high number of unique session IDs originating from the same source IP address within a short time frame, indicating potential brute-force activity.

Sigma rule. Tactic: initial_access. Techniques: T1595, T1595.002. Log source: webserver.

Detect CVE-2024-54017 Exploitation Attempts - Invalid Session ID Responses

low

Detects CVE-2024-54017 exploitation attempts by monitoring web server logs for a series of failed requests (e.g., HTTP 401, 403) from one source, each carrying a different session ID from the one before, indicating brute-forcing attempts.

Sigma rule. Tactic: initial_access. Techniques: T1595, T1595.002. Log source: webserver.
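To make the two detection ideas concrete, here is an added example of their logic run over constructed web server log lines. It is not the platform's Sigma rules and not a SIPROTEC log format: the line layout (`<timestamp> <src_ip> <method> <path> <status> sid=<session id>`), the 60-second window and the thresholds are assumptions, and the sample traffic is generated inline.

```python
"""Session-ID brute-force detection over web server logs.

Added example, not the platform's Sigma rules.  Assumed log line format:
    <iso timestamp> <src_ip> <method> <path> <status> sid=<session id>
Rule 1: many distinct session IDs from one source within a window.
Rule 2: many 401/403 responses from one source, each with a different session ID.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable

WINDOW = timedelta(seconds=60)  # assumed sliding window


@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    status: int
    sid: str


def parse_line(line: str) -> Event:
    ts, src_ip, _method, _path, status, sid_field = line.split()
    return Event(datetime.fromisoformat(ts), src_ip, int(status), sid_field.removeprefix("sid="))


def _by_source(events: Iterable[Event]) -> dict[str, list[Event]]:
    groups: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        groups[e.src_ip].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e.ts)
    return groups


def _max_distinct_in_window(evs: list[Event], window: timedelta, keep: Callable[[Event], bool]) -> int:
    """Largest number of distinct session IDs among kept events inside any
    window that starts at one of the source's own events."""
    best = 0
    for i, anchor in enumerate(evs):
        seen = {e.sid for e in evs[i:] if e.ts - anchor.ts <= window and keep(e)}
        best = max(best, len(seen))
    return best


def detect_many_unique_sids(lines: Iterable[str], window: timedelta = WINDOW, threshold: int = 20) -> dict[str, int]:
    """Rule 1: alert on sources presenting >= threshold distinct session IDs in one window."""
    alerts = {}
    for ip, evs in _by_source(map(parse_line, lines)).items():
        n = _max_distinct_in_window(evs, window, keep=lambda e: e.sid != "-")
        if n >= threshold:
            alerts[ip] = n
    return alerts


def detect_failed_rotating_sids(lines: Iterable[str], window: timedelta = WINDOW, threshold: int = 10) -> dict[str, int]:
    """Rule 2: alert on sources with >= threshold refused requests (401/403) that
    each used a different session ID in one window."""
    alerts = {}
    for ip, evs in _by_source(map(parse_line, lines)).items():
        n = _max_distinct_in_window(evs, window, keep=lambda e: e.status in (401, 403))
        if n >= threshold:
            alerts[ip] = n
    return alerts


def constructed_log() -> list[str]:
    """Constructed sample: 10.0.0.9 is a normal user reusing one session ID;
    10.0.0.5 sends 25 probes in 25 seconds, each with a new guess, all refused."""
    base = datetime(2024, 12, 10, 10, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.9 GET /status 200 sid=9fbc02a1"
        for i in range(6)
    ]
    lines += [
        f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.5 GET /status 403 sid={i:08x}"
        for i in range(25)
    ]
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("rule 1:", detect_many_unique_sids(log))
    print("rule 2:", detect_failed_rotating_sids(log))
```

Rule 2 has the lower severity on the platform for a reason that the code makes visible: it depends on the device answering a bad session ID with 401 or 403, and a server that instead redirects to a login page or returns 200 with an error body will never trigger it, while rule 1 only needs the session IDs themselves to be logged.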

Detection queries are available on the platform.