The Siemens switch zero-day vulnerabilities are in the Web server interface to the devices. The researcher says the first of the two zero-day flaws he found in the Siemens SCALANCE X-200 switch was basic: a poorly constructed session ID setup, which would allow an attacker to hijack an administrative session on the switch without credentials. The session ID basically exposes the client’s IP address so an attacker could then hijack the admin’s Web-based session while managing the switch. “But you don’t log onto these switches very often — maybe once a year– so, in that sense, it’s a weak vulnerability,” he says.
The more critical zero-day Leverett found in the switch was the second one, which would let an attacker take over the admin operations of the switch — no authentication required. The attacker could then download any network configuration information, or upload a malware-ridden firmware update, for example, Leverett says. “The device assumes if you know the URL, you must have authentication. But it never asks you to authenticate [for it],” he says.