Siemens has a workaround and mitigation to handle a cross-site scripting vulnerability in its IE/WSN-PA Link WirelessHART Gateway, according to a report with CISA.
Successful exploitation of this remotely exploitable vulnerability, which Siemens self-reported, could allow information disclosure, code execution, or denial-of-service. All versions of IE/WSN-PA Link WirelessHART Gateway are affected.
In the vulnerability, an attacker sending a malicious link to an unsuspecting user may be able to execute a cross-site scripting attack, which may allow information disclosure, code execution, or denial-of-service.
CVE-2019-13923 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees use in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. High skill level is needed to exploit.
Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk: Only access links from trusted sources in the browser used to configure IE/WSN-PA Link.
As a general security measure, Siemens recommends users protect network access to devices with appropriate mechanisms.
In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens’ operational guidelines for industrial security, and follow the recommendations in the product manuals.
Click here for additional information on industrial security by Siemens.
For more information, see Siemens Security Advisory SSA-191683.