16 July 2019

Dangerous vulnerabilities in Siemens TIA Administrator, SIMATIC WinCC and PCS7

A new vulnerability, CVE-2019-10935, has been identified in several Siemens SIMATIC WinCC and PCS7 industrial solutions, which can cause a denial-of-service condition on the affected service or device.

The vulnerability affects the following products:

  • SIMATIC PCS 7 v8.0 and 8.1 (all versions)
  • SIMATIC PCS 7 v8.2 – all versions prior to v8.2 SP1 with WinCC v7.4 SP1 Upd 11
  • SIMATIC PCS 7 v9.0 – all versions prior to v9.0 SP2 with WinCC v7.4 SP1 Upd 11
  • all versions of SIMATIC WinCC Professional (TIA Portal v13, v14 and v15)
  • all versions of SIMATIC WinCC Runtime Professional v13, v14 and v15
  • SIMATIC WinCC v7.2 and earlier (all versions)
  • SIMATIC WinCC v7.3 (all versions)
  • SIMATIC WinCC v7.4 (all versions prior to v7.4 SP1 Upd 11)
  • SIMATIC WinCC v7.5 (all versions prior to v7.5 Upd 3)

The vulnerability can affect the confidentiality, integrity and availability of the affected device. It stems from the ability to upload dangerous files: the SIMATIC WinCC DataMonitor web application allows authenticated users with network access to the WinCC DataMonitor application to upload arbitrary ASPX code. Successful exploitation of this vulnerability does not require user interaction.

CVE-2019-10935 can be exploited remotely, but it is relevant only when the threat actor has access via the web interface but not to the directory structure. It has been given a score of 7.2 on the CVSS v3 scale.

Siemens is continuing work on updates for the other products affected by this vulnerability.

Finally, the dangerous vulnerability CVE-2019-10915 has been identified in Siemens TIA Administrator (TIA Portal). It could allow attackers to execute certain commands without proper authentication. This improper access control vulnerability affects all versions prior to v1.0 SP1 Upd1. It has been assigned a base score of 8 on the CVSS v3 scale.

The vendor recommends updating the application to v1.0 SP1 Upd1 or later and also restricting access to port 888/TCP to localhost (the default setting).
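As an added example (not from the advisory or from Siemens), here is a check for the second recommendation: the script parses `netstat -ano` style output from a Windows host and flags any listener on 888/TCP that is not bound to a loopback address. The port number comes from the advisory; the sample output, the PIDs and the assumption that the TIA Administrator service is the process on 888/TCP are constructed for the example.

```python
from ipaddress import ip_address

# Constructed sample of `netstat -ano` output (not real data from the page).
# 888/TCP is the port the advisory says should be reachable from localhost only.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:888            0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:888          0.0.0.0:0              LISTENING       4120
  TCP    192.168.10.5:3389      0.0.0.0:0              LISTENING       1032
  TCP    [::]:888               [::]:0                 LISTENING       4120
  TCP    [::1]:888              [::]:0                 LISTENING       4120
"""

TIA_ADMIN_PORT = 888  # from the advisory


def parse_listeners(netstat_output):
    """Yield (host, port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        # Local address is "host:port"; IPv6 hosts are bracketed, e.g. "[::]:888".
        host, _, port = parts[1].rpartition(":")
        yield host.strip("[]"), int(port), int(parts[4])


def exposed_listeners(netstat_output, port=TIA_ADMIN_PORT):
    """Return listeners on `port` bound to anything other than a loopback address.

    0.0.0.0 and :: (all interfaces) are reported as exposed; 127.0.0.1 and ::1 are not.
    """
    findings = []
    for host, p, pid in parse_listeners(netstat_output):
        if p == port and not ip_address(host).is_loopback:
            findings.append((host, p, pid))
    return findings


if __name__ == "__main__":
    for host, port, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"port {port}/TCP exposed on {host} (PID {pid})")
```

On a live host, feed the function the output of `netstat -ano` (assumed to be run by an administrator); an empty result means the port is bound to loopback only, as the vendor recommends.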

Sources: ICS-CERT, Siemens