16 May 2019

KLCERT-19-025: Siemens SIMATIC WinCC and SIMATIC PCS 7 remote code execution using specially crafted project files

Vendor

Siemens

Timeline

Timeline

  • Kaspersky ICS CERT advisory updated

    26 January 2024

  • Kaspersky ICS CERT advisory published

    15 May 2019

  • Vendor releases patch

    May 2019

  • Vulnerabilities acknowledged by Vendor

    December 2018

  • Vulnerabilities reported

    December 2018

Description

An attacker with access to the project file could run arbitrary system commands with the privileges of the local database server. The vulnerability could be exploited by an attacker with access to the project file. The vulnerability does impact the confidentiality, integrity, and availability of the affected system.

Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Existence of exploit

PoC

Affected products

SIMATIC PCS 7 V8.0 and earlier: All versions
SIMATIC PCS 7 V8.1: All versions
SIMATIC PCS 7 V8.2: All versions
SIMATIC PCS 7 V9.0: All versions
SIMATIC WinCC (TIA Portal) V13: All versions
SIMATIC WinCC (TIA Portal) V14: All versions
SIMATIC WinCC (TIA Portal) V15: All versions
SIMATIC WinCC Runtime Professional: All versions
SIMATIC WinCC V7.2 and earlier: All versions
SIMATIC WinCC V7.3: All versions
SIMATIC WinCC V7.4: All versions
SIMATIC WinCC V7.5: All versions < V7.5 Upd3

Mitigation

Vendor mitigation

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

  • Apply Defense-in-Depth
  • Enable “Encrypted communication” in SIMATIC WinCC and SIMATIC PCS 7.
  • Only open project files from trusted locations.
Product Versions Mitigations
SIMATIC PCS 7 <8.1.0.0 Update WinCC to V7.3 Upd 19
https://support.industry.siemens.com/cs/ww/en/view/109768972
SIMATIC PCS 7 >=8.2.0.0;
<8.2.1.0
Update WinCC to V7.4 SP1 Upd 11
https://support.industry.siemens.com/cs/ww/en/view/109768093
SIMATIC PCS 7 >=9.0.0.0;
<9.0.2.0
Update WinCC to V7.4 SP1 Upd 11
https://support.industry.siemens.com/cs/ww/en/view/109768093
SIMATIC WinCC (TIA Portal) >=13.0.0;
<14.0.0
NO FIX
SIMATIC WinCC (TIA Portal)
All versions < V14 SP1 Upd 9
>=14.0.0.0;
<14.0.1.9
Update to V14 SP1 Upd 9
https://support.industry.siemens.com/cs/ww/en/view/109747387
SIMATIC WinCC (TIA Portal)
All versions < V15.1 Upd 3
>=15.0.0.0;
<15.1.0.3
Update to V15.1 Upd 3
https://support.industry.siemens.com/cs/ww/en/view/109763890
SIMATIC WinCC
Runtime Professional
All versions < V13
NO FIX
SIMATIC WinCC
Runtime Professional
All versions < V14.1 Upd 8
>=14.0.0.0;
<14.1.0.8
Update to V14.1 Upd 8
https://support.industry.siemens.com/cs/ww/en/view/109747394
SIMATIC WinCC
Runtime Professional
All versions < V15.1 Upd 3
>=15.0.0.0;
<15.1.0.3
Update to V15.1 Upd 3
https://support.industry.siemens.com/cs/ww/en/view/109763892
SIMATIC WinCC V7.2 and earlier
All versions
NO FIX
WinCC v7.3
All versions < V7.3 Upd 19
>=7.3.0.0;
<7.3.0.19
Update to V7.3 Upd 19
https://support.industry.siemens.com/cs/ww/en/view/109768972
WinCC v7.4
All versions < V7.4 SP1 Upd 11
>=7.4.0.0;
<7.4.1.11
Update to V7.4 SP1 Upd 11
https://support.industry.siemens.com/cs/ww/en/view/109768093
WinCC v7.5
All versions < V7.5 Upd 3
>=7.5.0.0;
<7.5.0.3
Update to V7.5 Upd 3
https://support.industry.siemens.com/cs/ww/en/view/109767227

Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory updated

    26 January 2024

  • Kaspersky ICS CERT advisory published

    15 May 2019

  • Vendor releases patch

    May 2019

  • Vulnerabilities acknowledged by Vendor

    December 2018

  • Vulnerabilities reported

    December 2018