Siemens Updates STEP 7, WinCC Holes

Tuesday, August 14, 2018 @ 11:08 AM gHale

Siemens has an update for its SIMATIC STEP 7 (TIA Portal) and SIMATIC WinCC (TIA Portal) that fixes two vulnerabilities, according to a report with Siemens ProductCERT.

The vulnerabilities could allow an attacker with local file write access to manipulate files and either cause a denial of service (DoS) or execute code, both on the manipulated installation and on devices configured using that installation.


The Totally Integrated Automation Portal (TIA Portal) is PC software that provides unrestricted access to the complete range of Siemens digitalized automation services, from digital planning and integrated engineering to transparent operation. Younes Dragoni from Nozomi Networks discovered the vulnerability.

Affected products include:
• SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12: All versions
• SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13: All versions
• SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14: All versions less than V14 SP1 Update 6
• SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V15: All versions less than V15 Update 2

In the first vulnerability, improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to insert specially crafted files, which may prevent TIA Portal from starting (DoS) or lead to local code execution. No special privileges are required, but the victim needs to start TIA Portal after the manipulation.

That vulnerability has a CVSS base score of 7.8. At the time of advisory publication, no public exploitation of it was known.

In the second vulnerability, improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to manipulate resources that may later be transferred to devices and executed there by a different user. No special privileges are required, but the victim needs to transfer the manipulated files to a device. Execution occurs on the target device rather than on the programming (PG) device.

This one has a CVSS base score of 8.6. At the time of advisory publication, no public exploitation of it was known.

Siemens identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
• Restrict operating system access to authorized personnel
• Validate GSD files for legitimacy and process GSD files only from trusted sources
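Both issues come down to broad local groups holding write rights on the engineering software's files. As an added example that is not from Siemens or this article, the following PowerShell audit walks an installation tree and lists every directory where a broad principal (Everyone, Users, Authenticated Users, INTERACTIVE) is allowed to create or modify files; the installation path and the group list are assumptions to adjust for the environment.

```powershell
# Added example (not Siemens code): flag directories under a TIA Portal
# install tree where broad local principals hold write rights.
# The default for $Root is an assumed path; pass the real install or
# data directory of the affected installation.
param(
    [string]$Root = 'C:\Program Files\Siemens\Automation\Portal V14'  # assumed
)

# Principals that should not be able to add or alter files in an install tree.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights sufficient to plant or replace a file. Cast to [int] so generic
# rights (which appear as negative enum values) are handled as bit masks.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$R::Write -bor [int]$R::Modify -bor [int]$R::FullControl -bor
             [int]$R::CreateFiles -bor [int]$R::WriteData

# Include the root itself plus every subdirectory.
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $dir.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize
} else {
    Write-Output "No broad write permissions found under $Root"
}
```

Run it elevated so every directory's ACL can be read; any row it prints is a location where the workaround "restrict operating system access to authorized personnel" has not yet been applied, and the Inherited column tells you whether the fix belongs on that directory or on a parent.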

Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security.
