OTPulse

Siemens SIMATIC ProSave, SIMATIC CFC, SIMATIC STEP 7, SIMOTION Scout, and STARTER Insufficiently Qualified Paths

Low Risk · ICS-CERT ICSA-15-064-02 · Dec 6, 2015
Summary

Siemens SIMATIC ProSave, CFC, STEP 7, SIMOTION Scout, STARTER, and PCS 7 software use insufficiently qualified execution paths that allow injection of malicious code into automation projects. An attacker with access to an engineering workstation can modify project files, and when those projects are deployed to programmable logic controllers (PLCs) or SIMOTION motion controllers, the attacker's code executes with device privileges. This affects all versions of STEP 7 V5.5 SP3, PCS 7 V8.0 SP2, and multiple other legacy versions. Siemens has not released patches for any affected product version.

What this means
What could happen
An attacker who gains access to an engineering workstation running these affected tools could inject malicious code into automation projects that would execute on connected control devices, potentially altering process parameters or halting industrial operations.
Who's at risk
Process control engineers and operators at utilities, refineries, and water treatment facilities who use Siemens SIMATIC suite tools (STEP 7, CFC, ProSave, PCS 7) to program PLCs and SIMOTION motion controllers. This affects both programming and maintenance operations on critical automation infrastructure.
How it could be exploited
An attacker must first compromise or gain access to an engineering workstation running one of the affected Siemens tools (ProSave, CFC, STEP 7, SIMOTION Scout, or STARTER). The attacker exploits insufficiently qualified execution paths to inject malicious code into automation project files. When an engineer downloads or executes the compromised project on PLCs or SIMOTION controllers, the malicious code runs with the privileges of the control device, allowing command execution in the production environment.
Prerequisites
  • Network or physical access to an engineering workstation running affected Siemens software
  • Ability to modify or create automation project files (.awl, .scl, or proprietary project formats)
  • Target control device connected to the engineering network or accessible via project deployment
Tags: no patch available · affects development/engineering tools · requires engineering workstation compromise · impacts integrity of industrial control logic
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (15)
9 pending, 6 EOL
Product         | Affected Versions    | Fix Status
CFC V8.0 SP4    | < V8.0 SP4 Upd 9     | No fix yet
CFC V8.1        | < V8.1 Upd1          | No fix yet
STEP 7 V5.5 SP1 | < V5.5 SP1 HF2       | No fix yet
STEP 7 V5.5 SP2 | < V5.5 SP2 HF7       | No fix yet
STEP 7 V5.5 SP3 | All versions         | No fix yet
STEP 7 V5.5 SP4 | < V5.5 SP4 HF4       | No fix yet
SIMATIC ProSave | < V13 SP1            | No fix (EOL)
SIMOTION Scout  | < V4.4               | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Review and validate all automation project files before deploying to production controllers; use version control and code review procedures for project changes
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Restrict access to engineering workstations running affected Siemens software to authorized personnel only; implement strong authentication and audit logging
HARDENING: Isolate engineering networks from production OT networks using air-gapping or strict firewall rules that block unexpected outbound connections from engineering workstations
HARDENING: Monitor engineering workstations for unauthorized modifications to automation project files using file integrity monitoring or baseline comparison tools
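The baseline-comparison approach from the last hardening item, as an added example that is not part of the OTPulse advisory or any Siemens tooling: it hashes every file in a project directory, diffs a later snapshot against the stored baseline, and separately flags new or changed files with executable extensions (the extension list and the sample project layout are assumptions chosen for this illustration).

```python
"""Baseline and compare file integrity for an automation project directory."""
import hashlib
import tempfile
from pathlib import Path

# Extensions that normally have no business inside a project tree; a new or
# changed file of this kind deserves a closer look. Assumption for this
# example, not a list from the advisory.
EXECUTABLE_EXTS = {".dll", ".exe", ".bat", ".cmd", ".ps1", ".vbs"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large project archives are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths, plus the executable subset."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    suspicious = [k for k in added + modified
                  if Path(k).suffix.lower() in EXECUTABLE_EXTS]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: snapshot a small project, alter it, diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        blocks = Path(tmp, "Plant_A", "Blocks")
        blocks.mkdir(parents=True)
        (blocks / "OB1.awl").write_text("CALL FC1\n")        # constructed sample
        (blocks / "FC1.scl").write_text("FUNCTION FC1\n")    # constructed sample
        baseline = build_baseline(Path(tmp, "Plant_A"))
        # Later snapshot: one logic block edited, one library file appeared.
        (blocks / "FC1.scl").write_text("FUNCTION FC1 // changed\n")
        (blocks / "helper.dll").write_bytes(b"MZ")
        return compare(baseline, build_baseline(Path(tmp, "Plant_A")))
```

In practice the baseline dictionary would be written out (for example as JSON) at release time and compared against a fresh snapshot before each download to a controller.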