Siemens SIMATIC ProSave, SIMATIC CFC, SIMATIC STEP 7, SIMOTION Scout, and STARTER Insufficiently Qualified Paths

Low RiskICS-CERT ICSA-15-064-02Dec 6, 2015

Siemens

Summary

Siemens SIMATIC ProSave, CFC, STEP 7, SIMOTION Scout, STARTER, and PCS 7 software use insufficiently qualified execution paths that allow injection of malicious code into automation projects. An attacker with access to an engineering workstation can modify project files, and when those projects are deployed to programmable logic controllers (PLCs) or SIMOTION motion controllers, the attacker's code executes with device privileges. This affects all versions of STEP 7 V5.5 SP3, PCS 7 V8.0 SP2, and multiple other legacy versions. Siemens has not released patches for any affected product version.

What this means

What could happen

An attacker who gains access to an engineering workstation running these affected tools could inject malicious code into automation projects that would execute on connected control devices, potentially altering process parameters or halting industrial operations.

Who's at risk

Process control engineers and operators at utilities, refineries, and water treatment facilities who use Siemens SIMATIC suite tools (STEP 7, CFC, ProSave, PCS 7) to program PLCs and SIMOTION motion controllers. This affects both programming and maintenance operations on critical automation infrastructure.

How it could be exploited

An attacker must first compromise or gain access to an engineering workstation running one of the affected Siemens tools (ProSave, CFC, STEP 7, SIMOTION Scout, or STARTER). The attacker exploits insufficiently qualified execution paths to inject malicious code into automation project files. When an engineer downloads or executes the compromised project on PLCs or SIMOTION controllers, the malicious code runs with the privileges of the control device, allowing command execution in the production environment.

Prerequisites

Network or physical access to an engineering workstation running affected Siemens software
Ability to modify or create automation project files (.awl, .scl, or proprietary project formats)
Target control device connected to the engineering network or accessible via project deployment

no patch availableaffects development/engineering toolsrequires engineering workstation compromiseimpacts integrity of industrial control logic

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (15)

9 pending6 EOL

ProductAffected VersionsFix Status

CFC V8.0 SP4: <V8.0_SP4_Upd_9<V8.0 SP4 Upd 9No fix yet

CFC V8.1: <V8.1_Upd1<V8.1 Upd1No fix yet

STEP 7 V5.5 SP1: <V5.5_SP1_HF2<V5.5 SP1 HF2No fix yet

STEP 7 V5.5 SP2: <V5.5_SP2_HF7<V5.5 SP2 HF7No fix yet

STEP 7 V5.5 SP3: vers:all/*All versionsNo fix yet

STEP 7 V5.5 SP4: <V5.5_SP4_HF4<V5.5 SP4 HF4No fix yet

SIMATIC ProSave: <V13_SP1<V13 SP1No fix (EOL)

SIMOTION Scout: <V4.4<V4.4No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDReview and validate all automation project files before deploying to production controllers; use version control and code review procedures for project changes

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGRestrict access to engineering workstations running affected Siemens software to authorized personnel only; implement strong authentication and audit logging

HARDENINGIsolate engineering networks from production OT networks using air-gapping or strict firewall rules that block unexpected outbound connections from engineering workstations

HARDENINGMonitor engineering workstations for unauthorized modifications to automation project files using file integrity monitoring or baseline comparison tools

CVEs (1)

CVE-2015-1594

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0aa8e948-5ba0-424e-8170-d12400a49543

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.