Siemens SIMATIC WinCC and SIMATIC PCS 7 ActiveX Vulnerability
Monitor | 4.2 | ICS-CERT ICSA-16-348-04 | Sep 16, 2016
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
A buffer overflow vulnerability exists in ActiveX controls used by SIMATIC WinCC (versions before 7.2) and SIMATIC PCS 7 (versions before 8.0_SP1). An attacker can trigger the overflow by crafting a malicious file or object that, when opened by a user in the affected application, could leak information from memory or cause the application to crash. The vulnerability requires user interaction and does not allow direct remote code execution without additional steps.
What this means
What could happen
An attacker who obtains user interaction can trigger a buffer overflow in the ActiveX controls of WinCC or PCS 7, potentially leading to information disclosure or denial of service on the engineering workstations that manage process control systems.
Who's at risk
Engineering and control room staff who use Siemens SIMATIC WinCC or SIMATIC PCS 7 for process monitoring and configuration are affected. These applications are typically used in water/wastewater treatment, power generation, and manufacturing plants to manage and visualize industrial processes.
How it could be exploited
An attacker delivers a specially crafted file or object to a user and tricks them into opening it in WinCC or PCS 7 (requires user interaction). The malicious input triggers a buffer overflow in the vulnerable ActiveX control, which could leak memory contents or crash the application.
Prerequisites
- User must be running a vulnerable version of WinCC (before 7.2) or PCS 7 (before 8.0_SP1)
- User interaction required: victim must open a malicious file or object in the affected application
- Attacker must deliver the crafted payload to the user (email, web, removable media)
- Remotely exploitable via email or web delivery
- User interaction required (reduces immediate risk)
- No patch available (end-of-life products)
- Affects engineering workstations (indirect but important impact on operations)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
SIMATIC WinCC: <7.2 | <7.2 | No fix (EOL)
SIMATIC PCS 7: <8.0_SP1 | <8.0 SP1 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Block or disable ActiveX controls in browsers and email clients on WinCC/PCS 7 workstations if not operationally required
- WORKAROUND: Educate users not to open files from untrusted sources on engineering workstations
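A read-only audit for the first workaround, added here as an example and not part of the original advisory: it reports which ActiveX-related URL actions in an Internet Explorer security zone are not set to Disabled. It assumes the workstation's browser and email client honor the Internet Explorer zone settings in the registry; the function name Get-ActiveXZoneAudit is hypothetical.

```powershell
# Added example: read-only audit of ActiveX URL actions for one IE security zone.
# Assumption: the first value found (machine policy, user policy, user preference)
# is treated as the setting in force; nothing is written to the registry.
$Zone = 3   # 3 = Internet zone, 4 = Restricted sites

$Actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$Suffix = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
$Paths = @(
    "HKLM:\SOFTWARE\Policies\$Suffix",
    "HKCU:\Software\Policies\$Suffix",
    "HKCU:\Software\$Suffix"
)
$StateNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveXZoneAudit {
    foreach ($id in $Actions.Keys) {
        $value = $null
        $source = 'not configured'
        foreach ($path in $Paths) {
            $item = Get-ItemProperty -Path $path -Name $id -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $value = [int]$item.$id
                $source = $path
                break
            }
        }
        if ($null -eq $value) { $state = 'Not set' }
        elseif ($StateNames.ContainsKey($value)) { $state = $StateNames[$value] }
        else { $state = 'Other (0x{0:X})' -f $value }

        [pscustomobject]@{
            Id       = $id
            Action   = $Actions[$id]
            State    = $state
            Disabled = ($value -eq 3)
            Source   = $source
        }
    }
}

# List every ActiveX action that is not explicitly disabled in the chosen zone.
Get-ActiveXZoneAudit | Where-Object { -not $_.Disabled } | Format-Table -AutoSize
```

Any rows returned are settings to review against what the workstation operationally requires before disabling them.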
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC WinCC: <7.2, SIMATIC PCS 7: <8.0_SP1. Apply the following compensating controls:
- HARDENING: Segment engineering workstations running WinCC or PCS 7 from general IT networks and untrusted sources
- HARDENING: Monitor for any available security updates from Siemens; no fix is currently planned, so implement compensating controls
CVEs (1)
API:
/api/v1/advisories/0eeac42f-b233-4d2c-b2d0-1491db023603