OTPulse

ICSA-17-045-03 Siemens SIMATIC Authentication Bypass (Update D)

Priority: Act Now · CVSS: 9 · Source: ICS-CERT ICSA-17-045-03 · Published: Feb 13, 2017
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

An authentication bypass vulnerability exists in Siemens SIMATIC Logon and related HMI/automation products. The flaw allows an attacker on the network to bypass user authentication mechanisms and gain unauthorized access to SIMATIC engineering interfaces and HMI systems without valid credentials. Affected products include SIMATIC Logon, WinCC (both standard and Runtime Professional), PCS 7, PDM, and SIMATIC IT Production Suite. The vulnerability is a CWE-592 issue (authentication bypass). An attacker exploiting this could access process control logic, modify setpoints, change recipes, or disrupt production operations. Siemens has released patches for all affected product lines. Note that SIMATIC Logon updates can be installed independently of other component updates in many cases.

What this means
What could happen
An attacker who can reach a SIMATIC system over the network can bypass user authentication and gain access to HMI and engineering interfaces without valid credentials, allowing them to modify process configurations, operator setpoints, or halt production systems.
Who's at risk
Manufacturing facilities, chemical plants, and utilities that use Siemens SIMATIC automation systems for process control. Specifically affects operators and engineers who rely on SIMATIC Logon, WinCC HMI interfaces, WinCC Runtime Professional, PCS 7 process control systems, PDM device management, and IT Production Suite MES platforms. Any site running older versions of these products is at risk of unauthorized access to critical process systems.
How it could be exploited
An attacker on the network sends a crafted request to a SIMATIC Logon service or WinCC HMI interface that exploits an authentication bypass flaw. The vulnerable component fails to properly validate user credentials, allowing the attacker to access the system as if logged in. From there, they can interact with PLCs, modify setpoints, or download/upload process logic.
Prerequisites
  • Network access to the SIMATIC Logon service or WinCC HMI interface (typically TCP ports for engineering/HMI access)
  • The affected Siemens SIMATIC product version deployed in the environment
  • No user credentials required to trigger the bypass
  • Remotely exploitable over network
  • No authentication required to bypass
  • Low complexity attack
  • Affects engineering/HMI access to production control
  • High CVSS score (9.0)
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (6)
6 with fix
Product                              Affected Versions       Fix Status
SIMATIC Logon                        <V1.5 SP3 Update 2      V1.5_SP3_Update_2
SIMATIC WinCC                        <V7.4 SP1               V7.4_SP1
SIMATIC WinCC Runtime Professional   <V14 SP1                V7.4_SP1
SIMATIC PCS 7                        <V8.2 SP1               V8.2_SP1
SIMATIC PDM                          <V9.1                   V9.1
SIMATIC IT Production Suite          <V7.1                   V7.1
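To check an asset inventory against the Affected Versions column above, here is an added Python example (not OTPulse's or Siemens' code). It parses the version spellings used in the table (V1.5 SP3 Update 2, V1.5_SP3_Update_2, V7.4 SP1, V14 SP1, V9.1) into comparable tuples and flags any entry that is strictly below the threshold. The inventory lines are constructed sample data; the ordering assumption (base version, then service pack, then update number) and the exact product-name spellings are assumptions, and the Affected Versions column, not the Fix Status column, is used as the threshold.

```python
from __future__ import annotations

import re
from typing import NamedTuple


class SiemensVersion(NamedTuple):
    """Comparable form of a Siemens version string (assumed ordering:
    base version, then service pack, then update number)."""
    major: int
    minor: int
    service_pack: int
    update: int


# Accepts the spellings used in the advisory table: "V1.5 SP3 Update 2",
# "V1.5_SP3_Update_2", "V7.4 SP1", "V14 SP1", "V9.1". The leading "V" is optional.
_VERSION_RE = re.compile(
    r"^V?(?P<major>\d+)(?:\.(?P<minor>\d+))?"
    r"(?:[ _]SP(?P<sp>\d+))?"
    r"(?:[ _]Update[ _](?P<upd>\d+))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> SiemensVersion:
    """Parse a Siemens version string; raises ValueError on unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Siemens version string: {text!r}")
    return SiemensVersion(
        int(m["major"]), int(m["minor"] or 0), int(m["sp"] or 0), int(m["upd"] or 0)
    )


# "Affected Versions" column of the advisory table: a product is affected
# when its installed version is strictly below this threshold.
AFFECTED_BELOW = {
    "SIMATIC Logon": "V1.5 SP3 Update 2",
    "SIMATIC WinCC": "V7.4 SP1",
    "SIMATIC WinCC Runtime Professional": "V14 SP1",
    "SIMATIC PCS 7": "V8.2 SP1",
    "SIMATIC PDM": "V9.1",
    "SIMATIC IT Production Suite": "V7.1",
}


def is_affected(product: str, installed: str) -> bool:
    """True if the product is in the advisory and the installed version is below the threshold."""
    threshold = AFFECTED_BELOW.get(product)
    if threshold is None:
        return False
    return parse_version(installed) < parse_version(threshold)


def triage(inventory_csv: str) -> list[dict[str, str]]:
    """Classify each 'host,product,version' inventory line.

    Status values: AFFECTED, fixed, not-in-advisory, unparseable-version.
    """
    results = []
    for line in inventory_csv.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(",", 2))
        if product not in AFFECTED_BELOW:
            status = "not-in-advisory"
        else:
            try:
                status = "AFFECTED" if is_affected(product, version) else "fixed"
            except ValueError:
                # Version string the parser does not understand: surface it for manual review.
                status = "unparseable-version"
        results.append({"host": host, "product": product, "version": version, "status": status})
    return results


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = """\
eng-ws-01,SIMATIC Logon,V1.5 SP3 Update 1
eng-ws-01,SIMATIC WinCC,V7.4 SP1
hmi-line-3,SIMATIC WinCC Runtime Professional,V14
pcs-srv-02,SIMATIC PCS 7,V8.2 SP1
pdm-srv-01,SIMATIC PDM,V9.0
mes-srv-01,SIMATIC IT Production Suite,V7.1
mes-srv-01,SIMATIC IT Production Suite,build-2017
fileserver-9,Windows Server,2012 R2
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['status']:<20} {row['host']:<14} {row['product']} {row['version']}")
```

A base version with no service pack (V14, V7.4) sorts below the same base with SP1, which is why "V14" on hmi-line-3 is reported as affected; a version string the parser does not recognise is reported rather than silently treated as fixed.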
Remediation & Mitigation
Do now
  • Workaround: Restrict network access to SIMATIC HMI and engineering interfaces using firewall rules; limit access to trusted engineering workstations and operator terminals only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC Logon
  • Hotfix: Update SIMATIC Logon to V1.5_SP3_Update_2 or later
SIMATIC WinCC
  • Hotfix: Update SIMATIC WinCC to V7.4_SP1 or later
  • Hotfix: Update SIMATIC WinCC Runtime Professional to V14_SP1 or later
SIMATIC PCS 7
  • Hotfix: Update SIMATIC PCS 7 to V8.2_SP1 or later
SIMATIC PDM
  • Hotfix: Update SIMATIC PDM to V9.1 or later
SIMATIC IT Production Suite
  • Hotfix: Update SIMATIC IT Production Suite to V7.1 or later
API: /api/v1/advisories/63758edc-3fdd-4c5d-9ab9-3e2bb761b1b1