OTPulse

ICSA-18-018-01A Siemens SIMATIC WinCC Add-On (Update A)

Act Now · CVSS 9.8 · ICS-CERT ICSA-18-018-01A · Jan 18, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple SIMATIC WinCC Add-On modules are vulnerable to a buffer overflow in the License Manager component they ship with. The affected modules include Historian CONNECT ALARM, the PI CONNECT series, the PM series (PM-AGENT, PM-ANALYZE, PM-CONTROL, PM-MAINT, PM-QUALITY and the PM-OPEN variants), and the SICEMENT and SIPAPER IT MIS modules. An unauthenticated remote attacker can send a malformed packet to the License Manager service to trigger the overflow and execute arbitrary code with the privileges of that service. The License Manager service typically listens on port 4410. All releases of the listed modules up to and including the version numbers in the product table are affected. Because the add-ons are software, not firmware, there is no firmware patch; Siemens has not released fixed versions of the add-ons themselves (all are end of life) and instead recommends updating the underlying License Manager software.

What this means
What could happen
A buffer overflow in the SIMATIC WinCC Add-On License Manager lets a remote attacker execute arbitrary code on the WinCC server without authenticating. Since the WinCC server is a supervisory node, compromise of the server can extend to the plant control systems and operations it supervises.
Who's at risk
Any organization operating Siemens SIMATIC WinCC systems with one of the listed Add-On modules (Historian, PI CONNECT, PM-series, and the IT MIS modules), including transportation authorities. The exposed hosts are the supervisory control stations that run these monitoring, data-collection and licensing add-ons, because the License Manager runs on the same machine.
How it could be exploited
An attacker with network reach to the WinCC server sends a specially crafted packet to the License Manager service (port 4410 by default). The packet triggers a buffer overflow in the service's memory handling, allowing the attacker to execute arbitrary code with the privileges of the License Manager process. No credentials and no user interaction are required.
Prerequisites
  • Network access to WinCC License Manager service (typically port 4410)
  • No authentication required
  • Affected WinCC Add-on versions must be installed and active
Tags: remotely exploitable · no authentication required · low complexity · high CVSS (9.8) · buffer overflow / memory corruption · no patch available for most products
Exploitability
Moderate exploit probability (EPSS 8.3%)
Affected products (16, all EOL)
Product | Affected Versions | Fix Status
SIMATIC WinCC Add-On Historian CONNECT ALARM | ≤ V5.x | No fix (EOL)
SIMATIC WinCC Add-On PI CONNECT ALARM | ≤ V2.x | No fix (EOL)
SIMATIC WinCC Add-On PM-AGENT | ≤ V5.x | No fix (EOL)
SIMATIC WinCC Add-On PM-ANALYZE | ≤ V7.x | No fix (EOL)
SIMATIC WinCC Add-On PM-CONTROL | ≤ V10.x | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Update the License Manager software to the patched version from the Gemalto support portal. This is the only actual fix; the add-ons themselves will not be reissued.
WORKAROUND: If the License Manager patch is unavailable or cannot be deployed, restrict network access to the WinCC License Manager service (port 4410) to trusted engineering networks only, using firewall rules on the network boundary and on the host. Confirm the port the service actually binds on each server before writing the rules.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC WinCC Add-On Historian CONNECT ALARM, SIMATIC WinCC Add-On PI CONNECT ALARM, SIMATIC WinCC Add-On PM-AGENT, SIMATIC WinCC Add-On PM-ANALYZE, SIMATIC WinCC Add-On PM-CONTROL, SIMATIC WinCC Add-On PM-MAINT, SIMATIC WinCC Add-On PM-OPEN EXPORT, SIMATIC WinCC Add-On PM-OPEN IMPORT, SIMATIC WinCC Add-On PM-OPEN PI, SIMATIC WinCC Add-On PM-OPEN PV02, SIMATIC WinCC Add-On PM-OPEN TCP/IP, SIMATIC WinCC Add-On PM-QUALITY, SIMATIC WinCC Add-On SICEMENT IT MIS, SIMATIC WinCC Add-On PI CONNECT AUDIT TRAIL, SIMATIC WinCC Add-On PM-OPEN HOST-S, SIMATIC WinCC Add-On SIPAPER IT MIS. Apply the following compensating controls:
HARDENING: Place WinCC servers on a segmented network separate from the production control network, so that a compromised server cannot reach controllers directly and the License Manager port is never reachable from outside the engineering zone.
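The following is an added example of how the Prerequisites check, the WORKAROUND and the HARDENING step above can be carried out on a single WinCC server; it is not part of the advisory and not Siemens' or Gemalto's own guidance. It assumes a Windows WinCC server administered from an elevated PowerShell session with the NetSecurity module (Windows Server 2012 or later), uses the port value this page lists, and treats the trusted engineering subnet (10.10.20.0/24) and the product-name patterns as placeholders to replace with your own.

```powershell
# Added example, not from the advisory or from Siemens/Gemalto.
# 1) inventory the affected add-ons, 2) confirm which process owns the
# License Manager port, 3) scope host-firewall access to that port.
# Run in an elevated PowerShell on the WinCC server.

$Port = 4410                              # License Manager port as listed on this page; confirmed in step 2
$TrustedEngineeringNet = '10.10.20.0/24'  # ASSUMPTION: your engineering VLAN; replace before use

# --- 1. Inventory: which of the affected add-ons are installed, and at what version?
# The name patterns are assumptions; adjust them to how the packages appear on your hosts.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$addOns = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'WinCC Add-On|PM-|Historian CONNECT|PI CONNECT|SICEMENT|SIPAPER' } |
    Select-Object DisplayName, DisplayVersion, Publisher
$addOns | Format-Table -AutoSize

# --- 2. Confirm the listener before writing rules: the port and protocol must
#        match what the License Manager actually binds on this host.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    "TCP {0}:{1} owned by {2} (PID {3})" -f $l.LocalAddress, $l.LocalPort, $proc.ProcessName, $l.OwningProcess
}
if (-not $listeners) {
    Write-Warning "Nothing is listening on TCP $Port; check the License Manager's configured port before proceeding."
}
# If Get-NetUDPEndpoint -LocalPort $Port also shows a binding, repeat step 3 with -Protocol UDP.

# --- 3. Restrict access.
# Windows Firewall evaluates explicit Block rules before Allow rules, so a
# catch-all Block on the port would also defeat a scoped Allow. Instead:
# make the profile default inbound action Block, disable any existing broad
# inbound Allow rules on the port, then add one Allow scoped to the trusted subnet.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

New-NetFirewallRule -DisplayName "WinCC License Manager - engineering net only" `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $TrustedEngineeringNet -Action Allow -Profile Any

# Verify the resulting rule set for the port
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule | Select-Object DisplayName, Enabled, Direction, Action
```

The host rule is a second layer, not a substitute for the boundary firewall between the engineering zone and the production control network that the HARDENING item calls for; keep both, and re-run step 2 after any License Manager update, since an updated service may bind a different port.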