OTPulse

ICSA-18-226-01 Siemens SIMATIC STEP 7 and SIMATIC WinCC (Update A)

Plan PatchCVSS 8.6ICS-CERT ICSA-18-226-01Aug 7, 2018
Siemens
Attack path
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) contain an improper permissions vulnerability in GSD (GSDML) file handling. An attacker with local access can craft a malicious GSD file that, when processed by the application, allows arbitrary code execution on the engineering workstation. Affected versions: STEP 7 and WinCC v10, v11, v12, v13 (all versions up to SP2 Update 2), v14 (up to SP1 Update 6), and v15 (up to Update 2). The vulnerability requires local access and user interaction but can compromise the engineering workstation, which is a critical entry point to plant networks.

What this means
What could happen
An attacker with local access to an engineering workstation running SIMATIC STEP 7 or WinCC can execute arbitrary code by crafting a malicious GSD (GSDML) file, potentially compromising the workstation and any connected industrial control systems.
Who's at risk
Engineering teams and automation integrators using SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) for configuring and monitoring Siemens PLCs and SCADA systems. This affects workstations used to develop, deploy, and maintain control logic for water treatment plants, electrical substations, manufacturing facilities, and other industrial processes.
How it could be exploited
An attacker crafts a malicious GSD file and either tricks a user into opening it or places it in a directory where the application automatically processes it. When the STEP 7 or WinCC application loads or validates the GSD file, the vulnerability is triggered, allowing arbitrary code execution on the engineering workstation with the privileges of the logged-in user.
Prerequisites
  • Local access to the engineering workstation running STEP 7 or WinCC
  • User interaction required (opening a malicious GSD file or application auto-processing a malicious GSD)
  • Write access to a directory where GSD files are stored or processed
Local attack vector onlyUser interaction requiredAffects engineering workstations (attack entry point for plant networks)Impacts software used across many critical infrastructure sectors
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
4 with fix
ProductAffected VersionsFix Status
SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12All versionsv13 SP2 Update 2 (upgrade required)
SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13<V13 SP2 Update 2v13 SP2 Update 2
SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14<V14 SP1 Update 6v14 SP1 Update 6
SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V15<V15 Update 2v15 Update 2
Remediation & Mitigation
0/7
Do now
0/2
HARDENINGRestrict operating system access to STEP 7 and WinCC workstations to authorized engineering personnel only
WORKAROUNDOnly process and import GSD files from trusted vendors and established sources; verify file legitimacy before opening
Schedule — requires maintenance window
0/4

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12
HOTFIXUpgrade SIMATIC STEP 7 and WinCC (TIA Portal) v10, v11, or v12 to v13 SP2 Update 2
HOTFIXUpdate SIMATIC STEP 7 and WinCC (TIA Portal) v13 to v13 SP2 Update 2
HOTFIXUpdate SIMATIC STEP 7 and WinCC (TIA Portal) v14 to v14 SP1 Update 6
HOTFIXUpdate SIMATIC STEP 7 and WinCC (TIA Portal) v15 to v15 Update 2
Long-term hardening
0/1
HARDENINGImplement network controls to restrict access to engineering workstations running STEP 7 and WinCC from untrusted networks
View full CISA ICS-CERT advisory
API: /api/v1/advisories/854fe2f8-902d-4f2f-8c2f-f4b06b2d1aa6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.