OTPulse

ICSA-19-192-02 Siemens SIMATIC WinCC and PCS7 (Update C)

Plan Patch · 7.2 · ICS-CERT ICSA-19-192-02 · Jul 9, 2019
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

SIMATIC WinCC and PCS 7 contain an improper file upload validation vulnerability (CWE-434) that allows an attacker with engineering credentials to upload and execute malicious files on the HMI runtime or process control engineering environment. The vulnerability is present across multiple product lines and versions. Siemens has released patches for newer versions (WinCC v7.3 Upd 19, v7.4 SP1 Upd 11, v7.5 Upd 3, and corresponding PCS 7 variants), but older versions (WinCC v7.2 and earlier, PCS 7 v8.0 and earlier, and TIA Portal v13) will not receive fixes.

What this means
What could happen
An attacker with engineering credentials could upload malicious files to WinCC or PCS 7 runtime environments, potentially executing code that alters process control logic, changes operator interface displays, or disrupts plant operations.
Who's at risk
Operators and engineers at water utilities, power plants, and other critical infrastructure using Siemens SIMATIC WinCC (all versions 7.2–7.5) and SIMATIC PCS 7 (versions 8.0–9.0) for supervisory control and human–machine interfaces. This affects both standalone WinCC installations and WinCC components embedded in PCS 7 process control systems.
How it could be exploited
An attacker with valid engineering workstation credentials uploads a crafted file through the WinCC/PCS 7 engineering interface or runtime console, where file type validation is improper. The file is accepted and executed by the supervisory control system, allowing code execution in the context of the runtime environment.
Prerequisites
  • Valid engineering workstation credentials (administrator or engineering user account)
  • Network access to the WinCC or PCS 7 engineering interface or runtime management console
  • Knowledge of the target product version and file upload mechanisms
  • Requires valid engineering credentials (reduces but does not eliminate risk in environments with poor credential hygiene)
  • No patch available for several versions (v8.0 and earlier PCS 7, v7.2 and earlier WinCC, v13 TIA Portal)
  • Affects HMI and process control systems critical to plant availability
  • File upload validation weakness could be exploited post-compromise if engineering accounts are compromised
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (14)
10 with fix · 4 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS 7 V9.0 | <V9.0 SP2 with WinCC V7.4 SP1 Upd 11 | V9.0 SP2 with WinCC V7.4 SP1 Upd 11
SIMATIC WinCC V7.4 | <V7.4 SP1 Upd 11 | V7.4 SP1 Upd 11
SIMATIC PCS 7 V8.0 and earlier | All versions | No fix (EOL)
SIMATIC PCS 7 V8.1 | <V8.1 with WinCC V7.3 Upd 19 | V8.1 with WinCC V7.3 Upd 19
SIMATIC PCS 7 V8.2 | <V8.2 SP1 with WinCC V7.4 SP1 Upd 11 | V8.2 SP1 with WinCC V7.4 SP1 Upd 11
SIMATIC WinCC Professional (TIA Portal V13) | All versions | No fix (EOL)
SIMATIC WinCC Professional (TIA Portal V14) | <V14 SP1 Upd 9 | V14 SP1 Upd 9
SIMATIC WinCC Professional (TIA Portal V15) | <V15.1 Upd 3 | V15.1 Upd 3
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to WinCC and PCS 7 engineering interfaces and runtime consoles using firewall rules; allow only trusted engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC V7.3
HOTFIX: Update SIMATIC WinCC v7.3 to version 7.3 Upd 19 or later
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC v7.4 to version 7.4 SP1 Upd 11 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC v7.5 to version 7.5 Upd 3 or later
SIMATIC PCS 7 V8.1
HOTFIX: Update SIMATIC PCS 7 v8.1 WinCC component to version 7.3 Upd 19 or later
SIMATIC PCS 7 V8.2
HOTFIX: Update SIMATIC PCS 7 v8.2 WinCC component to version 7.4 SP1 Upd 11 or later
SIMATIC PCS 7 V9.0
HOTFIX: Update SIMATIC PCS 7 v9.0 WinCC component to version 7.4 SP1 Upd 11 or later
SIMATIC WinCC Professional (TIA Portal V14)
HOTFIX: Update SIMATIC WinCC Runtime Professional (TIA Portal v14) to version 14 SP1 Upd 9 or later
SIMATIC WinCC Professional (TIA Portal V15)
HOTFIX: Update SIMATIC WinCC Runtime Professional (TIA Portal v15) to version 15.1 Upd 3 or later
SIMATIC WinCC Runtime Professional V14
HOTFIX: Update SIMATIC WinCC Runtime Professional v14 to version 14.1 Upd 8 or later
SIMATIC WinCC Runtime Professional V15
HOTFIX: Update SIMATIC WinCC Runtime Professional v15 to version 15.1 Upd 3 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC PCS 7 V8.0 and earlier, SIMATIC WinCC Professional (TIA Portal V13), SIMATIC WinCC Runtime Professional V13, SIMATIC WinCC V7.2 and earlier. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate control system networks from the business network and the Internet
HARDENING: Use defense-in-depth strategy: apply Siemens operational guidelines for industrial security and follow product security manuals