OTPulse

Siemens TIA Portal (Update F)

Priority: Plan Patch
Severity score: 7.8
ICS-CERT: ICSA-20-014-05
Published: Jan 16, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A local privilege escalation vulnerability in Siemens TIA Portal versions 14, 15 (before Update 7), 16 (before Update 6), and 17 (before Update 4) allows a user with local access to execute arbitrary code with SYSTEM privileges. The vulnerability exists in the TraceEngine component located in C:\ProgramData\Siemens\Automation. An attacker with local user-level access could exploit improper file permission handling to write malicious code that executes with system-level privileges. TIA Portal v14 has no vendor fix available. Partial mitigations exist for some earlier versions, but full fixes require updating to the specified patched versions.

What this means
What could happen
A local attacker with user-level access to an engineering workstation running TIA Portal could execute arbitrary code with SYSTEM privileges, potentially allowing them to modify control logic, plant configurations, or other safety-critical data on the workstation.
Who's at risk
Engineering and automation teams using TIA Portal on workstations for PLC and process automation programming. Siemens automation engineers designing or maintaining control logic for industrial processes depend on TIA Portal. TIA Portal is typically used on isolated engineering workstations that have access to your automation network and control system PLCs.
How it could be exploited
An attacker with local access to a TIA Portal workstation exploits a path traversal or privilege escalation flaw in the TraceEngine component to write malicious code to files in the TraceEngine folder. When TIA Portal or Windows processes those files with SYSTEM privileges, the attacker's code executes with full system access.
Prerequisites
  • Local access to the engineering workstation running TIA Portal
  • User-level (non-administrative) account on the workstation
  • Write access to files or folders below the TraceEngine folder (default: C:\ProgramData\Siemens\Automation)
  • Affected version of TIA Portal installed (v14, v15 before Update 7, v16 before Update 6, or v17 before Update 4)

  • Local access required (not remotely exploitable)
  • Low authentication complexity (user-level account sufficient)
  • Affects engineering development environment
  • TIA Portal v14 has no patch available

Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
3 with fix, 1 EOL

Product                    Affected versions     Fix status
TIA Portal v15: All        < 15.1 Update 7       15.1 Update 7
TIA Portal v17: All        < 17 Update 4         17 Update 4
TIA Portal v16: All        < 16 Update 6         16 Update 6
TIA Portal v14: All        All versions          No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Remove write permissions for all non-administrative users on files and folders located below the TraceEngine folder (typically C:\ProgramData\Siemens\Automation)
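A PowerShell script, added here as an example and not Siemens' or OTPulse's own code, that audits the TraceEngine tree for write-class rights held by non-administrative principals and, with -Remove, strips only those rights while keeping read and execute access. The default path, the principal list and the rights mask are assumptions to adapt to your installation.

```powershell
# Added example, not Siemens' or OTPulse's code. Audits the TraceEngine tree
# for write-class rights held by non-administrative principals; with -Remove
# it strips only those rights, leaving read/execute in place. Run elevated.
param(
    [string]$Root = 'C:\ProgramData\Siemens\Automation',   # advisory default; assumption
    [switch]$Remove
)

# Principals treated as non-administrative. CREATOR OWNER matters because a
# user who created a file under ProgramData normally keeps full control of it.
$NonAdmin = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
              'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER')

# Rights that allow creating, altering or re-permissioning content the
# SYSTEM-level component may later load. No read/execute bits are included.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

if ($Remove) {
    # Inherited ACEs cannot be edited on the child: stop inheritance at the root
    # (copying current entries) so they become explicit and can be trimmed.
    $rootAcl = Get-Acl -LiteralPath $Root
    $rootAcl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Root -AclObject $rootAcl
}
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $dirty = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($NonAdmin -notcontains $ace.IdentityReference.Value) { continue }
        $granted = $ace.FileSystemRights -band $WriteMask
        if ($granted -eq 0) { continue }
        # Report every offending entry, whether or not it is being removed.
        [pscustomobject]@{ Path = $item.FullName; Principal = $ace.IdentityReference.Value;
                           WriteRights = [string]$granted; Inherited = $ace.IsInherited }
        if ($Remove -and -not $ace.IsInherited) {
            # Subtract only the write-class bits from this identity's grant.
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $ace.IdentityReference, $granted, $ace.InheritanceFlags,
                $ace.PropagationFlags, 'Allow')
            [void]$acl.RemoveAccessRule($rule)
            $dirty = $true
        }
    }
    if ($dirty) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it once without -Remove and review the report before applying changes. Entries expressed as generic rights (shown as large numeric values rather than named flags) are not matched by the mask and need manual review.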
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update TIA Portal v15 to version 15.1 Update 7 or later
HOTFIX: Update TIA Portal v16 to version 16 Update 6 or later
HOTFIX: Update TIA Portal v17 to version 17 Update 4 or later
Mitigations - no patch available
TIA Portal v14 (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict physical and network access to engineering workstations running TIA Portal to authorized personnel only
HARDENING: Ensure workstations are configured with strong local access controls and account policies