Siemens TIA Portal (Update F)

CVSS 7.8
ICS-CERT ICSA-20-014-05
Jan 14, 2020
Siemens
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A local privilege escalation vulnerability in Siemens TIA Portal versions 14, 15 (before Update 7), 16 (before Update 6), and 17 (before Update 4) allows a user with local access to execute arbitrary code with SYSTEM privileges. The vulnerability is in the TraceEngine component located under C:\ProgramData\Siemens\Automation. An attacker with local user-level access could exploit improper file permission handling on that folder to write malicious code that then executes with system-level privileges. TIA Portal v14 has no vendor fix available. Partial mitigations exist for some earlier versions, but full fixes require updating to the specified patched versions.

What this means
What could happen
A local attacker with user-level access to an engineering workstation running TIA Portal could execute arbitrary code with SYSTEM privileges, potentially allowing them to modify control logic, plant configurations, or other safety-critical data on the workstation.
Who's at risk
Engineering and automation teams that use TIA Portal on workstations for PLC and process automation programming. Siemens automation engineers designing or maintaining control logic for industrial processes depend on TIA Portal, which is typically run on isolated engineering workstations with access to your automation network and control system PLCs.
How it could be exploited
An attacker with local access to a TIA Portal workstation exploits a path traversal or privilege escalation flaw in the TraceEngine component to write malicious code to files in the TraceEngine folder. When TIA Portal or Windows processes those files with SYSTEM privileges, the attacker's code executes with full system access.
Prerequisites
  • Local access to the engineering workstation running TIA Portal
  • User-level (non-administrative) account on the workstation
  • Write access to files or folders below the TraceEngine folder (default: C:\ProgramData\Siemens\Automation)
  • Affected version of TIA Portal installed (v14, v15 before Update 7, v16 before Update 6, or v17 before Update 4)
Local access required (not remotely exploitable)
Low authentication complexity (user-level account sufficient)
Affects engineering development environment
TIA Portal v14 has no patch available
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (8)
6 with fix, 2 EOL
Product                      | Affected Versions | Fix Status
TIA Portal V15               | < V15.1 Update 7  | 15.1 Update 7
TIA Portal V16               | < V16 Update 6    | 16 Update 6
TIA Portal V17               | < V17 Update 4    | 17 Update 4
TIA Portal V14               | All versions      | No fix (EOL)
TIA Portal v15: All          | < 15.1 Update 7   | 15.1 Update 7
TIA Portal v17: All          | < 17 Update 4     | 17 Update 4
TIA Portal v16: All          | < 16 Update 6     | 16 Update 6
TIA Portal v14: All versions | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Remove write permissions for all non-administrative users on files and folders located below the TraceEngine folder (typically C:\ProgramData\Siemens\Automation)
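The workaround above is an ACL change, and the advisory does not say which entries currently grant write access or which accounts legitimately need it. The following PowerShell script is an added example (not part of this advisory and not Siemens tooling) that audits the TraceEngine tree for Allow entries granting write-class rights to anyone outside a trusted set and, with -Remediate, swaps each such entry for a read-and-execute entry for the same principal so TIA Portal can still read the files. The default path is the one the advisory gives; the trusted set is an assumption built from well-known SIDs (SYSTEM, Administrators, TrustedInstaller) and must be extended with any service account on your workstation that writes there.

```powershell
<#
Added example; not part of the advisory and not Siemens tooling.
Audits the TraceEngine folder tree for Allow ACEs that grant write-class rights to
principals outside a trusted set. With -Remediate each such ACE is replaced by a
ReadAndExecute entry for the same principal. Run from an elevated session; run in
report mode first and confirm TIA Portal still works after remediation.
#>
param(
    [string]$Root = 'C:\ProgramData\Siemens\Automation',   # default path from the advisory
    [switch]$Remediate                                     # report only unless given
)

# Assumption: these principals are allowed to keep write access. Extend as needed.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow creating, altering or deleting content, or changing the ACL itself.
# The two generic bits (GENERIC_WRITE, GENERIC_ALL) appear on some inherited entries.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Test-WriteAce {
    # True when the ACE is an Allow entry for an untrusted principal with any write-class bit set.
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    try {
        $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $Ace.IdentityReference.Value   # orphaned account: cannot be trusted, keep checking rights
    }
    if ($trustedSids -contains $sid) { return $false }
    return (([int]$Ace.FileSystemRights -band $writeMask) -ne 0)
}

function Repair-ItemAcl {
    # Replaces offending ACEs on one file or folder; returns how many were replaced.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $bad = @($acl.Access | Where-Object { Test-WriteAce $_ })
    if ($bad.Count -eq 0) { return 0 }
    if ($bad | Where-Object { $_.IsInherited }) {
        # Inherited entries cannot be edited in place: stop inheriting, keep copies of the
        # inherited entries as explicit ones, write that back and re-read the editable ACL.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl = Get-Acl -LiteralPath $Path
        $bad = @($acl.Access | Where-Object { Test-WriteAce $_ })
    }
    foreach ($ace in $bad) {
        [void]$acl.RemoveAccessRuleSpecific($ace)
        # Same principal and inheritance scope, read-only rights.
        $readOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $ace.IdentityReference, 'ReadAndExecute', $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.AddAccessRule($readOnly)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $bad.Count
}

# Root first, then children: once the root is fixed, entries children inherit from it are fixed too,
# and each child's ACL is re-read at the time it is processed.
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$report = foreach ($item in $items) {
    if ($Remediate) {
        $n = Repair-ItemAcl -Path $item.FullName
        if ($n -gt 0) { [pscustomobject]@{ Path = $item.FullName; AcesReplaced = $n } }
    } else {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if (Test-WriteAce $ace) {
                [pscustomobject]@{ Path = $item.FullName; Principal = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}
$report | Format-Table -AutoSize
if (-not $Remediate -and $report) { Write-Warning 'Re-run with -Remediate to replace these entries.' }
```

The script replaces an offending entry rather than deleting it outright because a Modify or FullControl entry for BUILTIN\Users also carries the read rights TIA Portal needs; deleting it would break reads, while downgrading it to ReadAndExecute satisfies the advisory's workaround. Inheritance is only broken on objects that actually carry an inherited offending entry, and the inherited entries are copied before the edit so nothing else in the ACL changes.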
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

TIA Portal V15
HOTFIX: Update TIA Portal v15 to version 15.1 Update 7 or later
TIA Portal V16
HOTFIX: Update TIA Portal v16 to version 16 Update 6 or later
TIA Portal V17
HOTFIX: Update TIA Portal v17 to version 17 Update 4 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: TIA Portal V14, TIA Portal v14: All versions. Apply the following compensating controls:
HARDENING: Restrict physical and network access to engineering workstations running TIA Portal to authorized personnel only
HARDENING: Ensure workstations are configured with strong local access controls and account policies