Siemens SIMATIC, SINAMICS (Update C)
Plan Patch · 7.8 · ICS-CERT ICSA-20-161-05 · Jun 9, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in Siemens SIMATIC and SINAMICS products allow manipulation of project files to achieve remote code execution or denial of service. Affected products include SIMATIC PCS 7, SIMATIC PDM, SIMATIC STEP 7, and SINAMICS STARTER. The vulnerabilities exist in the software's handling of project file compilation and validation (CWE-427: Uncontrolled Search Path Element; CWE-122: Heap-based Buffer Overflow). Exploitation requires access to an engineering workstation and the ability to modify project files before they are compiled and deployed to controllers.
What this means
What could happen
An attacker who gains access to a Siemens engineering workstation could modify project files to inject malicious code, resulting in remote code execution on PLCs or SCADA systems, potentially causing unintended process changes or system shutdown.
Who's at risk
Siemens SIMATIC and SINAMICS engineering software users, particularly water and electric utilities that rely on SIMATIC PCS 7 systems for SCADA operations, and any facility using SIMATIC STEP 7 for PLC programming. The vulnerabilities affect engineering workstations rather than field devices directly, but a compromised workstation undermines the safety and control integrity of the PLCs and drives it programs.
How it could be exploited
An attacker must first obtain access to an engineering workstation running vulnerable SIMATIC software (via social engineering, malware, or physical access). The attacker then modifies a project file stored locally or modifies files during transfer from a trusted source. When the engineering operator loads or compiles the manipulated project, the malicious code executes on the connected PLC or drive system.
Prerequisites
- Local or network access to engineering workstation running vulnerable SIMATIC software
- Ability to modify project files before they are compiled and loaded onto controllers
- Engineering workstation must be connected to or have communication path to target PLC/SCADA system
- Low complexity attack
- Requires local or workstation access
- High impact on control systems if successful
- Low patch adoption rate expected for legacy v8.2 (no fix available)
- Supply chain risk: files can be modified in transit
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
4 with fix · 1 EOL
Product                                          | Affected Versions | Fix Status
SIMATIC PCS 7 V9.0                               | < V9.0 SP3        | 9.0 SP3
SIMATIC PDM                                      | < V9.2            | 9.2
SIMATIC STEP 7 V5.X                              | < V5.6 SP2 HF3    | 5.6 SP2 HF3
SIMATIC PCS 7 V8.2 and earlier                   | All versions      | No fix (EOL)
SINAMICS STARTER (containing STEP 7 OEM version) | < V5.4 HF2        | 5.4 HF2
Remediation & Mitigation
Do now
- WORKAROUND: Restrict file system access on engineering workstations to trusted users only
- WORKAROUND: Only accept project files from known trusted sources; verify files before loading into engineering software
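One way to carry out the "verify files before loading" workaround, as an added example that is not Siemens tooling and not part of this advisory: a SHA-256 manifest is produced where the project is released, bound with an HMAC under a key that is kept off the workstation, and checked against the project tree before the operator opens or compiles it, so a file altered or inserted in transit is reported instead of loaded. The file names, key and file contents below are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

def build_manifest(project_dir: Path) -> dict:
    """Map relative path -> SHA-256 for every file in the project tree."""
    return {str(p.relative_to(project_dir)).replace(os.sep, "/"): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(project_dir.rglob("*")) if p.is_file()}

def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical manifest text, so the manifest cannot be swapped along with the files."""
    body = "\n".join(f"{k} {v}" for k, v in sorted(manifest.items()))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_project(project_dir: Path, manifest: dict, mac: str, key: bytes):
    """Return (ok, findings); findings lists files modified, added or removed since release."""
    if not hmac.compare_digest(sign_manifest(manifest, key), mac):
        return False, ["manifest signature mismatch"]
    current = build_manifest(project_dir)
    findings = []
    for rel in sorted(set(manifest) | set(current)):
        if rel not in current:
            findings.append(f"removed: {rel}")
        elif rel not in manifest:
            findings.append(f"added: {rel}")
        elif manifest[rel] != current[rel]:
            findings.append(f"modified: {rel}")
    return not findings, findings

def demo() -> list:
    """Constructed run: release a project, alter it 'in transit', then check it before loading."""
    key = b"constructed-demo-key"  # hypothetical; in practice kept off the workstation image
    with tempfile.TemporaryDirectory() as d:
        proj = Path(d)
        (proj / "blocks").mkdir()
        (proj / "plc.s7p").write_bytes(b"constructed project header")
        (proj / "blocks" / "ob1.awl").write_bytes(b"constructed block source")
        manifest = build_manifest(proj)
        mac = sign_manifest(manifest, key)  # produced at the trusted source, shipped with the project
        assert verify_project(proj, manifest, mac, key)[0]  # untouched copy passes
        (proj / "blocks" / "ob1.awl").write_bytes(b"altered block source")  # modified in transit
        (proj / "blocks" / "extra.awl").write_bytes(b"unexpected file")  # added in transit
        return verify_project(proj, manifest, mac, key)[1]
```

A failed check should block the load and be logged from the workstation, since the advisory's attack path runs through exactly this step.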
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC STEP 7 V5.X
- HOTFIX: Update SIMATIC STEP 7 v5.X to v5.6 SP2 HF3 or later
SINAMICS STARTER (containing STEP 7 OEM version)
- HOTFIX: Update SINAMICS STARTER (containing STEP 7 OEM version) to v5.4 HF2 or later
SIMATIC PCS 7 V9.0
- HOTFIX: Update SIMATIC PCS 7 v9.0 to v9.0 SP3 or later (contact Siemens support for software distribution)
SIMATIC PDM
- HOTFIX: Update SIMATIC PDM to v9.2 or later
Mitigations - no patch available
SIMATIC PCS 7 V8.2 and earlier has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate engineering workstations from general IT networks
CVEs (2)