OTPulse

Siemens SIMATIC, SINAMICS (Update C)

Plan PatchCVSS 7.8ICS-CERT ICSA-20-161-05Jun 9, 2020
Siemens
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Multiple vulnerabilities in Siemens SIMATIC and SINAMICS products allow manipulation of project files to achieve remote code execution or denial of service. Affected products include SIMATIC PCS 7, SIMATIC PDM, SIMATIC STEP 7, and SINAMICS STARTER. The vulnerabilities exist in the software's handling of project file compilation and validation (CWE-427: Uncontrolled Search Path Element; CWE-122: Heap-based Buffer Overflow). Exploitation requires access to an engineering workstation and the ability to modify project files before they are compiled and deployed to controllers.

What this means
What could happen
An attacker who gains access to a Siemens engineering workstation could modify project files to inject malicious code, resulting in remote code execution on PLCs or SCADA systems, potentially causing unintended process changes or system shutdown.
Who's at risk
Siemens SIMATIC and SINAMICS engineering software users, particularly water utilities and electric utilities that rely on SIMATIC PCS 7 systems for SCADA operations, and any facility using SIMATIC STEP 7 for PLC programming. Affects engineering workstations, not field devices directly, but impacts safety and control integrity of connected PLCs and drives.
How it could be exploited
An attacker must first obtain access to an engineering workstation running vulnerable SIMATIC software (via social engineering, malware, or physical access). The attacker then modifies a project file stored locally or modifies files during transfer from a trusted source. When the engineering operator loads or compiles the manipulated project, the malicious code executes on the connected PLC or drive system.
Prerequisites
  • Local or network access to engineering workstation running vulnerable SIMATIC software
  • Ability to modify project files before they are compiled and loaded onto controllers
  • Engineering workstation must be connected to or have communication path to target PLC/SCADA system
Low complexity attackRequires local or workstation accessHigh impact on control systems if successfulLow patch adoption rate expected for legacy v8.2 (no fix available)Supply chain risk: files can be modified in transit
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (5)
4 with fix1 EOL
ProductAffected VersionsFix Status
SIMATIC PCS 7 V9.0<V9.0 SP39.0 SP3
SIMATIC PDM<V9.29.2
SIMATIC STEP 7 V5.X<V5.6 SP2 HF35.6 SP2 HF3
SIMATIC PCS 7 V8.2 and earlierAll versionsNo fix (EOL)
SINAMICS STARTER (containing STEP 7 OEM version)<V5.4 HF25.4 HF2
Remediation & Mitigation
0/7
Do now
0/2
WORKAROUNDRestrict file system access on engineering workstations to trusted users only
WORKAROUNDOnly accept project files from known trusted sources; verify files before loading into engineering software
Schedule — requires maintenance window
0/4

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 V5.X
HOTFIXUpdate SIMATIC STEP 7 v5.X to v5.6 SP2 HF3 or later
SINAMICS STARTER (containing STEP 7 OEM version)
HOTFIXUpdate SINAMICS STARTER (containing STEP 7 OEM version) to v5.4 HF2 or later
SIMATIC PCS 7 V9.0
HOTFIXUpdate SIMATIC PCS 7 v9.0 to v9.0 SP3 or later (contact Siemens support for software distribution)
SIMATIC PDM
HOTFIXUpdate SIMATIC PDM to v9.2 or later
Mitigations - no patch available
0/1
SIMATIC PCS 7 V8.2 and earlier has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGImplement network segmentation to isolate engineering workstations from general IT networks
View full CISA ICS-CERT advisory
API: /api/v1/advisories/8efb8f70-8c7a-42b3-b236-fb9928fc6276

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Siemens SIMATIC, SINAMICS (Update C) | CVSS 7.8 - OTPulse