OTPulse

Siemens UMC Stack (Update H)

Monitor | CVSS 6.7 | ICS-CERT ICSA-20-196-05 | Jul 14, 2020
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

The Siemens UMC (Update Management Component) stack contains two security vulnerabilities affecting multiple Siemens industrial software products used on engineering workstations. The vulnerabilities could allow a user with administrative privileges on an engineering workstation to escalate to SYSTEM-level code execution, or trigger a partial denial-of-service condition affecting the UMC component. Affected products include SIMATIC STEP 7 (TIA Portal) versions 15 and 16, SIMOCODE ES, Soft Starter ES, Opcenter suite applications, SIMATIC IT Production Suite, SIMATIC IT LMS, and SIMATIC PCS neo. The vulnerabilities are tracked as CWE-428 (Uncontrolled Resource Consumption), CWE-400 (Uncontrolled Resource Consumption), and CWE-20 (Improper Input Validation).

What this means
What could happen
An attacker with local administrative privileges could escalate to SYSTEM-level code execution on engineering workstations running affected Siemens software, compromising the integrity of industrial control configurations. Additionally, a partial denial-of-service of the UMC component could disrupt software functionality on affected systems.
Who's at risk
Manufacturing organizations using Siemens industrial software on engineering workstations should care, particularly those running STEP 7 TIA Portal (v15 or v16), SIMOCODE ES, Soft Starter ES, Opcenter suite products, SIMATIC IT applications, or SIMATIC PCS neo. The vulnerability affects workstations used to design, configure, and maintain programmable logic controllers (PLCs), motor starters, and production execution systems. SIMATIC Notifier Server (all versions) has no patch available and requires workarounds.
How it could be exploited
An attacker with local administrator access to an engineering workstation running affected Siemens software (STEP 7 TIA Portal, SIMOCODE ES, Soft Starter ES, etc.) exploits the UMC component vulnerability to escalate from administrative user privileges to SYSTEM-level privileges. This allows execution of arbitrary code with the highest system privileges. The attacker could alternatively trigger a path traversal or resource exhaustion condition in the UMC component to cause partial denial-of-service.
Prerequisites
  • Local access to an engineering workstation running affected Siemens software
  • Administrator-level user privileges on the workstation
  • UMC component must be installed and running
  • Low complexity exploitation
  • Requires local administrative access (but escalates privileges)
  • Affects engineering workstation software used to control plant operations
  • No patch available for SIMATIC Notifier Server for Windows
  • Privilege escalation to SYSTEM level
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (16)
15 with fix, 1 EOL

Product                            Affected Versions    Fix Status
Opcenter Quality                   <V11.3               11.3
Opcenter RD&L                      V8.0                 8.1
SIMATIC PCS neo                    <V3.0 SP1            3.0 SP1
SIMATIC STEP 7 (TIA Portal) V15    <V15.1 Update 5      15.1 Update 5
SIMATIC STEP 7 (TIA Portal) V16    <V16 Update 2        16 Update 2
Remediation & Mitigation
Do now
WORKAROUND: Remove or rename executable files at C:\Program.exe, C:\Program Files\Common.exe, and C:\Program Files\Common Files\Siemens\Automation\Simatic.exe to prevent CVE-2020-7581 exploitation (applicable if SIMATIC Notifier Server is in use)
HARDENING: Run affected software only on systems within trusted networks with no untrusted local user access
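
Added example, not from Siemens or OTPulse: a PowerShell check for the workaround above. It reports whether any of the three listed files exist, shows why an unquoted command line under that Siemens directory would probe exactly those locations, and, going beyond the advisory, lists services registered with unquoted paths. The function names and the sample path ending in `Simatic Example\helper.exe` are constructed for illustration.

```powershell
# Added example (not Siemens or OTPulse code). Run from an elevated prompt.
# Paths copied from the workaround above.
$WorkaroundPaths = @(
    'C:\Program.exe',
    'C:\Program Files\Common.exe',
    'C:\Program Files\Common Files\Siemens\Automation\Simatic.exe'
)

function Get-UnquotedPathCandidates {
    # For an unquoted command line, list the executables Windows tries at each
    # space before it reaches the intended binary. Quoted lines return nothing.
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) { return }
    $end = $cmd.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($end -lt 0) { return }
    $image = $cmd.Substring(0, $end + 4)
    for ($i = 0; $i -lt $image.Length; $i++) {
        if ($image[$i] -eq ' ') { $image.Substring(0, $i) + '.exe' }
    }
}

function Get-WorkaroundPathStatus {
    # Report whether each workaround path exists and, if so, who owns it and
    # whether it carries a valid Authenticode signature.
    foreach ($p in $WorkaroundPaths) {
        $present = Test-Path -LiteralPath $p -PathType Leaf
        [pscustomobject]@{
            Path      = $p
            Present   = $present
            Owner     = if ($present) { (Get-Acl -LiteralPath $p).Owner }
            Signature = if ($present) { (Get-AuthenticodeSignature -LiteralPath $p).Status }
            Created   = if ($present) { (Get-Item -LiteralPath $p).CreationTimeUtc }
        }
    }
}

# Constructed path: the real helper's location is not given in the advisory.
$sample = 'C:\Program Files\Common Files\Siemens\Automation\Simatic Example\helper.exe /run'
Get-UnquotedPathCandidates $sample      # locations an unquoted launch would probe
Get-WorkaroundPathStatus | Format-Table -AutoSize

# Generalization: services registered with an unquoted path containing spaces.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and @(Get-UnquotedPathCandidates $_.PathName).Count } |
    Select-Object Name, StartName, PathName
```

Any row with Present = True should be reviewed before it is renamed or removed: record the owner, signature status and creation time first, since a file at one of these locations is not expected on a clean system.
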
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Opcenter Execution Discrete
HOTFIX: Update Opcenter Execution Discrete, Foundation, and Process to v3.2 or later
Opcenter Quality
HOTFIX: Update Opcenter Quality to v11.3 or later
Opcenter RD&L
HOTFIX: Update Opcenter RD&L to v8.1 or later
SIMATIC PCS neo
HOTFIX: Update SIMATIC PCS neo to v3.0 SP1 (contact local support)
SIMATIC STEP 7 (TIA Portal) V15
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) v15 to v15.1 Update 5 or later
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) v16 to v16 Update 2 or later
SIMOCODE ES V15.1
HOTFIX: Update SIMOCODE ES v15.1 and prior to v15 Update 4 or later
SIMOCODE ES V16
HOTFIX: Update SIMOCODE ES v16 to v16 Update 1 or later
Soft Starter ES V15.1
HOTFIX: Update Soft Starter ES v15.1 and prior to v15 Update 3 or later
Soft Starter ES V16
HOTFIX: Update Soft Starter ES v16 to v16 Update 1 or later
SIMATIC IT LMS
HOTFIX: Update SIMATIC IT LMS to v2.6 or later
SIMATIC IT Production Suite
HOTFIX: Update SIMATIC IT Production Suite to v8.0 or later
Opcenter Intelligence
HOTFIX: Update Opcenter Intelligence to v3.3 or later
Mitigations - no patch available
SIMATIC Notifier Server for Windows has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network access controls and restrict connectivity to engineering workstations to authorized IT and operations personnel