OTPulse

Siemens Opcenter Execution Core (Update B)

Plan Patch | CVSS 8.5 | ICS-CERT ICSA-20-196-07 | Jul 14, 2020
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Siemens Opcenter Execution Core and Camstar Enterprise Platform contain multiple input validation vulnerabilities (XSS and SQL injection) and authentication/authorization flaws (CWE-284, CWE-522) that allow authenticated users to execute arbitrary code or bypass access controls within the application. All versions of Camstar Enterprise Platform are affected. Opcenter Execution Core versions below 8.4 are vulnerable. The vulnerabilities permit authenticated attackers to inject malicious scripts and SQL commands to compromise data confidentiality and integrity.

What this means
What could happen
An authenticated attacker or compromised user account could inject malicious code into the Opcenter interface to view sensitive manufacturing data, modify production orders, or tamper with system configurations that control plant operations. An attacker could also bypass authorization controls to access restricted functionality.
Who's at risk
Manufacturing operations managers and plant engineers using Siemens Opcenter Execution Core or Camstar Enterprise Platform for production planning, batch tracking, and order management. This affects facilities across discrete manufacturing, food & beverage, pharmaceutical, and chemical industries that rely on these MES (Manufacturing Execution Systems) platforms for shop floor control.
How it could be exploited
An attacker with valid credentials to the Opcenter or Camstar web interface could inject XSS payloads or SQL commands through input fields. The application fails to sanitize these inputs, allowing the attacker to execute arbitrary JavaScript in other users' browsers or query/modify the backend database. This requires network access to the application web server and valid user authentication.
Prerequisites
  • Network access to Opcenter/Camstar web server (typically port 80/443)
  • Valid user credentials (engineering or operator account)
  • User interaction not required once authenticated (stored XSS or direct SQL injection possible)
  • Remotely exploitable over network
  • Requires valid credentials but low authentication bar (operator-level access)
  • Low complexity exploitation (standard XSS/SQLi techniques)
  • No patch available for Camstar or Opcenter versions <8.4
  • Affects data integrity and confidentiality of manufacturing operations
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (4)
3 with fix, 1 EOL
Product | Affected Versions | Fix Status
Opcenter Execution Core: All | <V8.2 | 8.4 or later
Camstar Enterprise Platform: All versions | All versions | No fix (EOL)
Opcenter Execution Core: V8.2 | V8.2 | 8.4 or later
Opcenter Execution Core: V8.3 | V8.3 | 8.4 or later
Remediation & Mitigation
Do now
WORKAROUND: For Camstar Enterprise Platform (no fix available): Configure a Web Application Firewall (WAF) to detect and block XSS and SQL injection payloads in HTTP traffic to the application
WORKAROUND: Restrict network access to the Opcenter/Camstar web server to trusted engineering and operator workstations only using firewall rules or VPN access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Opcenter Execution Core to version 8.4 or later
Mitigations - no patch available
Camstar Enterprise Platform (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the MES platform from general corporate IT and the internet
HARDENING: Enforce strong password policies and multi-factor authentication for all accounts accessing Opcenter/Camstar to limit the impact of credential compromise
HARDENING: Monitor access logs and web server activity for signs of XSS/SQL injection attempts
Siemens Opcenter Execution Core (Update B) | CVSS 8.5 - OTPulse