OTPulse

Siemens SIMATIC Software Products

Plan PatchCVSS 7.8ICS-CERT ICSA-21-194-05Jul 13, 2021
Siemens
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

A buffer overflow vulnerability in multiple SIMATIC Software products allows manipulation of project files to inject and execute malicious code. The vulnerability affects SIMATIC PCS 7 (all versions 8.2 and earlier, and 9.0 before SP3), SIMATIC PDM (before version 9.2), SIMATIC STEP 7 V5.X (before version 5.6 SP2 HF3), and SINAMICS STARTER with STEP 7 OEM (before version 5.4 HF2). An attacker who can place a specially crafted project file where it will be opened on an engineering workstation can execute arbitrary code in the context of the engineering software user.

What this means
What could happen
An attacker with access to an engineering workstation could manipulate SIMATIC project files to inject malicious code, which would execute with the privileges of the engineering environment when the project is loaded, potentially altering control logic or plant operations.
Who's at risk
This affects organizations using Siemens SIMATIC engineering software for process control and automation, including process automation systems (PCS 7), device management (PDM), and PLC programming environments (STEP 7). Impacted equipment includes engineering workstations where control logic is developed and tested before deployment to PLCs and other ICS devices in plants.
How it could be exploited
An attacker must obtain access to a project file stored on or accessible from an engineering workstation running one of the affected SIMATIC software products. This could occur through a shared folder, email attachment, or compromised USB. When an authorized user opens the manipulated project file, the injected code executes during project import or compilation in the engineering environment.
Prerequisites
  • Local access to engineering workstation or access to shared project file storage
  • Affected SIMATIC software product installed (PCS 7, PDM, STEP 7, or SINAMICS STARTER)
  • User must open the malicious project file in the engineering software
Low complexity attackLocal access requiredNo authentication required to open project fileAffects engineering environment with high privilegesSIMATIC PCS 7 V8.2 and earlier have no fix available
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (5)
4 with fix1 EOL
ProductAffected VersionsFix Status
SIMATIC PCS 7 V9.0<V9.0 SP39.0 SP3
SIMATIC PDM<V9.29.2
SIMATIC PCS 7 V8.2 and earlierAll versionsNo fix (EOL)
SIMATIC STEP 7 V5.X<V5.6 SP2 HF35.6 SP2 HF3
SINAMICS STARTER (containing STEP 7 OEM version)<V5.4 HF25.4 HF2
Remediation & Mitigation
0/7
Do now
0/1
WORKAROUNDOnly use project files from trusted sources; verify the origin and integrity of project files before opening them
Schedule — requires maintenance window
0/4

Patching may require device reboot — plan for process interruption

SIMATIC PCS 7 V9.0
HOTFIXUpdate SIMATIC PCS 7 v9.0 to v9.0 SP3 or later
SIMATIC PDM
HOTFIXUpdate SIMATIC PDM to v9.2 or later
SIMATIC STEP 7 V5.X
HOTFIXUpdate SIMATIC STEP 7 V5.X to v5.6 SP2 HF3 or later
SINAMICS STARTER (containing STEP 7 OEM version)
HOTFIXUpdate SINAMICS STARTER (containing STEP 7 OEM version) to v5.4 HF2 or later
Mitigations - no patch available
0/2
SIMATIC PCS 7 V8.2 and earlier has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGFor SIMATIC PCS 7 V8.2 and earlier versions with no fix available: restrict access to project files on engineering stations to trusted users and implement compensating controls
HARDENINGRestrict network access to engineering workstations; isolate engineering network from business network using firewalls and network segmentation
View full CISA ICS-CERT advisory
API: /api/v1/advisories/05d18d51-df78-427b-ae4e-1c39236cef2d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.