OTPulse

Siemens SIMATIC Process Historian

Act Now · CVSS 9.8 · ICS-CERT ICSA-21-287-09 · Oct 12, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC Process Historian contains an authentication bypass vulnerability in the configuration interface of redundant instances. An unauthenticated attacker with network access can execute administrative database operations on the PH system. The vulnerability affects versions 2013 and earlier (all versions), 2014 prior to SP3 Update 6, 2019 (all versions), and 2020 prior to Update 2. Siemens has fixed the issue in 2020 Update 2 (and in 2014 SP3 Update 6). For unpatched versions, Siemens recommends disabling the redundancy service firewall rules, or restricting them to the trusted Master, Standby, and Mirror server IPs, and isolating PH systems from untrusted networks.

What this means
What could happen
An attacker with network access to the redundancy configuration interface could bypass authentication and execute database administration commands, potentially disrupting data collection or altering historical records in water treatment or power distribution operations.
Who's at risk
Water utilities and electric utilities using Siemens SIMATIC Process Historian for operational data logging and redundancy. This affects any organization with redundant PH deployments (Master/Standby/Mirror configurations) that handle process historian data for water treatment, distribution, or power generation systems.
How it could be exploited
An attacker on the network sends unauthenticated requests to the SIMATIC Process Historian redundancy configuration interface (the ports used by the PH Redundancy Services or PH Wcf MessageQueue services). The vulnerability allows the attacker to perform admin operations on the connected database without valid credentials, potentially reading, modifying, or deleting operational history data.
Prerequisites
  • Network access to SIMATIC Process Historian redundancy services ports (PH Redundancy Services, PH Wcf MessageQueue Service, SQL Mirroring ports TCP/UDP)
  • Redundancy configuration enabled on the PH instance
  • No network firewall rules blocking access to the vulnerable services
  • Remotely exploitable
  • No authentication required for vulnerable interface
  • Low complexity attack
  • Affects data integrity and availability of operational history
  • Multiple versions have no patch available (2013, early 2014, 2019)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (4): 2 with fix, 2 EOL
  Product | Affected Versions | Fix Status
  SIMATIC Process Historian 2020 | All versions | 2020 Update 2
  SIMATIC Process Historian 2013 and earlier | All versions | No fix (EOL)
  SIMATIC Process Historian 2019 | All versions | No fix (EOL)
  SIMATIC Process Historian 2014 | < SP3 Update 6 | SP3 Update 6
Remediation & Mitigation
Do now
WORKAROUND: Disable incoming Windows firewall rules for PH Redundancy Services, PH Wcf MessageQueue Service (RedundancyMaintenanceService, SqlMirroringSetup, MaintenanceService), and PH SQL-Server Mirroring Port (UDP and TCP) if redundancy is not in use
WORKAROUND: Restrict firewall rules for redundancy services to allow traffic only from known Master, Standby, and Mirror server IP addresses
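As an added example (not code from Siemens or OTPulse), the following PowerShell script audits the inbound Windows Firewall rules named in the two workarounds above and, when run with -Apply, either disables them (redundancy not in use) or restricts them to the redundancy peers. The rule display-name patterns and the peer addresses are assumptions that must be verified on the PH host before applying anything.

```powershell
# Added example, not code from Siemens or OTPulse: audit the inbound Windows
# Firewall rules that expose Process Historian redundancy services and apply
# the advisory's workaround (disable them if redundancy is unused, otherwise
# restrict them to the Master/Standby/Mirror peers). Run elevated on the PH host.
param(
    # ASSUMPTION: placeholder addresses for the redundancy peers; replace them
    [string[]]$TrustedPeers = @('192.0.2.10', '192.0.2.11', '192.0.2.12'),
    [switch]$RedundancyInUse,   # set when Master/Standby/Mirror is configured
    [switch]$Apply              # without -Apply the script only reports
)
# Rule names as listed in the advisory. ASSUMPTION: they appear as substrings
# of the rule DisplayName on the host; confirm with Get-NetFirewallRule first.
$patterns = @(
    '*PH Redundancy*',
    '*PH Wcf MessageQueue*',
    '*RedundancyMaintenanceService*',
    '*SqlMirroringSetup*',
    '*MaintenanceService*',
    '*SQL-Server Mirroring*'
)

$rules = foreach ($p in $patterns) {
    Get-NetFirewallRule -Direction Inbound -DisplayName $p -ErrorAction SilentlyContinue
}
$rules = @($rules | Sort-Object -Property Name -Unique)   # drop overlapping matches
if ($rules.Count -eq 0) {
    Write-Warning 'No matching inbound rules found; check the DisplayName patterns.'
    return
}

$report = foreach ($rule in $rules) {
    # A RemoteAddress of 'Any' means the service accepts traffic from every host
    $remote    = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $openToAny = ($rule.Enabled -eq 'True') -and ($remote -contains 'Any')
    if ($Apply -and -not $RedundancyInUse) {
        Disable-NetFirewallRule -Name $rule.Name                           # workaround 1
    } elseif ($Apply -and $openToAny) {
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TrustedPeers  # workaround 2
    }
    # Report the state as found, before any change was applied
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = [string]$rule.Enabled
        RemoteAddress = ($remote -join ', ')
        OpenToAny     = $openToAny
    }
}
$report | Format-Table -AutoSize
```

Run it once without -Apply to confirm the matched rules are really the PH redundancy rules, then re-run with -Apply (and -RedundancyInUse where the peers are needed).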
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC Process Historian 2014
HOTFIX: Update SIMATIC Process Historian 2014 to SP3 Update 6 or later
SIMATIC Process Historian 2013 and earlier
HOTFIX: Upgrade SIMATIC Process Historian 2013 and earlier to a newer version (2014 SP3 Update 6 or later; note that 2019 and 2020 versions have separate vulnerabilities)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC Process Historian 2013 and earlier, SIMATIC Process Historian 2019. Apply the following compensating controls:
HARDENING: Isolate SIMATIC Process Historian systems from the business network and the Internet using network segmentation and firewalls