OTPulse

Siemens SIMATIC WinCC and PCS

Monitor | CVSS 6.3 | ICS-CERT ICSA-22-041-02 | Feb 8, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

Multiple information disclosure vulnerabilities in SIMATIC WinCC and PCS 7 could allow attackers with legitimate credentials to retrieve and brute-force password hashes, potentially gaining unauthorized access to other systems. The vulnerabilities affect SIMATIC WinCC versions 7.4 through 17 and SIMATIC PCS 7 versions 8.2, 9.0, and 9.1. Exploitation requires local access or prior authentication to the application.

What this means
What could happen
An attacker with engineering credentials could extract password hashes from WinCC or PCS 7 servers, then brute force them offline to gain elevated access or compromise other connected systems in your control network.
Who's at risk
Water utilities and electric utilities operating Siemens SIMATIC control systems should evaluate this risk. Specifically: operators running SIMATIC PCS 7 v8.2, v9.0, or v9.1 for distributed control and supervision, and those running SIMATIC WinCC v7.4, v7.5, v15, v16, or v17 for human-machine interface and SCADA visualization across water treatment, distribution, and power generation facilities.
How it could be exploited
An attacker with valid credentials logs into SIMATIC WinCC or PCS 7 and exploits the information disclosure vulnerability to retrieve stored password hashes from the application's database or memory. The attacker then cracks the passwords with offline brute-force attacks and reuses the credentials to access other systems or maintain persistence in the control environment.
Prerequisites
  • Valid engineering workstation credentials for WinCC or PCS 7
  • Local or network access to the WinCC/PCS 7 application
  • User must already be authenticated to the system
Risk factors
  • Requires valid credentials
  • Low complexity exploitation after access gained
  • Medium CVSS score (6.3)
  • Affects credential storage in critical control system software
  • No patch available for PCS 7 v8.2
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (9)
8 with fix, 1 EOL

Product | Affected Versions | Fix Status
SIMATIC PCS 7 V8.2 | All versions | No fix (EOL)
SIMATIC PCS 7 V9.0 | All versions | 9.0 SP3 UpdateCollection04
SIMATIC PCS 7 V9.1 | <V9.1 SP1 | 9.1 SP1
SIMATIC WinCC V15 and earlier | <V15 SP1 Update 7 | 15 SP1 Update 7
SIMATIC WinCC V16 | <V16 Update 5 | 16 Update 5
SIMATIC WinCC V17 | <V17 Update 2 | 17 Update 2
SIMATIC WinCC V17 | ≥ V17 Update 2, <V17 Update 4 | 17 Update 4
SIMATIC WinCC V7.4 | <V7.4 SP1 Update 19 | 7.4 SP1 Update 19

Remediation & Mitigation
Do now
[HARDENING] Restrict local access to WinCC and PCS 7 application servers to trusted engineering personnel only; implement physical access controls and hardware locks on operator consoles
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PCS 7 V8.2
[HOTFIX] SIMATIC PCS 7 v8.2: Install SIMATIC WinCC v7.4 SP1 Update 19 or later (end-of-life upgrade path)
SIMATIC PCS 7 V9.0
[HOTFIX] SIMATIC PCS 7 v9.0: Update to v9.0 SP3 UpdateCollection04 or later
SIMATIC PCS 7 V9.1
[HOTFIX] SIMATIC PCS 7 v9.1: Update to v9.1 SP1 or later
SIMATIC WinCC V7.4
[HOTFIX] SIMATIC WinCC v7.4: Update to v7.4 SP1 Update 19 or later
SIMATIC WinCC V7.5
[HOTFIX] SIMATIC WinCC v7.5: Update to v7.5 SP2 Update 6 or later
SIMATIC WinCC V16
[HOTFIX] SIMATIC WinCC v16: Update to v16 Update 5 or later
SIMATIC WinCC V17
[HOTFIX] SIMATIC WinCC v17: Update to v17 Update 4 or later
All products
[HOTFIX] SIMATIC WinCC v15: Update to v15 SP1 Update 7 or later
Mitigations - no patch available
SIMATIC PCS 7 V8.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
[HARDENING] Implement network segmentation to isolate WinCC and PCS 7 servers from untrusted networks; use firewalls to restrict administrative access to specific engineering subnets
[HARDENING] Enforce strong password policies and multi-factor authentication for all WinCC and PCS 7 user accounts to increase the difficulty of offline brute-force attacks