OTPulse

Siemens SIMATIC STEP 7 (TIA Portal)

MonitorCVSS 6.4ICS-CERT ICSA-22-104-14Apr 12, 2022
Siemens
Attack path
Attack VectorLocal
Auth RequiredHigh
ComplexityHigh
User InteractionRequired
Summary

An attacker with access to SIMATIC STEP 7 (TIA Portal) could achieve privilege escalation on the web server of S7-1200 and S7-1500 PLCs (including ET200 and SIPLUS variants) due to incorrect handling of web server user management configuration during program download. When a vulnerable version of TIA Portal (V15 all versions, V16 before Update 5, or V17 before Update 2) is used to configure web server user permissions and download the configuration to the PLC, the web server may accept unauthenticated requests that should require authentication. This only affects PLCs with the web server feature activated.

What this means
What could happen
An attacker with access to download program changes to an S7-1200 or S7-1500 PLC could enable unauthenticated access to the device's web server, allowing them to view or manipulate process parameters without authentication. This requires local or network access to the engineering environment and legitimate access to TIA Portal.
Who's at risk
Water utilities and power generation facilities using Siemens S7-1200 or S7-1500 automation controllers (including ET200 variants) with web server interfaces enabled in their SCADA or process control systems. Primarily affects engineering teams managing these systems through TIA Portal, and impacts any operational PLCs that may have been configured with vulnerable TIA Portal versions.
How it could be exploited
An attacker must have access to the TIA Portal engineering software and the ability to connect to and modify a PLC project for S7-1200 or S7-1500 series. They create or modify the web server user configuration in a vulnerable version of TIA Portal, then download the configuration to the PLC. The misconfiguration results in the web server accepting unauthenticated requests that should require authentication, bypassing access controls to operator interfaces and diagnostic functions.
Prerequisites
  • Access to SIMATIC STEP 7 (TIA Portal) on an engineering workstation
  • Ability to connect to and modify a PLC project targeting S7-1200 or S7-1500 CPUs
  • PLC must have web server feature activated
  • Using TIA Portal V15, V16 (before Update 5), or V17 (before Update 2)
Privilege escalation on PLC web serverAuthentication bypass on critical control systemsNo fix available for TIA Portal V15Requires legitimate engineering access but could enable unauthorized operational access
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
2 with fix1 EOL
ProductAffected VersionsFix Status
SIMATIC STEP 7 (TIA Portal) V16<V16 Update 516 Update 5
SIMATIC STEP 7 (TIA Portal) V17<V17 Update 217 Update 2
SIMATIC STEP 7 (TIA Portal) V15All versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/2
SIMATIC STEP 7 (TIA Portal) V16
WORKAROUNDFor V15 users: If unauthenticated access is detected, delete the PLC and reconfigure using a newer TIA Portal version or reconfigure web server settings without downloading web server changes
All products
WORKAROUNDFor V15 users: After any web server user configuration changes, validate web server permissions by accessing the web server unauthenticated to confirm no unintended access exists
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 (TIA Portal) V16
HOTFIXUpdate SIMATIC STEP 7 (TIA Portal) V16 to Update 5 or later
HOTFIXUpdate SIMATIC STEP 7 (TIA Portal) V17 to Update 2 or later
Mitigations - no patch available
0/2
SIMATIC STEP 7 (TIA Portal) V15 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGRestrict network access to PLC web servers using firewall rules; only permit connections from authorized engineering workstations and operator consoles
HARDENINGPlace PLC networks behind firewalls and isolate from business network and Internet
View full CISA ICS-CERT advisory
API: /api/v1/advisories/f44ac14e-00e4-4d24-9f5d-a20241c1b428

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Siemens SIMATIC STEP 7 (TIA Portal) | CVSS 6.4 - OTPulse