OTPulse

Siemens Industrial Products

Action: Plan Patch
CVSS: 7.5
Advisory: ICS-CERT ICSA-22-132-12
Published: May 10, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the OPC Foundation Local Discovery Server (LDS) affects multiple Siemens industrial software products. The vulnerability is a buffer overflow (CWE-119) that can cause a denial of service condition when the LDS service receives specially crafted network input. The OPC Local Discovery Server is used by engineering workstations, HMI/SCADA servers, and historian services for device discovery and communication. Affected products include OpenPCS 7, SIMATIC NET PC Software (versions 14–17), SIMATIC WinCC, SIMATIC Process Historian OPC UA Server, and TeleControl Server Basic. Siemens has released patches for most products, but OpenPCS 7 v9.1 and SIMATIC NET PC Software v15 have no fix available.

What this means
What could happen
A denial of service vulnerability in the OPC Local Discovery Server could crash engineering workstations, HMI servers, or historian services, disrupting real-time monitoring and control of industrial processes. Depending on which product is affected, this could prevent operators from viewing process data or controlling PLCs until the service recovers.
Who's at risk
Manufacturing facilities using Siemens engineering and HMI products should prioritize this issue. Affected systems include: OpenPCS 7 (all versions), SIMATIC NET PC Software for engineering workstations, SIMATIC WinCC and WinCC Runtime Professional (HMI/SCADA interfaces), SIMATIC Process Historian with OPC UA Server, and TeleControl Server Basic used in remote telemetry applications. Any facility relying on these tools for process visibility and control is at risk of service disruption.
How it could be exploited
An attacker with network access to a device running an affected Siemens product can send specially crafted network packets to the OPC Local Discovery Server service, causing the service to crash. The vulnerability is in how the service handles input, making it remotely exploitable without authentication. Once the service crashes, engineering tools or HMI interfaces that depend on it may become unavailable.
Prerequisites
  • Network access to the OPC Local Discovery Server service (typically UDP port 3665, unless non-default ports are configured)
  • OPC Local Discovery Server service must be enabled on the target device (not enabled by default)
  • No authentication required to trigger the crash
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects industrial engineering and HMI infrastructure
  • No fix available for OpenPCS 7 v9.1 and SIMATIC NET PC Software v15
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (10)
8 with fix · 2 EOL
Product                                  | Affected Versions      | Fix Status
SIMATIC NET PC Software V14              | < V14 SP1 Update 14    | 14 SP1 Update 14
SIMATIC NET PC Software V16              | < V16 Update 6         | 16 Update 6
OpenPCS 7 V9.1                           | All versions           | No fix (EOL)
SIMATIC NET PC Software V15              | All versions           | No fix (EOL)
SIMATIC NET PC Software V17              | < V17 SP1              | 17 SP1
SIMATIC Process Historian OPC UA Server  | < V2020 SP1            | 2020 SP1
SIMATIC WinCC                            | < V8.0                 | 8.0
SIMATIC WinCC Runtime Professional       | < V18                  | 18
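Checking an asset inventory against a fix table like the one above is error-prone by hand because Siemens version strings mix service packs and update levels ("V14 SP1 Update 13" is below "V14 SP1 Update 14", and "V16 Update 6" is below "V16 SP1"). The following Python script is an added example, not code from OTPulse or Siemens. It transcribes the fix table above (plus the TeleControl Server Basic line from this page's remediation list), parses the version strings into comparable tuples, and classifies each inventory entry as patched, vulnerable, vulnerable with no fix, or not listed. The hostnames and inventory rows are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix table transcribed from this advisory's "Affected products" rows and the
# TeleControl line of its remediation list. The value is the first fixed
# version; None means the page lists no fix (end of life).
FIX_TABLE: Dict[str, Optional[str]] = {
    "SIMATIC NET PC Software V14": "V14 SP1 Update 14",
    "SIMATIC NET PC Software V15": None,
    "SIMATIC NET PC Software V16": "V16 Update 6",
    "SIMATIC NET PC Software V17": "V17 SP1",
    "OpenPCS 7 V9.1": None,
    "SIMATIC Process Historian OPC UA Server": "V2020 SP1",
    "SIMATIC WinCC": "V8.0",
    "SIMATIC WinCC Runtime Professional": "V18",
    "TeleControl Server Basic V3": "V3.1.1",
}

# (major, minor, patch, service_pack, update) -- tuple order gives the
# Siemens ordering: base release < Update n < SP1 < SP1 Update n.
Version = Tuple[int, int, int, int, int]

_VERSION_RE = re.compile(
    r"^V?(\d+)(?:\.(\d+))?(?:\.(\d+))?"  # V14 / V8.0 / 3.1.1
    r"(?:\s+SP(\d+))?"                   # optional service pack
    r"(?:\s+Update\s+(\d+))?$",          # optional update level
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    """Turn a Siemens-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, sp, update = (int(g or 0) for g in m.groups())
    return (major, minor, patch, sp, update)


def _lookup(product: str, version: Version) -> Optional[str]:
    """Find the advisory row for a product: an exact name, or name plus major
    (or major.minor) version for lines the advisory splits per release."""
    candidates = (
        product,
        f"{product} V{version[0]}",
        f"{product} V{version[0]}.{version[1]}",
    )
    for key in candidates:
        if key in FIX_TABLE:
            return key
    return None


def assess(product: str, version_text: str) -> str:
    """Classify one inventory entry: 'not-listed', 'patched', 'vulnerable'
    or 'vulnerable-no-fix'."""
    version = parse_version(version_text)
    key = _lookup(product, version)
    if key is None:
        return "not-listed"
    fixed = FIX_TABLE[key]
    if fixed is None:
        return "vulnerable-no-fix"
    return "patched" if version >= parse_version(fixed) else "vulnerable"


Entry = Tuple[str, str, str]  # (host, product, version)


def triage(inventory: List[Entry]) -> Dict[str, List[Entry]]:
    """Group inventory entries by their assessment status."""
    report: Dict[str, List[Entry]] = {}
    for host, product, version in inventory:
        report.setdefault(assess(product, version), []).append((host, product, version))
    return report


# Constructed sample inventory; hostnames are placeholders, not real assets.
SAMPLE_INVENTORY: List[Entry] = [
    ("ews-01", "SIMATIC NET PC Software", "V14 SP1 Update 13"),
    ("ews-02", "SIMATIC NET PC Software", "V16 SP1"),
    ("ews-03", "SIMATIC NET PC Software", "V15 SP1"),
    ("hmi-01", "SIMATIC WinCC", "V7.5 SP2"),
    ("hmi-02", "SIMATIC WinCC Runtime Professional", "V18"),
    ("hist-01", "SIMATIC Process Historian OPC UA Server", "V2020"),
    ("pcs-01", "OpenPCS 7", "V9.1"),
    ("tc-01", "TeleControl Server Basic", "V3.0"),
    ("eng-99", "TIA Portal", "V17"),
]

if __name__ == "__main__":
    for status, entries in sorted(triage(SAMPLE_INVENTORY).items()):
        print(status)
        for host, product, version in entries:
            print(f"  {host}: {product} {version}")
```

The "vulnerable-no-fix" bucket is the one to feed into the compensating-controls work (service disablement, firewall restriction, VPN between cells) listed under Remediation below, since no patch will ever clear those hosts.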
Remediation & Mitigation
Do now
WORKAROUND: Disable the OPC Local Discovery Server service if your operational use case does not require it
HARDENING: Restrict network access to OPC Local Discovery Server ports using firewall rules, allowing only trusted engineering workstations and systems that require the service
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software v14 to 14 SP1 Update 14 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software v16 to 16 Update 6 or later
SIMATIC NET PC Software V17
HOTFIX: Update SIMATIC NET PC Software v17 to 17 SP1 or later
SIMATIC Process Historian OPC UA Server
HOTFIX: Update SIMATIC Process Historian OPC UA Server to 2020 SP1 or later
SIMATIC WinCC
HOTFIX: Update SIMATIC WinCC Runtime Professional to v18 or later
HOTFIX: Update SIMATIC WinCC Unified PC Runtime to 18 Update 1 or later
HOTFIX: Contact Siemens support for SIMATIC WinCC update guidance
TeleControl Server Basic V3
HOTFIX: Update TeleControl Server Basic v3 to 3.1.1 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: OpenPCS 7 V9.1, SIMATIC NET PC Software V15. Apply the following compensating controls:
HARDENING: Use VPN to protect network communication between cells and restrict lateral access to industrial network segments
API: /api/v1/advisories/6f0053eb-9569-4103-bf46-24f92e998e1f