OTPulse

Siemens SIMATIC STEP 7 and Derived Products

Act Now: 10
ICS-CERT: ICSA-23-166-08
Date: Jun 13, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC STEP 7 and PCS 7 contain a database management system vulnerability that allows remote users to invoke embedded database functions and execute code on the server where the engineering platform is running. An attacker with network access to the server network could leverage these database functions to run arbitrary code in the database management system's context. This affects SIMATIC PCS 7, SIMATIC S7-PM, and SIMATIC STEP 7 V5. Siemens has released patches for some products and recommends specific workarounds for others.

What this means
What could happen
An attacker with network access to an engineering workstation running SIMATIC STEP 7 or PCS 7 can execute arbitrary code in the database management system, potentially allowing them to modify control system logic, alter process parameters, or disrupt operations.
Who's at risk
Engineering staff and IT teams managing water treatment, electrical generation, or other industrial processes that use Siemens SIMATIC STEP 7, PCS 7, or S7-PM for control system programming and supervision. Any site using these engineering platforms for HMI/SCADA or PLC programming is at risk.
How it could be exploited
An attacker on the same network as an engineering workstation running SIMATIC STEP 7 or PCS 7 can send commands to the embedded database management system functions. These embedded functions can be invoked locally or from a network share to execute code on the server where STEP 7 or PCS 7 is installed.
Prerequisites
  • Network access to the engineering workstation or network share hosting the database management system
  • No authentication credentials required
Remotely exploitable · No authentication required · Low complexity attack · Critical CVSS score (10.0) · High impact to control system operations · Multiple affected products · One product (S7-PM) has no fix planned
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (4)
4 with fix
Product            | Affected Versions  | Fix Status
SIMATIC PCS 7      | < V9.1 SP2 UC04    | 9.1 SP2 UC04
SIMATIC S7-PM      | < V5.7 SP1 HF1     | 5.7 SP1 HF1
SIMATIC S7-PM      | < V5.7 SP2 HF1     | 5.7 SP2 HF1
SIMATIC STEP 7 V5  | < V5.7             | 5.7
Remediation & Mitigation
Do now
WORKAROUND: Configure engineering workstations to use Single terminal system mode in SIMATIC Workspace/Workstation Configuration (Workstation Configuration tab) and restart the computer
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 V5
HOTFIX: Update SIMATIC STEP 7 V5 to version 5.7 or later
SIMATIC PCS 7
HOTFIX: Update SIMATIC PCS 7 to version 9.1 SP2 UC04 or later
SIMATIC S7-PM
HOTFIX: Update SIMATIC S7-PM to version 5.7 SP1 HF1 or 5.7 SP2 HF1 or later
Long-term hardening
SIMATIC S7-PM
HARDENING: For SIMATIC S7-PM where no fix is planned, migrate STEP 7 projects to the latest version of TIA Portal and uninstall S7-PM
All products
HARDENING: Restrict network access to engineering workstations with firewalls and network segmentation; do not expose to the Internet
HARDENING: Use VPN or other secure methods for any required remote access to engineering systems