Siemens Desigo CC product family

Plan Patch | CVSS 9.1 | ICS-CERT ICSA-23-320-03 | Sep 12, 2023
Siemens | Mitsubishi Electric | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens Desigo CC product family (V5.0, V5.1, V6, and V7) and SENTRON powermanager (>=V4.0) contain multiple remote code execution and denial of service vulnerabilities in the third-party WIBU Systems CodeMeter Runtime component. Successful exploitation could allow attackers to execute arbitrary code on the Desigo CC server or cause service disruption. All Desigo CC versions V5.0 through V6 are affected by all vulnerabilities; V7 is affected only by CVE-2023-3935. Siemens has released a patch to update the CodeMeter Runtime component.

What this means
What could happen
An attacker could remotely execute arbitrary commands on your Desigo CC building automation server, potentially altering HVAC setpoints, lighting schedules, or access controls, or crash the server, causing loss of facility management visibility and control. These systems often control critical building infrastructure, including emergency systems.
Who's at risk
Energy sector operators, municipal utilities, and facility managers running Siemens Desigo CC (building automation, energy management) or SENTRON powermanager (power distribution monitoring). This affects sites that depend on centralized facility control for HVAC, lighting, power distribution, or emergency systems.
How it could be exploited
An attacker on the network can send a specially crafted request to the Desigo CC server that exploits a flaw in the CodeMeter Runtime licensing component. This does not require authentication or user interaction. The vulnerability is in a third-party library that runs with server privileges, allowing remote code execution or process termination.
Prerequisites
  • Network access to the Desigo CC server on its listening port(s)
  • No authentication required
  • Desigo CC V5.0, V5.1, V6, or V7 running in scope
remotely exploitable | no authentication required | low complexity | high CVSS score (9.1) | affects building automation and energy management systems
Exploitability
Some exploitation risk — EPSS score 8.2%
Affected products (19)
9 with fix | 1 pending | 9 EOL
Product                  Affected Versions           Fix Status
PSS(R)CAPE V15           <V15.0.22                   15.0.22
PSS(R)E V34              <V34.9.6                    34.9.6
PSS(R)E V35              <V35.6.1                    35.6.1
PSS(R)ODMS V13.1         <V13.1.12.1                 13.1.12.1
SIMATIC WinCC OA V3.17   All versions < V3.17 P030   3.17 P030
Remediation & Mitigation
Do now
SENTRON powermanager
HOTFIX: Apply Siemens patch to update the CodeMeter Runtime component on all affected Desigo CC and SENTRON powermanager systems
All products
WORKAROUND: Restrict network access to Desigo CC servers using firewall rules, network segmentation, or access control lists; allow only authorized management workstations and necessary building automation devices
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HARDENING: Monitor Desigo CC server logs for suspicious network activity or unexpected process behavior; establish alerting for CodeMeter Runtime anomalies
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PSS(R)CAPE V14, PSS(R)ODMS V13.0, SIMATIC PCS neo V3, SINEMA Remote Connect, SIMATIC PCS neo V4.0, Desigo CC family V5.0, Desigo CC family V5.1, Desigo CC family V6, SENTRON powermanager. Apply the following compensating controls:
HARDENING: Review and implement Siemens operational security guidelines for industrial environments; ensure Desigo CC systems are deployed in protected IT network segments per product manuals