OTPulse

Siemens SIMATIC PCS neo

Priority: Plan Patch (score 8)
ICS-CERT advisory: ICSA-23-320-06
Published: Nov 14, 2023
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

SIMATIC PCS neo before V4.1 contains multiple vulnerabilities: missing authentication for a critical function (CWE-306), SQL injection (CWE-89), a permissive cross-domain policy with untrusted domains (CWE-942), and cross-site scripting (CWE-79). Exploitation requires adjacent network access to the workstation and user interaction. Siemens has released version 4.1 with fixes.

What this means
What could happen
An attacker with access to the engineering network could exploit these vulnerabilities to execute code, manipulate process configurations, or extract data from the SIMATIC PCS neo engineering workstations, potentially affecting the design and deployment of control logic to field devices.
Who's at risk
Operators of industrial process automation systems using Siemens SIMATIC PCS neo (a process control engineering platform) running versions prior to 4.1. This affects plants and facilities that use PCS neo for designing, configuring, and monitoring automated processes in manufacturing, utilities, and chemical industries.
How it could be exploited
An attacker must be on the same adjacent network (not internet-reachable) as a SIMATIC PCS neo workstation and trick a user into interacting with malicious input. This could involve delivering a specially crafted SQL injection or cross-site scripting payload through the application. Once triggered, the attacker could run commands or modify project data on the engineering workstation.
Prerequisites
  • Attacker must be on the same network segment as the SIMATIC PCS neo workstation (cannot be exploited from the internet)
  • User interaction required (user must click or interact with malicious content)
  • Credentials are not required, but the targeted user must be actively using the application
Tags: Affects engineering/control design systems · Requires user interaction · Low EPSS score (0.2%) · Not remotely exploitable
Exploitability
Low exploit probability: EPSS 0.2% (estimated probability of exploitation activity in the wild within the next 30 days)
Affected products (1)
Product          | Affected Versions | Fix Status
SIMATIC PCS neo  | < V4.1            | Fixed in V4.1
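The affected range above is simple (everything below V4.1), but fleet inventories rarely record versions in one clean format. The following triage helper is an added example, not part of this advisory or any Siemens tooling: it parses Siemens-style version strings ("V4.0 Update 2", "V3.1 SP1", "4.2" are assumed formats), flags installs below the fixed version, and ranks each affected host by whether it already sits on an isolated engineering segment, since the attack vector here is adjacent-network. The inventory and the priority labels are constructed for illustration.

```python
"""Triage helper for ICSA-23-320-06: flag SIMATIC PCS neo installs below V4.1.

Added example, not code from the advisory or from Siemens. The version-string
pattern and the sample inventory below are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# From the advisory: every version below V4.1 is affected; V4.1 contains the fix.
FIXED_VERSION = "V4.1"

# Assumed Siemens-style format: optional "V", major.minor, optional "Update n" / "SPn".
_VERSION_RE = re.compile(
    r"^\s*V?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\s*(?:Update|Upd\.?|SP)\s*(?P<patch>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'V4.0 Update 2' into (4, 0, 2); raise ValueError on unknown formats."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return parse_version(installed) < parse_version(fixed)


@dataclass
class Host:
    name: str
    version: str
    engineering_vlan: bool  # True if already isolated from business networks


def triage(inventory: list[Host]) -> dict[str, str]:
    """Map each host to an action, ordered by exposure to adjacent attackers."""
    result: dict[str, str] = {}
    for h in inventory:
        try:
            affected = is_affected(h.version)
        except ValueError:
            # Unparseable record: never silently treat it as patched.
            result[h.name] = "verify manually"
            continue
        if not affected:
            result[h.name] = "not affected"
        elif h.engineering_vlan:
            result[h.name] = "schedule patch to V4.1"
        else:
            # Reachable from a flat network: segment first, then patch.
            result[h.name] = "urgent: segment now, then patch to V4.1"
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    Host("ES-01", "V4.0 Update 2", engineering_vlan=False),
    Host("ES-02", "V3.1 SP1", engineering_vlan=True),
    Host("ES-03", "V4.1", engineering_vlan=True),
    Host("ES-04", "4.2", engineering_vlan=False),
    Host("ES-05", "unknown", engineering_vlan=True),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {action}")
```

Unparseable versions are deliberately surfaced rather than skipped; in practice the host with a blank or odd version field is the one most likely to have been forgotten.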
Remediation & Mitigation
Do now
HARDENING: Restrict network access to SIMATIC PCS neo workstations to authorized engineering personnel only, using network segmentation or firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC PCS neo to version 4.1 or later
Long-term hardening
HARDENING: Isolate engineering networks running SIMATIC PCS neo from business networks and the internet
HARDENING: For remote engineering access, use Virtual Private Networks (VPNs) kept current with security patches