Siemens User Management Component (UMC)
Plan Patch | CVSS 7.5 | ICS-CERT ICSA-23-348-03 | Dec 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens User Management Component (UMC) before V2.11.2 contains multiple vulnerabilities: improper input validation (CWE-20), cross-site scripting (CWE-79), a classic buffer overflow (CWE-120), and a permissive cross-domain policy (CWE-942). The most severe vulnerability could lead to a restart of the UMC server, causing denial of service. UMC is bundled with several Siemens automation and IT products, including Opcenter, SIMATIC PCS neo, SINEC NMS, and TIA Portal, so those products inherit the issues.
What this means
What could happen
An attacker could restart the UMC server remotely, disrupting engineering workstations and automation platform availability. This could prevent operators from making process changes or monitoring control systems during an outage.
Who's at risk
These vulnerabilities affect Siemens automation and IT operations software used by engineering teams in manufacturing, power, water, and other process industries. Specifically impacted are: Opcenter Execution Foundation (manufacturing execution systems), Opcenter Quality (quality management), SIMATIC PCS neo (process control systems), SINEC NMS (network management), and TIA Portal (engineering workstations used to configure PLCs, SCADA, and industrial controllers). Both engineering workstations and automation platform servers that host UMC are at risk.
How it could be exploited
An attacker with network access to the UMC server port (4002/tcp) or the RT server port (4004/tcp) can send a crafted request that triggers the denial-of-service condition and restarts the UMC server. No authentication is required. Separately, an attacker could deliver a crafted link via email or another channel to a UMC user; opening it triggers the client-side (cross-site scripting) vulnerabilities.
Prerequisites
- Network access to UMC server port 4002/tcp or 4004/tcp
- No authentication required (the denial-of-service vector is fully unauthenticated)
- For client-side exploits, user must click or access malicious link
Tags: remotely exploitable · no authentication required · low complexity · denial of service impact · affects engineering workstations · TIA Portal versions 14, 15.1, and 16 have no patch available
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (9): 6 with fix, 3 EOL
Product | Affected Versions | Fix Status
Opcenter Execution Foundation | < V2407 | V2407
Opcenter Quality | < V2312 | V2312
SIMATIC PCS neo | < V4.1 | V4.1
SINEC NMS | < V2.0 SP1 | V2.0 SP1
Totally Integrated Automation Portal (TIA Portal) V17 | < V17 Update 8 | V17 Update 8
Totally Integrated Automation Portal (TIA Portal) V18 | < V18 Update 3 | V18 Update 3
Totally Integrated Automation Portal (TIA Portal) V14 | All versions | No fix (EOL)
Totally Integrated Automation Portal (TIA Portal) V15.1 | All versions | No fix (EOL)
Totally Integrated Automation Portal (TIA Portal) V16 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Block access to UMC server port 4002/tcp using external or local firewall rules
WORKAROUND: Block access to RT server port 4004/tcp using the local firewall if no RT servers are deployed, or an external firewall if only one RT server is used
HARDENING: Educate users not to click links from untrusted sources or open attachments in unsolicited emails
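The two firewall workarounds above, as an added PowerShell example for a Windows host that runs the UMC server or RT server. This script is not from the advisory or from Siemens: it assumes Windows Defender Firewall is the local firewall, and the RT server address 10.0.5.20 and the rule display names are hypothetical. It covers both cases the advisory describes for 4004/tcp (no RT server: block the port; exactly one RT server: allow only that peer) and finishes with a check of the rules that now apply to both ports.

```powershell
# Added example (not from the advisory or from Siemens). Assumptions: Windows
# Defender Firewall is the local firewall; 10.0.5.20 is a hypothetical RT server
# address; rule names are arbitrary. Run from an elevated PowerShell session.

param(
    # Pass $null (or '') when no RT server is deployed: 4004/tcp is then blocked outright.
    [string]$RtServerAddress = '10.0.5.20'
)

# 1. UMC server port 4002/tcp: the advisory's workaround is to block it at the
#    local or external firewall, so create an inbound block rule for all profiles.
New-NetFirewallRule -DisplayName 'UMC - block 4002/tcp (ICSA-23-348-03 workaround)' `
    -Direction Inbound -Protocol TCP -LocalPort 4002 -Action Block -Profile Any | Out-Null

# 2. RT server port 4004/tcp.
if (-not $RtServerAddress) {
    # No RT servers deployed: nothing legitimate talks to 4004/tcp, block it.
    New-NetFirewallRule -DisplayName 'UMC - block 4004/tcp (ICSA-23-348-03 workaround)' `
        -Direction Inbound -Protocol TCP -LocalPort 4004 -Action Block -Profile Any | Out-Null
} else {
    # Exactly one RT server: allow only that peer. Windows Firewall evaluates
    # explicit Block rules before Allow rules, so a "block everything else" rule
    # would also block the peer. Instead rely on the profile default (inbound
    # Block) and disable any existing Allow rule that opens 4004/tcp to everyone.
    # Caveat: this only finds rules whose LocalPort is literally 4004; a rule
    # opening 'Any' or a range such as 4000-4010 must be reviewed by hand.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '4004' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        Disable-NetFirewallRule

    New-NetFirewallRule -DisplayName "UMC - allow 4004/tcp from RT server $RtServerAddress only" `
        -Direction Inbound -Protocol TCP -LocalPort 4004 -RemoteAddress $RtServerAddress `
        -Action Allow -Profile Any | Out-Null

    # Make sure the default inbound action really is Block on every profile,
    # otherwise the scoped Allow rule above restricts nothing.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
}

# 3. Verification: list every rule that now references either port.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq '4002' -or $_.LocalPort -eq '4004' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Format-Table -AutoSize
```

After running it, confirm from a host on the business network that a TCP connection to 4002 (and, where applicable, 4004) times out rather than completing; the rule listing at the end only proves the rules exist, not that no broader Allow rule still matches.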
Schedule — requires maintenance window
Patching may require a device reboot; plan for a process interruption.
Opcenter Execution Foundation
HOTFIX: Update Opcenter Execution Foundation to version 2407 or later
Opcenter Quality
HOTFIX: Update Opcenter Quality to version 2312 or later
SIMATIC PCS neo
HOTFIX: Update SIMATIC PCS neo to version 4.1 or later
SINEC NMS
HOTFIX: Update SINEC NMS to version 2.0 SP1 or later
Totally Integrated Automation Portal (TIA Portal) V17
HOTFIX: Update TIA Portal V17 to Update 8 or later
Totally Integrated Automation Portal (TIA Portal) V18
HOTFIX: Update TIA Portal V18 to Update 3 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Totally Integrated Automation Portal (TIA Portal) V14, Totally Integrated Automation Portal (TIA Portal) V15.1, Totally Integrated Automation Portal (TIA Portal) V16. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate control system networks from business networks
HARDENING: Restrict internet-facing access to UMC and related automation platform components