OTPulse

Siemens SIMATIC WinCC, OpenPCS

MonitorCVSS 6.5ICS-CERT ICSA-24-046-12Feb 13, 2024
Siemens
Attack path
Attack VectorAdjacent
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Two null pointer dereference vulnerabilities in SIMATIC software products (CWE-476) can allow an attacker to cause a persistent denial of service condition in the RPC Server. Affected products include OpenPCS 7, SIMATIC BATCH V9.1, SIMATIC PCS 7 V9.1, SIMATIC Route Control V9.1, SIMATIC WinCC Runtime Professional V18/V19, SIMATIC WinCC V7.4/V7.5/V8.0. The vulnerabilities are not remotely exploitable; an attacker must be on the same network segment as the RPC Server. No known public exploitation has been reported. Siemens has released updated versions for some affected products and recommends updating to the latest versions.

What this means
What could happen
An attacker with network access to the RPC Server could crash SIMATIC software applications, causing a denial of service. The HMI or process control system would stop responding until the service is manually restarted.
Who's at risk
Water authorities and municipal utilities running SIMATIC WinCC HMI software, SIMATIC PCS 7 process control systems, SIMATIC BATCH, SIMATIC Route Control, or OpenPCS systems for SCADA/process control. Organizations using these Siemens products for real-time control of pumps, treatment processes, electrical distribution, or other critical operations.
How it could be exploited
An attacker on the same network segment sends a malformed RPC request to the RPC Server. The null pointer dereference causes the application to crash. By repeating this attack, the attacker can maintain persistent denial of service of the WinCC HMI or process control functions.
Prerequisites
  • Network access to the RPC Server port on the affected device
  • Device and RPC Server must be running and accessible from the attacker's network segment
  • No authentication required
Low complexity attackNo authentication requiredAffects availability of process control and HMI systemsMultiple affected products with varying patch availability
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (9)
5 with fix4 EOL
ProductAffected VersionsFix Status
SIMATIC PCS 7 V9.1<V9.1 SP2 UC059.1 SP2 UC05
SIMATIC WinCC Runtime Professional V18<V18 Update 418 Update 4
SIMATIC WinCC Runtime Professional V19<V19 Update 219 Update 2
SIMATIC WinCC V7.5<V7.5 SP2 Update 157.5 SP2 Update 15
SIMATIC WinCC V8.0<V8.0 Update 48.0 Update 4
OpenPCS 7 V9.1<V9.1 SP2 UC05No fix (EOL)
SIMATIC BATCH V9.1<V9.1 SP2 UC05No fix (EOL)
SIMATIC WinCC V7.4All versionsNo fix (EOL)
Remediation & Mitigation
0/8
Do now
0/1
WORKAROUNDImplement network access controls to restrict traffic to RPC Server ports; use firewall rules to limit which devices can reach the affected systems
Schedule — requires maintenance window
0/5

Patching may require device reboot — plan for process interruption

SIMATIC WinCC V7.5
HOTFIXUpdate SIMATIC WinCC V7.5 to V7.5 SP2 Update 15 or later
SIMATIC WinCC V8.0
HOTFIXUpdate SIMATIC WinCC V8.0 to V8.0 Update 4 or later
SIMATIC WinCC Runtime Professional V18
HOTFIXUpdate SIMATIC WinCC Runtime Professional V18 to V18 Update 4 or later
SIMATIC WinCC Runtime Professional V19
HOTFIXUpdate SIMATIC WinCC Runtime Professional V19 to V19 Update 2 or later
SIMATIC PCS 7 V9.1
HOTFIXUpdate SIMATIC PCS 7 V9.1 to V9.1 SP2 UC05 or later
Mitigations - no patch available
0/2
The following products have reached End of Life with no planned fix: OpenPCS 7 V9.1, SIMATIC BATCH V9.1, SIMATIC WinCC V7.4, SIMATIC Route Control V9.1. Apply the following compensating controls:
HARDENINGIsolate SIMATIC WinCC and process control networks behind firewalls; do not expose to the internet or business network
HARDENINGUse VPN for any required remote access to these systems, with VPN kept current and security posture regularly assessed
View full CISA ICS-CERT advisory
API: /api/v1/advisories/850cbd32-7c33-4995-ac51-98434e307f7f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.