OTPulse

Siemens TIA Portal and SIMATIC STEP 7

Monitor | 6.3 | ICS-CERT ICSA-24-193-12 | Jul 9, 2024
Attack Vector: Local
Auth Required: High
Complexity: High
User Interaction: Required
Summary

The affected Siemens TIA Portal and SIMATIC STEP 7 Safety applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. A type confusion vulnerability allows an attacker to execute arbitrary code within the application when processing crafted PLC software files. This affects SIMATIC STEP 7 Safety V18 prior to Update 2.

What this means
What could happen
An attacker with local access to an engineering workstation running TIA Portal or STEP 7 Safety could execute arbitrary code by uploading specially crafted PLC software, potentially allowing them to modify control logic or plant behavior without detection.
Who's at risk
This affects automation engineers and IT personnel at utilities and water authorities who use Siemens TIA Portal or STEP 7 Safety for PLC programming and configuration. Risk is highest when engineering workstations accept files from external sources (contractors, maintenance vendors, other facilities).
How it could be exploited
An attacker would need to deliver malicious PLC software (via untrusted MMC card, USB drive, or network upload) to an engineering workstation. When the software is deserialized by the vulnerable .NET BinaryFormatter, type confusion occurs, allowing arbitrary code execution in the context of the TIA Portal or STEP 7 application running on that workstation.
Prerequisites
  • Local or physical access to the engineering workstation
  • Ability to upload or inject a PLC software file to the workstation
  • TIA Portal or SIMATIC STEP 7 Safety running the vulnerable version
  • User interaction required (opening/loading the malicious software)
Tags: local access required · user interaction required · high privilege required (engineering credentials) · affects safety systems · no authentication on file upload
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
SIMATIC STEP 7 Safety V18 | <V18 Update 2 | 18 Update 2
Remediation & Mitigation
Do now
WORKAROUND: Do not upload PLC software from untrusted devices, MMC cards, or unknown sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC STEP 7 Safety V18 to V18 Update 2 or later version
HOTFIX: Update TIA Portal to V18 Update 2 or later version
Long-term hardening
HARDENING: Segment engineering workstations from the business network and restrict file uploads to known, verified sources only
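
An added example, not part of the advisory or of any Siemens tooling: a Python intake check for the workaround and hardening items above, which clears a received file only if its SHA-256 is on an approved manifest and flags .NET BinaryFormatter (MS-NRBF) stream headers in anything else. The function names, the manifest and the sample bytes are constructed for illustration, and the check assumes the serialized stream is stored uncompressed inside the file.

```python
import hashlib
import struct

# MS-NRBF SerializationHeaderRecord (17 bytes): RecordTypeEnum 0x00, then
# little-endian int32 RootId, HeaderId, MajorVersion (1), MinorVersion (0).
VERSION_TAIL = struct.pack("<ii", 1, 0)  # MajorVersion=1, MinorVersion=0


def find_nrbf_headers(data: bytes) -> list[int]:
    """Heuristic: offsets where a BinaryFormatter stream header appears to start."""
    offsets = []
    pos = data.find(VERSION_TAIL)
    while pos != -1:
        start = pos - 9  # record-type byte + RootId + HeaderId precede the version
        if start >= 0 and data[start] == 0x00:
            offsets.append(start)
        pos = data.find(VERSION_TAIL, pos + 1)
    return offsets


def vet_file(data: bytes, approved_sha256: set[str]) -> dict:
    """Decide what to do with a file received on the engineering workstation."""
    digest = hashlib.sha256(data).hexdigest()
    headers = find_nrbf_headers(data)
    if digest in approved_sha256:
        action = "open"        # known, verified source
    elif headers:
        action = "quarantine"  # unverified and carries serialized .NET objects
    else:
        action = "review"      # unverified: never opened automatically
    return {"sha256": digest, "nrbf_offsets": headers, "action": action}


# Constructed sample data, not real TIA Portal or STEP 7 project content.
NRBF_HEADER = b"\x00" + struct.pack("<iiii", 1, -1, 1, 0)
SAMPLE_WITH_STREAM = b"CONTAINER" + NRBF_HEADER + b"\x0b"  # 0x0b = MessageEnd
SAMPLE_PLAIN = b"plain project notes, no serialized objects"
APPROVED = {hashlib.sha256(SAMPLE_PLAIN).hexdigest()}  # hypothetical manifest

if __name__ == "__main__":
    for name, blob in [("with_stream", SAMPLE_WITH_STREAM), ("plain", SAMPLE_PLAIN)]:
        print(name, vet_file(blob, APPROVED))
```

The header match is a byte-pattern heuristic and can produce false positives on zero-heavy binary data, so a hit is a reason to hold the file, not proof of a malicious payload.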