OTPulse

Siemens SIMATIC STEP 7 (TIA Portal)

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-24-193-17 | Jul 9, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. An attacker who can get a crafted file opened in the application can cause type confusion during deserialization and execute arbitrary code within the affected application. The vulnerability exists in SIMATIC STEP 7 (TIA Portal) V16, V17, V18 (before Update 2), and SIMATIC PCS neo V4.0. No exploitation has been publicly reported, and the vulnerability is not remotely exploitable: it requires a user to open a malicious file on their engineering workstation.

What this means
What could happen
An attacker who can get a file onto a user's workstation could craft it so that, when opened in an affected TIA Portal or PCS neo version, it executes arbitrary code with the privileges of the user running the application. From an engineering workstation, that code could use the workstation's engineering access to modify PLC programs, control logic, or process parameters.
Who's at risk
This affects engineering staff and automation professionals at water utilities, electric utilities, and any facility using Siemens TIA Portal for PLC and automation system programming. Organizations running SIMATIC STEP 7 V16, V17, V18 (pre-Update 2), or SIMATIC PCS neo V4.0 are vulnerable if their engineering workstations are exposed to untrusted files.
How it could be exploited
An attacker creates a file containing malicious .NET serialized data and delivers it to an engineer who uses the workstation (via email, USB, or network share). When the engineer opens the file in SIMATIC STEP 7 or SIMATIC PCS neo, the unrestricted BinaryFormatter resolves and instantiates whatever types the stream names, triggering type confusion that results in arbitrary code execution on the workstation with that user's privileges.
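The pattern the advisory describes, shown as an added example that is not Siemens code and does not reflect how TIA Portal or the V18 Update 2 fix is implemented. The unrestricted loader resolves and constructs whatever type the stream names; the restricted loader attaches a SerializationBinder that vetoes every type not on an allow-list before it is instantiated. It assumes .NET Framework 4.x (where BinaryFormatter is still available); the ProjectSettings type and the sample project name are hypothetical.

```csharp
// Added example (not Siemens code). Assumes .NET Framework 4.x.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public sealed class ProjectSettings   // hypothetical type the application expects to load
{
    public string ProjectName;
    public int SchemaVersion;
}

// BinaryFormatter consults the binder for every class record in the stream, so a
// stream that names an unexpected type fails here instead of being instantiated.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(ProjectSettings).FullName, typeof(ProjectSettings) }
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        Type t;
        if (Allowed.TryGetValue(typeName, out t)) return t;
        // Throw rather than return null: a null result makes BinaryFormatter fall back
        // to its default type resolution, which silently defeats the allow-list.
        throw new SerializationException("Refusing to deserialize unexpected type: " + typeName);
    }
}

public static class SettingsLoader
{
    // VULNERABLE: any type encoded in the stream is resolved and constructed. The cast
    // only runs after deserialization, i.e. after a gadget chain has already executed.
    public static ProjectSettings LoadUnrestricted(byte[] data)
    {
        var formatter = new BinaryFormatter();
        using (var ms = new MemoryStream(data))
            return (ProjectSettings)formatter.Deserialize(ms);
    }

    // RESTRICTED: the binder rejects unexpected types before they are instantiated.
    public static ProjectSettings LoadRestricted(byte[] data)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var ms = new MemoryStream(data))
            return (ProjectSettings)formatter.Deserialize(ms);
    }

    public static byte[] Save(ProjectSettings settings)
    {
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, settings);
            return ms.ToArray();
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] benign = SettingsLoader.Save(new ProjectSettings { ProjectName = "Pump_Station_1", SchemaVersion = 3 });
        Console.WriteLine("Loaded: " + SettingsLoader.LoadRestricted(benign).ProjectName);

        // A stream whose root object is a type the application never writes. A harmless
        // System.Uri stands in for an attacker's gadget type; the binder rejects it.
        byte[] unexpected;
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, new Uri("http://example.invalid/"));
            unexpected = ms.ToArray();
        }
        try
        {
            SettingsLoader.LoadRestricted(unexpected);
        }
        catch (SerializationException e)
        {
            Console.WriteLine("Blocked: " + e.Message);
        }
    }
}
```

A binder narrows the attack surface but does not make BinaryFormatter safe: Microsoft's own guidance is that the formatter cannot be secured and should be replaced with a serializer that does not let the input select the type to construct. Whether Siemens took that route in V18 Update 2 is not stated in the advisory.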
Prerequisites
  • User interaction required: operator must open the malicious file in the vulnerable application
  • File delivery to engineering workstation (email, USB, network share, etc.)
  • Victim workstation must have vulnerable version of SIMATIC STEP 7 or SIMATIC PCS neo installed
Key points: requires user interaction · low attack complexity · affects engineering workstations with program modification capability · no fix available for STEP 7 V16, V17, and PCS neo V4.0 · high CVSS score (7.8) · type confusion / unsafe deserialization
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
1 with fix, 3 EOL
Product | Affected versions | Fix status
SIMATIC STEP 7 V18 | < V18 Update 2 | Fixed in V18 Update 2
SIMATIC STEP 7 V16 | All versions | No fix (EOL)
SIMATIC STEP 7 V17 | All versions | No fix (EOL)
SIMATIC PCS neo V4.0 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Do not open untrusted or unexpected files from unknown sources in SIMATIC STEP 7 or SIMATIC PCS neo.
Schedule — requires maintenance window

Installing the update may require restarting the engineering workstation; plan for interruption to any online sessions with controllers.

SIMATIC STEP 7 V18
HOTFIX: Update SIMATIC STEP 7 V18 to Update 2 or later.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC STEP 7 V16, SIMATIC STEP 7 V17, SIMATIC PCS neo V4.0. Apply the following compensating controls:
HARDENING: Implement network access controls and firewall rules to restrict unauthorized file delivery to engineering workstations.
HARDENING: Isolate engineering workstations on a separate network segment with restricted internet access and controlled file import.
HARDENING: Implement email security controls to filter attachments and block suspicious file types from reaching engineering staff.
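A triage check that supports the controlled-file-import control above, added here as an example and not part of the advisory or any Siemens tooling. It locates embedded .NET BinaryFormatter streams (MS-NRBF format) in a file by their SerializationHeaderRecord and reports the root type and assembly each stream names, so a file whose root type is not one the application is known to write can be quarantined before an engineer opens it. It assumes .NET Framework 4.x or .NET 6+ and that files packed in compressed containers are unpacked before scanning; the allow-listed type name, assembly names and wrapper bytes are constructed for the demo. The header layout and record types follow the MS-NRBF specification.

```csharp
// Added example (not Siemens or OTPulse code). Finds embedded NRBF streams and reports their root type.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

public sealed class NrbfRoot
{
    public long Offset;          // where the SerializationHeaderRecord starts in the file
    public string Library = "";  // assembly named by a preceding BinaryLibrary record ("" for system types)
    public string RootType = ""; // class name from the first class record after the header
}

public static class NrbfTriage
{
    // SerializationHeaderRecord: RecordType 0x00, RootId, HeaderId, MajorVersion = 1, MinorVersion = 0 (17 bytes).
    // RootId and HeaderId vary, so match the record type byte and the fixed version fields.
    public static List<NrbfRoot> Scan(byte[] data)
    {
        var hits = new List<NrbfRoot>();
        for (int i = 0; i + 17 <= data.Length; i++)
        {
            if (data[i] != 0x00) continue;
            if (BitConverter.ToInt32(data, i + 9) != 1 || BitConverter.ToInt32(data, i + 13) != 0) continue;
            NrbfRoot r = TryReadRoot(data, i);
            if (r != null) hits.Add(r);
        }
        return hits;
    }

    private static NrbfRoot TryReadRoot(byte[] data, int offset)
    {
        try
        {
            using (var ms = new MemoryStream(data, offset + 17, data.Length - offset - 17))
            using (var br = new BinaryReader(ms, Encoding.UTF8))
            {
                var r = new NrbfRoot { Offset = offset };
                byte rec = br.ReadByte();
                if (rec == 0x0C)                   // BinaryLibrary: LibraryId, LibraryName
                {
                    br.ReadInt32();
                    r.Library = br.ReadString();   // NRBF LengthPrefixedString has the same 7-bit length prefix BinaryReader uses
                    rec = br.ReadByte();
                }
                // 0x02..0x05 = (System)ClassWithMembers(AndTypes); all begin with ClassInfo: ObjectId, Name, MemberCount
                if (rec < 0x02 || rec > 0x05) return null;
                br.ReadInt32();
                r.RootType = br.ReadString();
                int memberCount = br.ReadInt32();
                if (memberCount < 0 || memberCount > 4096) return null;   // implausible count: treat as a false header match
                return r;
            }
        }
        catch (IOException) { return null; }       // includes EndOfStreamException
        catch (FormatException) { return null; }   // malformed 7-bit length prefix
    }
}

public static class Demo
{
    // Constructed sample: header, BinaryLibrary(id 2), ClassWithMembersAndTypes with 0 members, MessageEnd.
    public static byte[] Constructed(string library, string rootType)
    {
        using (var ms = new MemoryStream())
        using (var bw = new BinaryWriter(ms, Encoding.UTF8))
        {
            bw.Write((byte)0x00); bw.Write(1); bw.Write(-1); bw.Write(1); bw.Write(0);
            bw.Write((byte)0x0C); bw.Write(2); bw.Write(library);
            bw.Write((byte)0x05); bw.Write(1); bw.Write(rootType); bw.Write(0); bw.Write(2);
            bw.Write((byte)0x0B);
            return ms.ToArray();
        }
    }

    private static byte[] Wrap(byte[] stream)   // constructed container bytes in front of the stream
    {
        byte[] head = Encoding.ASCII.GetBytes("CONTAINER-HEADER\n");
        byte[] file = new byte[head.Length + stream.Length];
        Buffer.BlockCopy(head, 0, file, 0, head.Length);
        Buffer.BlockCopy(stream, 0, file, head.Length, stream.Length);
        return file;
    }

    public static void Main()
    {
        var expectedRoots = new HashSet<string> { "Acme.Engineering.ProjectSettings" };   // hypothetical allow-list
        byte[] benign = Wrap(Constructed("Acme.Engineering, Version=1.0.0.0", "Acme.Engineering.ProjectSettings"));
        byte[] suspect = Wrap(Constructed("System.Data, Version=4.0.0.0", "System.Data.DataSet"));   // a type the app never writes
        foreach (byte[] file in new[] { benign, suspect })
            foreach (NrbfRoot hit in NrbfTriage.Scan(file))
                Console.WriteLine("offset {0}: root {1} [{2}] -> {3}", hit.Offset, hit.RootType, hit.Library,
                    expectedRoots.Contains(hit.RootType) ? "expected" : "QUARANTINE");
    }
}
```

The check reads only the first class record, which is enough to compare the root type against what the application legitimately persists; it deliberately does not walk the rest of the stream, so an unexpected root type is a reason to quarantine, while an expected one is not proof the file is clean.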