Siemens Industrial Products

Plan Patch | CVSS 7.3 | ICS-CERT ICSA-24-256-08 | Sep 10, 2024
Siemens | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A Socket.IO vulnerability in multiple Siemens industrial products allows a remote attacker to send a specially crafted Socket.IO packet that triggers an uncaught exception on the server, causing the Node.js process to crash. This results in a Denial-of-Service condition affecting the availability of HMI, SCADA interfaces, and Industrial Edge applications. The vulnerability has CVSS 7.3 severity and affects SIMATIC WinCC (versions 7.4, 7.5, 8.0, and Runtime Professional versions 17, 18, 19), SIMATIC PCS neo, TIA Administrator, AI Model Deployer, Data Flow Monitoring IED UI, and LiveTwin Industrial Edge app. Siemens has released fixes for most products but has not planned fixes for WinCC V7.4 and WinCC Runtime Professional V17. For products without fixes, Siemens recommends network segmentation and access control measures.

What this means
What could happen
An attacker can send a crafted network packet to crash the Node.js process running these Siemens industrial products, causing the HMI, SCADA interface, or edge application to become unavailable and potentially disrupting monitoring and control of manufacturing processes.
Who's at risk
Manufacturing facilities using Siemens HMI and SCADA systems, particularly those running WinCC Runtime Professional, WinCC, SIMATIC PCS neo, or TIA Administrator for process monitoring and control. This affects both traditional on-premises SCADA setups and modern Industrial Edge app deployments.
How it could be exploited
An attacker with network access to the Socket.IO server on the affected product sends a specially crafted Socket.IO packet. The packet triggers an uncaught exception in the server code, causing the Node.js process to terminate. The application goes offline, interrupting operator visibility and remote access to the industrial system.
Prerequisites
  • Network access to the Socket.IO port on the affected device (typically port 3000 or 443 depending on deployment)
  • No authentication required to send the malicious packet
  • Device must be running a vulnerable version of the affected product
  • remotely exploitable
  • no authentication required
  • low complexity
  • affects process availability and monitoring
  • no patch available for WinCC V7.4 and WinCC Runtime Professional V17
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (12)
10 with fix, 2 EOL
Product | Affected Versions | Fix Status
SIMATIC WinCC Runtime Professional V17 | All versions | No fix (EOL)
AI Model Deployer | <V1.1 | 1.1
Data Flow Monitoring Industrial Edge Device User Interface (DFM IED UI) | <V0.0.6 | 0.0.6
LiveTwin Industrial Edge app | <V2.4 | 2.4
SIMATIC PCS neo V4.1 | <V4.1 Update 2 | 4.1 Update 2
SIMATIC PCS neo V5.0 | <V5.0 Update 1 | 5.0 Update 1
SIMATIC WinCC Runtime Professional V18 | <V18 Update 5 | 18 Update 5
SIMATIC WinCC Runtime Professional V19 | <V19 Update 3 | 19 Update 3
Remediation & Mitigation
Do now
SIMATIC WinCC Runtime Professional V17
WORKAROUND: Isolate SIMATIC WinCC Runtime Professional V17 and V7.4 instances from direct internet access and untrusted networks until Siemens releases patches
All products
WORKAROUND: Restrict network access to the Socket.IO service ports using a firewall; allow only trusted engineering and operator workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC Runtime Professional V18
HOTFIX: Update SIMATIC WinCC Runtime Professional V18 to V18 Update 5 or later
SIMATIC WinCC Runtime Professional V19
HOTFIX: Update SIMATIC WinCC Runtime Professional V19 to V19 Update 3 or later
SIMATIC WinCC V8.0
HOTFIX: Update SIMATIC WinCC V8.0 to V8.0 Update 5 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to V7.5 SP2 Update 18 or later
AI Model Deployer
HOTFIX: Update AI Model Deployer to V1.1 or later
TIA Administrator
HOTFIX: Update TIA Administrator to V3.0.3 or later
SIMATIC PCS neo V4.1
HOTFIX: Update SIMATIC PCS neo V4.1 to V4.1 Update 2 or later
SIMATIC PCS neo V5.0
HOTFIX: Update SIMATIC PCS neo V5.0 to V5.0 Update 1 or later