OTPulse

Siemens SIPORT

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-24-319-02 | Nov 12, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SIPORT before version 3.4.0 contains a privilege escalation vulnerability in how it manages file and folder permissions in its installation directory. A local attacker with an unprivileged user account can modify the SIPORT service executable and gain elevated (administrative) privileges, potentially allowing unauthorized changes to system configuration or operational parameters. The vulnerability stems from excessive write permissions granted to non-administrative users on critical installation files. Siemens has released version 3.4.0 as a fix and recommends updating immediately. As an interim workaround, administrators can manually restrict write permissions on the installation directory to administrative users only.

What this means
What could happen
An attacker with a local unprivileged account on the SIPORT system could escalate privileges and gain full control of the device, allowing them to modify process control logic or stop operations.
Who's at risk
Operators of SIPORT systems at water utilities, power plants, and other critical infrastructure that use Siemens SIPORT for automation, monitoring, or control functions. Anyone with local server access (maintenance staff, domain administrators, or compromised accounts) could exploit this if the server runs a version prior to 3.4.0.
How it could be exploited
An attacker with local access to the server running SIPORT uses their unprivileged user account to modify the service executable file in the installation directory (which has excessive write permissions), then restarts the service to execute malicious code with elevated privileges.
Prerequisites
  • Local user account on the SIPORT server (unprivileged access sufficient)
  • Write permissions enabled on SIPORT installation directory files and folders for non-administrative users
  • Ability to restart or trigger service execution
Local privilege escalation · Low complexity exploitation · Low CVSS base score (7.8) · File permissions misconfiguration · Affects control system platform
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
SIPORT | < V3.4.0 | 3.4.0
Remediation & Mitigation
Do now
WORKAROUND: Remove write permissions for non-administrative users on all files and folders in the SIPORT installation directory
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIPORT to version 3.4.0 or later
Long-term hardening
HARDENING: Restrict physical and logical access to SIPORT servers; isolate them from business networks and the internet using firewalls
HARDENING: Use VPN or jump hosts for any remote administrative access to SIPORT systems