OTPulse

Siemens Engineering Platforms

Plan Patch · 7.3 · ICS-CERT ICSA-24-319-07 · Nov 12, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

A type confusion vulnerability exists in Siemens engineering platforms when parsing user-supplied files. The affected applications do not properly sanitize input, allowing arbitrary code execution within the application if a user opens a malicious file. The vulnerability affects a wide range of engineering software used to configure and program industrial automation systems, including S7-PLCSIM, STEP 7, WinCC, SIMOCODE ES, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS ES products, and TIA Portal Cloud.

What this means
What could happen
An attacker could cause code execution within an engineering workstation by tricking a user into opening a malicious file, potentially allowing unauthorized modifications to PLC programs, control system configurations, or safety parameters that could affect plant operations.
Who's at risk
This affects manufacturers and integrators who use Siemens engineering software to design and program PLCs, safety controllers, variable frequency drives, and HMI systems. Any organization using SIMATIC STEP 7, WinCC, SIMOCODE ES, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS controllers, or TIA Portal Cloud V16, V17, or V18 should assess their exposure. The risk is primarily to engineering workstations and laptops used by control system engineers and integrators who download or receive project files.
How it could be exploited
An attacker would create a specially crafted file (such as a project file or configuration file) designed to trigger the type confusion when parsed by one of the affected applications. The attacker delivers this file to an engineering user via email, file sharing, or social engineering. When the user opens the file in the affected application, the vulnerability is triggered, executing arbitrary code with the privileges of that user.
Prerequisites
  • User must open a malicious file from an untrusted source in one of the affected applications
  • Engineering workstation must have one of the vulnerable versions installed
  • User interaction required (opening the file)

  • Low complexity attack requiring user interaction
  • Affects safety-critical engineering tools
  • No patch available for V16 versions and several V17/V18 products
  • Engineering files are often shared across organizations and with integrators
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (30)
11 with fix · 19 pending
Product | Affected Versions | Fix Status
SIMATIC S7-PLCSIM V16 | All versions | No fix yet
SIMATIC S7-PLCSIM V17 | All versions | No fix yet
SIMATIC STEP 7 Safety V16 | All versions | No fix yet
SIMATIC STEP 7 Safety V17 | < V17 Update 8 | 17 Update 8
SIMATIC STEP 7 Safety V18 | < V18 Update 5 | 18 Update 5
Remediation & Mitigation
Do now
WORKAROUND: Restrict file sources and train users to avoid opening files from untrusted or unknown sources in affected applications
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 V17
HOTFIX: Update SIMATIC STEP 7 V17, STEP 7 Safety V17, WinCC V17, WinCC Unified V17, SIMOCODE ES V17, SIRIUS Safety ES V17, SIRIUS Soft Starter ES V17 to Update 8 or later
HOTFIX: For SIMOTION SCOUT TIA V5.4 SP3 and SINAMICS Startdrive V17, update SIMATIC STEP 7 V17 to Update 8 or later as a dependency
SIMATIC STEP 7 V18
HOTFIX: Update SIMATIC STEP 7 V18, STEP 7 Safety V18, WinCC V18, WinCC Unified V18 to Update 5 or later
HOTFIX: For SIMOCODE ES V18, SIMOTION SCOUT TIA V5.5 SP1, SINAMICS Startdrive V18, SIRIUS Safety ES V18, SIRIUS Soft Starter ES V18, update SIMATIC STEP 7 V18 to Update 5 or later as a dependency
SIRIUS Safety ES V17 (TIA Portal)
HOTFIX: Update TIA Portal Cloud V17 to version 4.6.0.1 or later and update TIA Portal to V17 Update 8 or later
HOTFIX: Update TIA Portal Cloud V18 to version 4.6.1.0 or later and update TIA Portal to V18 Update 5 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate engineering workstations from general network traffic and limit exposure to social engineering delivery mechanisms
HARDENING: Deploy email and web filtering to reduce the likelihood of users receiving malicious files