Siemens Engineering Platforms

Plan Patch | CVSS 7.3 | ICS-CERT ICSA-24-319-07 | Nov 12, 2024
Siemens | Manufacturing
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Siemens engineering and automation software products fail to properly sanitize user-controllable input when parsing files, allowing a type confusion condition that could lead to arbitrary code execution within the affected application. Affected products include SIMATIC STEP 7, SIMATIC WinCC, TIA Portal, SINAMICS Startdrive, SIMOTION SCOUT TIA, SIMOCODE ES, SIRIUS Safety ES, and SIRIUS Soft Starter ES.

What this means
What could happen
An attacker who can trick a user into opening a malicious file could execute arbitrary code on the engineering workstation, potentially allowing them to modify PLC/automation logic, alter safety configurations, or compromise the integrity of your control system design and deployment process.
Who's at risk
This affects manufacturers and utilities that use Siemens TIA Portal, STEP 7, WinCC, SINAMICS Startdrive, and related engineering tools to design and configure industrial automation and control systems. All engineering workstations running affected versions of these applications are at risk when users are exposed to files from untrusted sources.
How it could be exploited
An attacker sends a specially crafted file (likely a Siemens project file or configuration file) to an engineer. When the engineer opens this file in any of the affected Siemens engineering applications on their workstation, the application fails to properly validate the file contents, triggering a type confusion condition that allows the attacker's code to execute with the privileges of the engineering application and the logged-in user.
Prerequisites
  • File must be opened by a user on a system with one of the affected Siemens engineering applications installed
  • User must have local access or the ability to deliver the malicious file (e.g., email attachment, USB drive, network share)
  • Local code execution on engineering workstation
  • Low complexity exploitation (malicious file)
  • User interaction required (file must be opened)
  • Affects safety system engineering tools
  • No patch available for V16 products (end-of-life)
  • Partial fixes available (many products unfixed in newer versions)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (30)
11 with fix, 19 pending

Product | Affected Versions | Fix Status
SIMATIC S7-PLCSIM V16 | All versions | No fix yet
SIMATIC S7-PLCSIM V17 | All versions | No fix yet
SIMATIC STEP 7 Safety V16 | All versions | No fix yet
SIMATIC STEP 7 Safety V17 | <V17 Update 8 | 17 Update 8
SIMATIC STEP 7 Safety V18 | <V18 Update 5 | 18 Update 5
Remediation & Mitigation
Do now
WORKAROUND: Restrict engineers from opening files from untrusted or unknown sources in Siemens engineering applications, and implement user awareness training on email attachment and file transfer risks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 V17
HOTFIX: Update SIMATIC STEP 7 V17 to V17 Update 8 or later
SIMATIC STEP 7 V18
HOTFIX: Update SIMATIC STEP 7 V18 to V18 Update 5 or later
SIMATIC WinCC V17
HOTFIX: Update SIMATIC WinCC V17 to V17 Update 8 or later
SIMATIC WinCC V18
HOTFIX: Update SIMATIC WinCC V18 to V18 SP5 or later
SIRIUS Safety ES V17 (TIA Portal)
HOTFIX: Update TIA Portal Cloud V17 to V4.6.0.1 or later and then update TIA Portal to V17 Update 8 or later
HOTFIX: Update TIA Portal Cloud V18 to V4.6.1.0 or later and then update TIA Portal to V18 Update 5 or later
Long-term hardening
HARDENING: Implement network access controls and configure IT security measures around systems running Siemens engineering applications according to Siemens operational security guidelines