Path Traversal Vulnerability in TIA Portal
Plan Patch | 7.3 | SSA-116924 | Apr 11, 2023
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
TIA Portal contains a path traversal vulnerability that allows arbitrary file creation or overwriting on the engineering workstation. An attacker can exploit this by tricking a user into opening a malicious PC system configuration file, potentially leading to arbitrary code execution on the engineering system. The vulnerability is triggered when a configuration file is opened in TIA Portal and could allow an attacker to write files to any location accessible by the user running TIA Portal.
What this means
What could happen
An attacker could trick an engineer into opening a malicious configuration file, allowing arbitrary file creation or overwriting on the engineering workstation, potentially leading to malicious code execution on the system where the engineer is designing or modifying your plant controls.
Who's at risk
Plant engineers and control system designers using TIA Portal for PLC and HMI programming on Windows engineering workstations. This affects any organization using Siemens automation systems (S7-1200, S7-1500, HMI devices) that rely on TIA Portal for system configuration and deployment.
How it could be exploited
An attacker crafts a malicious TIA Portal PC system configuration file and sends it to an engineer. When the engineer opens the file in TIA Portal, the path traversal flaw allows the attacker to write files to arbitrary locations on the engineering workstation. If those files include executable code or scripts, the attacker gains code execution on the system with the same privileges as the engineer.
Prerequisites
- Engineer must open a malicious configuration file in TIA Portal
- User interaction required (opening the file)
- Attacker must be able to deliver the malicious file to the engineer (email, shared file storage, USB, etc.)
- Requires user interaction (engineer must open malicious file)
- Affects engineering workstations, not production systems directly
- No patch available for V15
- Low EPSS score (0.1%) indicates low exploit probability
- Could lead to compromise of engineering system and control logic
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
3 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Totally Integrated Automation Portal (TIA Portal) V15 | All versions | No fix (EOL) |
| Totally Integrated Automation Portal (TIA Portal) V16 | All versions < V16 Update 7 | 16 Update 7 |
| Totally Integrated Automation Portal (TIA Portal) V17 | All versions < V17 Update 6 | 17 Update 6 |
| Totally Integrated Automation Portal (TIA Portal) V18 | All versions < V18 Update 1 | 18 Update 1 |
Remediation & Mitigation
Do now
Totally Integrated Automation Portal (TIA Portal) V15
WORKAROUND: For TIA Portal V15 (no patch available), restrict opening of PC system configuration files to trusted sources only; educate engineers not to open configuration files from untrusted senders
All products
HARDENING: Require engineers to verify the source and integrity of configuration files before opening them
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Totally Integrated Automation Portal (TIA Portal) V15
HOTFIX: Update TIA Portal V16 to Update 7 or later
HOTFIX: Update TIA Portal V17 to Update 6 or later
HOTFIX: Update TIA Portal V18 to Update 1 or later
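One way to implement the source-and-integrity check from the hardening step above, as an added example that is not from Siemens or the original advisory: it compares a configuration file's SHA-256 against a manifest released through a trusted channel before the file is opened. The manifest layout, the file names and the `check_config` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so large files are not loaded into memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_config(path: Path, manifest: dict) -> str:
    """Return 'approved', 'unknown' (not in manifest) or 'modified' (hash differs)."""
    entry = manifest.get(path.name)
    if entry is None:
        return "unknown"
    if hmac.compare_digest(sha256_file(path), entry["sha256"].lower()):
        return "approved"
    return "modified"


def demo() -> dict:
    """Run the check over constructed sample files and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        inbox = Path(tmp)
        good = inbox / "line1_station.cfg"      # constructed file name
        good.write_bytes(b"constructed sample: approved configuration\n")
        # Hypothetical manifest, as a releasing team might publish it out-of-band.
        manifest = {
            good.name: {"sha256": sha256_file(good), "released_by": "controls-team"},
            "line2_station.cfg": {"sha256": "0" * 64, "released_by": "controls-team"},
        }
        tampered = inbox / "line2_station.cfg"  # content does not match the manifest
        tampered.write_bytes(b"constructed sample: altered after release\n")
        stray = inbox / "from_email.cfg"        # never released, absent from manifest
        stray.write_bytes(b"constructed sample: unsolicited attachment\n")
        return {p.name: check_config(p, manifest) for p in (good, tampered, stray)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only files that come back `approved` should be opened in TIA Portal. The manifest itself has to arrive through a channel that the sender of the configuration file cannot alter.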
CVEs (1)