OTPulse

Denial-of-Service Vulnerability in SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC Software

Plan Patch | CVSS 7.5 | SSA-270778 | Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A Denial-of-Service vulnerability exists in SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC software when encrypted communication is enabled. The vulnerability is caused by an error in the shared SIMATIC Communication Services (SCS) component used across multiple products. An attacker with network access can send a specially crafted packet that triggers an unhandled condition, causing the affected application to stop responding or crash. This disrupts process monitoring, alarming, and engineering access. Versions prior to SIMATIC WinCC V7.3 or SIMATIC PCS 7 V8.1 are not affected because encrypted communication was not an option in those releases. Notably, fixing the shared SCS component in any product on a system will also resolve the vulnerability in other products on that same system, even if those products have not been individually updated.

What this means
What could happen
An attacker with network access to a system running affected versions of SIMATIC PCS 7, WinCC, or NET PC software with encrypted communication enabled could crash the application or cause it to stop responding, interrupting process monitoring, alarming, and engineering access to critical control systems.
Who's at risk
This vulnerability affects users of Siemens SIMATIC PCS 7, SIMATIC WinCC (both TIA Portal and legacy versions), SIMATIC NET PC Software, SIMATIC BATCH, SIMATIC Route Control, and OpenPCS 7 systems that rely on encrypted communication for security. It impacts process automation engineers, control room operators, and system administrators at manufacturing plants, water authorities, utilities, and other industrial facilities that use these Siemens platforms for supervisory control and data acquisition (SCADA).
How it could be exploited
An attacker sends a specially crafted network packet to an affected system with encrypted communication enabled. The vulnerability is in the shared SIMATIC Communication Services (SCS) component. When the malformed packet is processed, it triggers an unhandled condition that causes the application to stop responding or crash.
Prerequisites
  • Network access to the affected system on the port used for encrypted communication
  • Encrypted communication must be enabled in the application configuration
  • The system must be running one of the affected product versions listed
remotely exploitable | no authentication required | low complexity attack | affects critical control system engineering and monitoring interfaces | multiple products share vulnerable component | multiple versions have no fix available
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (22)
11 with fix, 3 pending, 8 EOL
Product | Affected Versions | Fix Status
OpenPCS 7 V8.1 | All versions | No fix (EOL)
SIMATIC WinCC V7.3 | All versions | No fix (EOL)
OpenPCS 7 V9.0 | All versions < V9.0 Upd3 | No fix yet
SIMATIC BATCH V8.2 | < V8.2 Upd12 | 8.2 Upd12
SIMATIC BATCH V9.0 | All versions < V9.0 SP1 Upd5 | No fix yet
Remediation & Mitigation
Do now
OpenPCS 7 V8.1
WORKAROUND: Disable encrypted communication if operationally feasible for products with no available patch (OpenPCS 7 V8.1, V8.2, V9.0; SIMATIC BATCH V8.1, V9.0; SIMATIC NET PC Software V15; SIMATIC Route Control V8.1, V8.2, V9.0; SIMATIC WinCC V7.3)
All products
HARDENING: Restrict network access to encrypted communication ports used by affected SIMATIC software to only trusted engineering workstations and authorized systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC BATCH V8.2
HOTFIX: Update SIMATIC BATCH V8.2 to Update 12 or later
SIMATIC PCS 7 V8.2
HOTFIX: Update SIMATIC PCS 7 V8.2 to Service Pack 1 or later
SIMATIC PCS 7 V9.0
HOTFIX: Update SIMATIC PCS 7 V9.0 to Service Pack 3 or later
SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software V14 to SP1 Update 14 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software V16 to Update 1 or later
SIMATIC WinCC (TIA Portal) V13
HOTFIX: Update SIMATIC WinCC (TIA Portal) V13 to Service Pack 2 or later
HOTFIX: Update SIMATIC WinCC (TIA Portal) V14 to SP1 Update 10 or later
HOTFIX: Update SIMATIC WinCC (TIA Portal) V15.1 to Update 5 or later
HOTFIX: Update SIMATIC WinCC (TIA Portal) V16 to Update 1 or later
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC V7.4 to SP1 Update 14 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP1 Update 1 or later
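
The remediation list above can be checked against an asset inventory mechanically. The following is an added example, not part of the advisory or any Siemens tooling: it parses version strings in the forms this page uses and classifies each install against the fix levels and no-patch list above. The function names, status labels and sample inventory are constructed for illustration, and the host-level rule encodes the Summary's note on the shared SCS component.

```python
import re

# First fixed (service pack, update) per release line, from the remediation list.
FIXED = {
    "SIMATIC BATCH": {"V8.2": (0, 12)},
    "SIMATIC PCS 7": {"V8.2": (1, 0), "V9.0": (3, 0)},
    "SIMATIC NET PC Software": {"V14": (1, 14), "V16": (0, 1)},
    "SIMATIC WinCC (TIA Portal)": {"V13": (2, 0), "V14": (1, 10),
                                   "V15.1": (0, 5), "V16": (0, 1)},
    "SIMATIC WinCC": {"V7.4": (1, 14), "V7.5": (1, 1)},
}
# Release lines named in the workaround entry as having no available patch.
NO_PATCH = {
    "OpenPCS 7": {"V8.1", "V8.2", "V9.0"},
    "SIMATIC BATCH": {"V8.1", "V9.0"},
    "SIMATIC NET PC Software": {"V15"},
    "SIMATIC Route Control": {"V8.1", "V8.2", "V9.0"},
    "SIMATIC WinCC": {"V7.3"},
}
VERSION_RE = re.compile(
    r"^(V\d+(?:\.\d+)?)(?:\s+SP\s*(\d+))?(?:\s+(?:Update|Upd)\s*(\d+))?$", re.I)

def parse(version):
    """'V7.4 SP1 Update 14' -> ('V7.4', (1, 14)); a missing SP/Update counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1).upper(), (int(m.group(2) or 0), int(m.group(3) or 0))

def triage(product, version):
    """Classify one installed product against the advisory's lists."""
    line, level = parse(version)
    if line in NO_PATCH.get(product, ()):
        return "workaround"   # disable encrypted communication / restrict access
    fixed = FIXED.get(product, {}).get(line)
    if fixed is None:
        return "unlisted"     # release line not covered by this page's lists
    return "patched" if level >= fixed else "update"

def triage_host(installed):
    """installed: {product: version} on one machine. Assumption: a product at a
    fixed level carries the fixed shared SCS component; confirm on the host."""
    result = {p: triage(p, v) for p, v in installed.items()}
    if "patched" in result.values():
        for p, status in result.items():
            if status in ("update", "workaround"):
                result[p] = "resolved-by-shared-scs"
    return result

# Constructed sample inventory, not real plant data.
SAMPLE = {"SIMATIC WinCC": "V7.4 SP1 Update 9", "SIMATIC BATCH": "V9.0 SP1 Upd4"}
```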