OTPulse

Use of Obsolete Function Vulnerability in SIMATIC WinCC before V8

Risk: Low (3.9) | Advisory: SSA-508677 | Published: Jun 13, 2023
Attack Vector: Adjacent
Auth Required: High
Complexity: High
User Interaction: None needed
Summary

SIMATIC WinCC versions before V8 enable the legacy OPC Classic services (OPC DA, OPC HDA, OPC AE) by default. These services are built on Windows ActiveX and DCOM and lack modern security controls: there is no application-level authentication and no transport encryption, so access is governed only by the Windows/DCOM permissions on the host. An attacker who can reach these services can read process data or modify configuration. WinCC V8.0 disables legacy OPC by default and provides OPC UA as the replacement. Several related products (SIMATIC NET PC Software, PCS 7, SINAUT ST7sc) are end of life and have no vendor fix available.

What this means
What could happen
An attacker with local or network access to the legacy OPC services could intercept the unencrypted DCOM traffic between WinCC and other systems, read process data, or alter setpoints and alarm configurations, since the OPC Classic interfaces themselves add no authentication or encryption on top of DCOM.
Who's at risk
Manufacturing facilities using Siemens SIMATIC WinCC, PCS 7, NET PC Software, or SINAUT ST7sc for process monitoring and control. This affects any organization relying on legacy OPC services for SCADA data access, including water treatment plants, chemical processing, power generation, and discrete manufacturing operations.
How it could be exploited
An attacker on the same network segment, or with local access to the WinCC machine, targets the legacy OPC services (DA, HDA, AE) that are enabled by default in WinCC versions before V8. Because these services rely solely on DCOM/ActiveX and provide no modern authentication or encryption, the attacker can connect to the OPC server with whatever Windows access they already hold and read or modify process data over unencrypted DCOM channels.
Prerequisites
  • Local or network access to the SIMATIC WinCC system
  • OPC legacy services (DA, HDA, or AE) must be enabled (default in versions before V8)
  • No network segmentation isolating WinCC from untrusted networks
Key points
  • Legacy OPC services provide no authentication of their own; only DCOM/Windows access controls apply
  • Communications are unencrypted (DCOM/ActiveX based)
  • Exploitation is rated High complexity and High privileges required (see the metadata above), so it is not trivial despite the missing controls
  • Affects process visibility and control
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
1 with fix, 6 EOL
Product                         Affected Versions   Fix Status
SIMATIC WinCC                   < V8.0              Fixed in V8.0
SIMATIC NET PC Software V14     All versions        No fix (EOL)
SIMATIC NET PC Software V15     All versions        No fix (EOL)
SIMATIC PCS 7 V8.2              All versions        No fix (EOL)
SIMATIC PCS 7 V9.0              All versions        No fix (EOL)
SIMATIC PCS 7 V9.1              All versions        No fix (EOL)
SINAUT Software ST7sc           All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable legacy OPC services (OPC DA, HDA, AE) and migrate to OPC UA
HARDENING: Restrict SIMATIC HMI group membership to trusted users only
Schedule - requires maintenance window
Patching may require device reboot - plan for process interruption
SIMATIC WinCC
HOTFIX: Upgrade SIMATIC WinCC to version 8.0 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC NET PC Software V14, SIMATIC NET PC Software V15, SIMATIC PCS 7 V8.2, SIMATIC PCS 7 V9.0, SIMATIC PCS 7 V9.1, SINAUT Software ST7sc. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate WinCC and HMI systems from untrusted networks
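The following read-only audit script is an added example, not Siemens' advisory tooling or OTPulse's own code. It checks a WinCC station for the four things the remediation list above asks about: whether legacy OPC is still exposed, who is in the SIMATIC HMI group, how DCOM is configured, and whether the host firewall lets any remote address reach DCOM (the practical meaning of "no segmentation"). It assumes the OPC Core Components browsing service is registered as OpcEnum, that the local group is named SIMATIC HMI, and that the OPC Classic category GUIDs in the script are the OPC Foundation CATIDs; verify all three against your own installation before relying on the output.

```powershell
# Added example (not Siemens' or OTPulse's code): read-only audit of a WinCC host
# for the legacy OPC exposure described in SSA-508677. Run from an elevated
# PowerShell on the WinCC station; it reports and changes nothing.
# Assumptions (verify on your host): service name "OpcEnum", local group
# "SIMATIC HMI", and the OPC Foundation category IDs listed in $opcCategories.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Value, [string]$Risk) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Risk = $Risk })
}

# 1. OpcEnum is the DCOM server browser every OPC Classic client contacts first.
#    If it is running, legacy OPC is discoverable over DCOM from the network.
$opcEnum = Get-Service -Name 'OpcEnum' -ErrorAction SilentlyContinue
if ($null -eq $opcEnum) {
    Add-Finding 'OpcEnum service' 'not installed' 'ok'
} else {
    $risk = if ($opcEnum.Status -eq 'Running') { 'FINDING' } else { 'ok' }
    Add-Finding 'OpcEnum service' "$($opcEnum.Status), start type $($opcEnum.StartType)" $risk
}

# 2. Every CLSID implementing one of these COM categories is a registered
#    OPC DA/HDA/AE server, i.e. a legacy OPC endpoint reachable through DCOM.
$opcCategories = @{
    '{63D5F432-CFE4-11D1-B2C8-0060083BA1FB}' = 'OPC DA 2.0'   # assumed OPC Foundation CATID
    '{CC603642-66D7-48F1-B69A-B625E73652D7}' = 'OPC DA 3.0'   # assumed OPC Foundation CATID
    '{7DE5B060-E089-11D2-A5E6-000086339399}' = 'OPC HDA 1.0'  # assumed OPC Foundation CATID
    '{58E13251-AC87-11D1-84D5-00608CB8A7E9}' = 'OPC AE 1.0'   # assumed OPC Foundation CATID
}
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $catKey = Join-Path $_.PSPath 'Implemented Categories'
    if (-not (Test-Path $catKey)) { return }
    foreach ($cat in (Get-ChildItem $catKey).PSChildName) {
        $kind = $opcCategories[$cat.ToUpper()]
        if ($kind) {
            $name = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            Add-Finding "Registered $kind server" "$name $($_.PSChildName)" 'FINDING'
        }
    }
}

# 3. SIMATIC HMI membership is the Windows access control in front of the OPC
#    interfaces; broad principals here defeat the "Auth Required: High" rating.
$group = Get-LocalGroup -Name 'SIMATIC HMI' -ErrorAction SilentlyContinue
if ($null -eq $group) {
    Add-Finding 'SIMATIC HMI group' 'not present' 'ok'
} else {
    $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | ForEach-Object Name)
    $broad = @($members | Where-Object { $_ -match '(^|\\)(Everyone|Authenticated Users|Domain Users|Users)$' })
    $risk = if ($broad.Count -gt 0) { 'FINDING' } else { 'review' }
    Add-Finding 'SIMATIC HMI group' ("{0} member(s): {1}" -f $members.Count, ($members -join ', ')) $risk
}

# 4. Machine-wide DCOM defaults (HKLM\SOFTWARE\Microsoft\Ole). Only level 6
#    (Packet Privacy) encrypts the payload; when the value is absent DCOM uses
#    2 (Connect), which authenticates at connect time and sends data in clear.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
$authNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$level = if ($null -ne $ole.LegacyAuthenticationLevel) { [int]$ole.LegacyAuthenticationLevel } else { 2 }
Add-Finding 'DCOM enabled (EnableDCOM)' "$($ole.EnableDCOM)" $(if ($ole.EnableDCOM -eq 'N') { 'ok' } else { 'review' })
Add-Finding 'DCOM default authentication level' ("{0} ({1})" -f $level, $authNames[$level]) $(if ($level -ge 6) { 'ok' } else { 'FINDING' })

# 5. Host firewall: an enabled inbound allow rule for TCP/135 (RPC endpoint
#    mapper, the first hop of every DCOM connection) whose remote address is
#    "Any" means every routable host can start a DCOM session with this station.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $opens135 = ($port.Protocol -in 'TCP', 'Any') -and (@($port.LocalPort) | Where-Object { $_ -in '135', 'RPCEPMap', 'Any' })
    if (-not $opens135) { return }
    $addr = $_ | Get-NetFirewallAddressFilter
    if (@($addr.RemoteAddress) -contains 'Any') {
        Add-Finding 'Inbound TCP/135 allowed from Any' $_.DisplayName 'FINDING'
    }
}

$findings | Format-Table -AutoSize
```

Rows marked FINDING are the conditions the advisory's workaround and hardening items exist to remove: a running OpcEnum or a registered OPC Classic server means legacy OPC has not actually been disabled, a broad SIMATIC HMI group or a DCOM authentication level below Packet Privacy means the Windows access layer is the only thing left, and a TCP/135 allow from Any is the firewall-level signature of a station that is not segmented. Treat the result as a starting point; on a PCS 7 or SINAUT system with no vendor fix, the same checks show whether the compensating controls are in place.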