Untrusted Search Path Vulnerability in TIA Project-Server formerly known as TIA Multiuser Server
Monitor | 6.7 | SSA-640968 | Feb 14, 2023
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary
TIA Project-Server (formerly TIA Multiuser Server) contains an untrusted search path vulnerability that allows privilege escalation when an attacker tricks a legitimate user into starting the service from an attacker-controlled directory. An attacker can place malicious code in that directory, which will be loaded and executed when the service launches.
What this means
What could happen
An attacker could trick an engineering workstation user into launching the server from a directory the attacker controls, allowing the attacker to execute arbitrary code with the privileges of the logged-in engineer and potentially modify automation projects or control parameters.
Who's at risk
Engineering teams and automation engineers who use Siemens TIA Portal project management and collaboration tools (TIA Multiuser Server and TIA Project-Server) are affected. This impacts organizations managing and deploying PLC and automation system configurations, particularly those using TIA Portal V14, V15, V16, or V17 for multi-user engineering environments.
How it could be exploited
An attacker places a malicious library in a directory, then tricks a user into running TIA Project-Server or TIA Multiuser Server from that location (e.g., via a crafted shortcut or by placing the application in a shared folder). When the service starts, it loads the attacker's library due to the untrusted search path, executing arbitrary code during startup.
Prerequisites
- Local access to the engineering workstation or shared network folder where TIA is run from
- Social engineering to trick a legitimate user into executing the service from an attacker-controlled directory
- User must have local privileges to run the service
- Local access required but easily triggered via social engineering
- Affects engineering workstations where automation code is developed
- No authentication required beyond valid user session
- Low complexity exploit if user can be tricked into running from wrong path
- Privilege escalation to engineering user level
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
4 with fix, 1 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| TIA Project-Server V16 | All versions | 1.1 |
| TIA Multiuser Server V15 | All versions < V15.1 Update 8 | 15.1 Update 8 |
| TIA Project-Server | < V1.1 | 1.1 |
| TIA Project-Server V17 | All versions < V17 Update 6 | 17 Update 6 |
| TIA Multiuser Server V14 | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
HARDENING: Educate users to only launch TIA services from trusted, manufacturer-provided installation directories
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
TIA Multiuser Server V15
HOTFIX: Update TIA Multiuser Server V15 to version 15.1 Update 8 or later
TIA Project-Server
HOTFIX: Update TIA Project-Server V17 to version 17 Update 6 or later
HOTFIX: Update TIA Project-Server to version 1.1 or later
Mitigations - no patch available
TIA Multiuser Server V14 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: For TIA Multiuser Server V14 and TIA Project-Server V16 (no fix available), restrict file system write permissions on directories where users might launch the service from; implement read-only deployments where possible
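One way to verify the write-permission hardening above, as an added example that is not part of the advisory or vendor guidance. It assumes a Windows engineering workstation; the function name Get-UntrustedWriters and the list of trusted SIDs are assumptions to adapt to your environment.

```powershell
# Added example (not vendor code): list principals other than Administrators,
# SYSTEM and TrustedInstaller that can create, replace or delete files in a
# directory the service might be launched from.
function Get-UntrustedWriters {
    param([Parameter(Mandatory)][string]$Path)

    # Assumed set of trusted principals, by well-known SID.
    $trusted = @(
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    # Rights that allow planting or swapping a library in the directory.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE | GENERIC_ALL, which some ACEs store as raw bits.
    $genericMask = 0x50000000

    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }

        # Resolve the SID to a readable name; fall back to the SID itself.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $Path
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Run from the directory the service is started from; any row returned is a
# principal whose write access should be reviewed.
Get-UntrustedWriters -Path (Get-Location).Path | Format-Table -AutoSize
```

An empty result means only the assumed trusted principals can write to the directory; repeat the check for each share or folder from which users start the service.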
CVEs (1)