Denial-of-Service and DLL Hijacking Vulnerabilities in Multiple SIMATIC Software Products
Action: Plan Patch
CVSS score: 7.8
Advisory: SSA-689942
Published: Jun 9, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple SIMATIC software products contain DLL hijacking (CWE-427) and improper resource validation (CWE-122) vulnerabilities. An attacker can manipulate project files to achieve remote code execution or denial-of-service conditions. Affected products include SIMATIC PCS 7 V8.2 and earlier (unfixed), SIMATIC PCS 7 V9.0, SIMATIC PDM, SIMATIC STEP 7 V5.X, and SINAMICS STARTER. The vulnerabilities could be exploited via compromised project files or local access to engineering workstations.
What this means
What could happen
An attacker could run arbitrary code on engineering workstations or cause the SIMATIC software to crash, potentially disrupting the design, modification, or operation of industrial automation projects. If an attacker gains code execution on an engineering workstation, they could modify control logic, setpoints, or safety parameters before uploading changes to PLCs.
Who's at risk
This affects utilities and manufacturers who use Siemens SIMATIC engineering and control software. It primarily impacts automation engineers and operators at organizations running SIMATIC PCS 7 (process control), SIMATIC STEP 7 (PLC programming), SIMATIC PDM (device management), or SINAMICS STARTER (drive commissioning) on their engineering workstations. The risk is highest for those still running older versions like PCS 7 V8.2, which will not receive patches.
How it could be exploited
An attacker creates a malicious SIMATIC project file that exploits DLL hijacking or improper resource validation when opened by an engineer on a workstation running vulnerable SIMATIC software. Upon opening the file, the software loads a crafted DLL from the project directory or a network path under attacker control, allowing code execution with the privileges of the engineering user. Alternatively, a crafted project file could trigger a denial-of-service crash in the software.
Prerequisites
- Local access to engineering workstation or ability to deliver a malicious project file (email, USB, shared network folder)
- User must open the malicious project file in vulnerable SIMATIC software
- Vulnerable SIMATIC software version installed on the workstation
Risk factors
- DLL hijacking can lead to code execution with user privileges
- Requires only local access or ability to deliver a file to an engineer
- Low complexity exploitation
- SIMATIC PCS 7 V8.2 has no patch available (end-of-life product)
- STEP 7 V5.X versions may still be in use at legacy sites
- Could allow modification of control logic before deployment to PLCs
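The exploitation path described above (an engineering tool loading a DLL from a project directory or a network path instead of from its install location) is something a defender can look for in endpoint telemetry. The following is an added example, not part of this advisory or of any Siemens product: a small detection rule that runs over image-load records shaped like Sysmon Event ID 7 (Image Loaded) and flags DLLs that an engineering tool process loaded from a network share, from outside the trusted install and system directories, or with a missing or invalid signature. The process names, trusted directory prefixes and sample events are constructed placeholders for this example; the actual SIMATIC executable names and install paths on a given workstation should be substituted.

```python
"""Flag DLL loads by engineering-tool processes from untrusted locations.

Input records mirror four Sysmon Event ID 7 fields: Image (loading process),
ImageLoaded (the DLL), Signed and SignatureStatus. Everything below,
including process names and sample events, is constructed for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Hypothetical placeholder names for engineering-tool processes; replace with
# the executable names actually observed on the workstations being monitored.
ENGINEERING_PROCESSES = {"pcs7engineering.exe", "step7manager.exe", "starter.exe"}

# Directories from which DLL loads are expected; any other location is suspect.
TRUSTED_PREFIXES = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


@dataclass(frozen=True)
class ImageLoadEvent:
    process: str           # Sysmon "Image": the executable performing the load
    dll: str               # Sysmon "ImageLoaded": the DLL that was mapped
    signed: bool           # Sysmon "Signed" (true/false in the raw event)
    signature_status: str  # Sysmon "SignatureStatus", e.g. "Valid"


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reason: str


def _is_under(path: PureWindowsPath, prefix: PureWindowsPath) -> bool:
    """True if path lies inside prefix (case-insensitive on Windows paths)."""
    try:
        path.relative_to(prefix)
        return True
    except ValueError:
        return False


def classify(event: ImageLoadEvent) -> Optional[Finding]:
    """Return a Finding if the load matches a DLL-hijacking pattern, else None."""
    proc_name = PureWindowsPath(event.process).name.lower()
    if proc_name not in ENGINEERING_PROCESSES:
        return None  # not an engineering tool; outside the scope of this rule
    dll_path = PureWindowsPath(event.dll)
    # For a UNC path PureWindowsPath reports the "\\server\share" part as the drive.
    if dll_path.drive.startswith("\\\\"):
        return Finding(event.process, event.dll, "DLL loaded from network share")
    if not any(_is_under(dll_path, p) for p in TRUSTED_PREFIXES):
        return Finding(event.process, event.dll, "DLL loaded from untrusted directory")
    if not event.signed or event.signature_status != "Valid":
        return Finding(event.process, event.dll, "unsigned or invalidly signed DLL")
    return None


def scan(events: List[ImageLoadEvent]) -> List[Finding]:
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\Vendor\pcs7engineering.exe",
                   r"C:\Windows\System32\kernel32.dll", True, "Valid"),
    ImageLoadEvent(r"C:\Program Files\Vendor\pcs7engineering.exe",
                   r"C:\Users\engineer\Projects\Plant1\helper.dll", False, "Unavailable"),
    ImageLoadEvent(r"C:\Program Files\Vendor\step7manager.exe",
                   r"\\fileserver\projects\line2\helper.dll", False, "Unavailable"),
    ImageLoadEvent(r"C:\Windows\System32\notepad.exe",
                   r"C:\Users\engineer\Downloads\helper.dll", False, "Unavailable"),
    ImageLoadEvent(r"C:\Program Files (x86)\Vendor\starter.exe",
                   r"C:\Program Files (x86)\Vendor\plugin.dll", True, "Valid"),
    ImageLoadEvent(r"C:\Program Files (x86)\Vendor\starter.exe",
                   r"C:\Program Files\Vendor\plugin.dll", False, "Unavailable"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.reason}: {finding.process} loaded {finding.dll}")
```

The rule is deliberately narrow: it only looks at loads by the engineering processes, so a noisy baseline elsewhere on the host does not drown it, and it treats a network-share origin as the strongest signal because that is the variant the advisory calls out. On a real fleet the trusted prefixes should be tightened to the vendor's actual install directories, and the signature check should be backed by an allowlist of expected signers rather than the Sysmon status string alone.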
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
4 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS 7 V9.0 | < V9.0 SP3 | 9.0 SP3
SIMATIC PDM | < V9.2 | 9.2
SIMATIC STEP 7 V5.X | < V5.6 SP2 HF3 | 5.6 SP2 HF3
SINAMICS STARTER (containing STEP 7 OEM version) | < V5.4 HF2 | 5.4 HF2
SIMATIC PCS 7 V8.2 and earlier | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement email security controls and user training to prevent users from opening untrusted SIMATIC project files
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC PDM
HOTFIX: Update SIMATIC PDM to V9.2 or later
SIMATIC STEP 7 V5.X
HOTFIX: Update SIMATIC STEP 7 V5.X to V5.6 SP2 HF3 or later
All products
HOTFIX: Update SIMATIC PCS 7 to V9.0 SP3 or later
HOTFIX: Update SINAMICS STARTER to V5.4 HF2 or later
Mitigations - no patch available
SIMATIC PCS 7 V8.2 and earlier has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict SIMATIC software access to trusted engineers only and enforce principle of least privilege on engineering workstations
HARDENING: Segment engineering workstations from production networks to limit lateral movement if a workstation is compromised
CVEs (2)
API:
/api/v1/advisories/85931a13-04a5-4a49-8b04-5f4391b5a695