OTPulse

Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products

Monitor | CVSS 6.5 | SSA-753746 | Feb 13, 2024
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Two null pointer dereference vulnerabilities in the RPC Server of SIMATIC WinCC and related SIMATIC products allow an attacker to cause a persistent denial of service condition. The vulnerabilities affect the RPC request handler, which does not properly validate input before dereferencing pointers, leading to application crashes. OpenPCS 7 V9.1, SIMATIC BATCH V9.1, SIMATIC Route Control V9.1, and SIMATIC WinCC V7.4 have no fixes planned. Other versions have been patched: SIMATIC PCS 7 V9.1 in SP2 UC05, WinCC Runtime Professional V18 in Update 4, V19 in Update 2, WinCC V7.5 in SP2 Update 15, and WinCC V8.0 in Update 4.

What this means
What could happen
An attacker can crash the RPC server in WinCC and other SIMATIC products by sending a specially crafted message, causing the application to stop responding and requiring manual restart. This disrupts operator visibility and control until the service is restored.
Who's at risk
Water utilities and municipal electric systems relying on SIMATIC WinCC for SCADA visualization and control, SIMATIC PCS 7 for process automation, SIMATIC BATCH for batch process control, and SIMATIC Route Control for network optimization. Affects both runtime servers and engineering workstations where these products are installed.
How it could be exploited
An attacker with access to the local network sends a malformed RPC request to the WinCC RPC Server port. The null pointer dereference in the request handler causes the process to crash, denying service to legitimate operators and engineers who rely on the software for monitoring and control.
Prerequisites
  • Network access to the RPC Server port (typically local network, port varies by product)
  • No authentication required
  • Target system running one of the affected versions
  • Remotely exploitable over local network
  • No authentication required
  • Low complexity attack
  • Persistent denial of service impact
  • No patch available for OpenPCS 7, SIMATIC BATCH, SIMATIC Route Control, and WinCC V7.4
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (9)
5 with fix, 4 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS 7 V9.1 | All versions < V9.1 SP2 UC05 | 9.1 SP2 UC05
SIMATIC WinCC Runtime Professional V18 | All versions < V18 Update 4 | 18 Update 4
SIMATIC WinCC Runtime Professional V19 | All versions < V19 Update 2 | 19 Update 2
SIMATIC WinCC V7.5 | All versions < V7.5 SP2 Update 15 | 7.5 SP2 Update 15
SIMATIC WinCC V8.0 | All versions < V8.0 Update 4 | 8.0 Update 4
OpenPCS 7 V9.1 | All versions < V9.1 SP2 UC05 | No fix (EOL)
SIMATIC BATCH V9.1 | All versions < V9.1 SP2 UC05 | No fix (EOL)
SIMATIC Route Control V9.1 | All versions < V9.1 SP2 UC05 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to RPC Server ports using firewall rules to limit exposure to trusted engineering workstations and control network segments only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC Runtime Professional V18
  • HOTFIX: Update SIMATIC WinCC Runtime Professional V18 to Update 4 or later
SIMATIC WinCC Runtime Professional V19
  • HOTFIX: Update SIMATIC WinCC Runtime Professional V19 to Update 2 or later
SIMATIC WinCC V7.5
  • HOTFIX: Update SIMATIC WinCC V7.5 to SP2 Update 15 or later
SIMATIC WinCC V8.0
  • HOTFIX: Update SIMATIC WinCC V8.0 to Update 4 or later
SIMATIC PCS 7 V9.1
  • HOTFIX: Update SIMATIC PCS 7 V9.1 to SP2 UC05 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: OpenPCS 7 V9.1, SIMATIC BATCH V9.1, SIMATIC Route Control V9.1, SIMATIC WinCC V7.4. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to isolate WinCC systems from untrusted network segments
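
An added example, not part of the advisory or any Siemens tooling: a Python triage of an asset inventory against the fixed releases and no-fix products listed above. The version-string grammar, the status labels and the sample inventory are assumptions; products with no planned fix are flagged for mitigation regardless of the installed version.

```python
import re

# Fixed releases, copied from the advisory's affected-products table.
FIXED = {
    "SIMATIC PCS 7 V9.1": "V9.1 SP2 UC05",
    "SIMATIC WinCC Runtime Professional V18": "V18 Update 4",
    "SIMATIC WinCC Runtime Professional V19": "V19 Update 2",
    "SIMATIC WinCC V7.5": "V7.5 SP2 Update 15",
    "SIMATIC WinCC V8.0": "V8.0 Update 4",
}
# Products the advisory lists as having no fix planned.
NO_FIX = {"OpenPCS 7 V9.1", "SIMATIC BATCH V9.1",
          "SIMATIC Route Control V9.1", "SIMATIC WinCC V7.4"}

def parse_version(text):
    """Assumed grammar 'V7.5 SP2 Update 15' -> (7, 5, 2, 15); missing parts are 0."""
    base = re.search(r"\bV(\d+)(?:\.(\d+))?", text, re.I)
    if not base:
        raise ValueError(f"unrecognised version string: {text!r}")
    sp = re.search(r"\bSP\s*(\d+)", text, re.I)
    upd = re.search(r"\b(?:Update|UC)\s*(\d+)", text, re.I)
    return (int(base.group(1)), int(base.group(2) or 0),
            int(sp.group(1)) if sp else 0, int(upd.group(1)) if upd else 0)

def triage(product, installed):
    """Return 'mitigate', 'patched', 'update' or 'not-listed' for one asset."""
    if product in NO_FIX:
        return "mitigate"      # no patch: firewall the RPC port, segment the network
    if product not in FIXED:
        return "not-listed"
    have, need = parse_version(installed), parse_version(FIXED[product])
    if have[:2] != need[:2]:   # inventory row names the wrong product line
        raise ValueError(f"{installed!r} is not a {product} release")
    return "patched" if have >= need else "update"

# Constructed sample inventory (hostnames and installed versions are made up).
INVENTORY = [
    ("os-srv-01", "SIMATIC WinCC V7.5", "V7.5 SP2 Update 9"),
    ("os-srv-02", "SIMATIC WinCC V8.0", "V8.0 Update 4"),
    ("es-ws-01", "SIMATIC PCS 7 V9.1", "V9.1 SP2 UC04"),
    ("batch-01", "SIMATIC BATCH V9.1", "V9.1 SP2"),
]

def triage_inventory(rows):
    return {host: triage(product, installed) for host, product, installed in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```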