OTPulse

Catalog-Profile Deserialization Vulnerability in Siemens Engineering Platforms before V19

Monitor · CVSS 6.5 · SSA-779936 · Jul 9, 2024
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: Required
Summary

Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application.

What this means
What could happen
An attacker with access to an engineering workstation running affected software could execute arbitrary code in the context of that application, potentially allowing modification of control logic, process parameters, or safety interlocks before they are deployed to PLCs or HMIs.
Who's at risk
Engineering and automation teams using Siemens TIA Portal (STEP 7, WinCC), SIMOTION, SINAMICS, and SIRIUS products for PLC programming, HMI development, and safety system configuration. This impacts anyone authoring or modifying control logic and process configurations before deployment to field devices.
How it could be exploited
An attacker must craft a malicious serialized .NET object and get the engineering application to deserialize it—typically by opening a malicious project file or catalog profile. The deserialization bypasses type restrictions and executes arbitrary code on the engineering workstation, where control logic and device configurations are authored and stored.
Prerequisites
  • Local or network access to an engineering workstation running affected software
  • User action to open or import a malicious project file or catalog profile
  • No credentials required beyond normal engineering workstation access
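The defect described in the summary and in "How it could be exploited", shown as an added C# example that is not Siemens's code: the unrestricted BinaryFormatter call (the stream names the types that get instantiated) next to a loader that pins deserialization to an allow-list of expected types through a SerializationBinder. CatalogProfile, the loader classes and the sample payloads are constructed for illustration; the real catalog-profile type is not named on the page.

```csharp
// Added example (not Siemens code). Targets .NET Framework, where BinaryFormatter is still
// enabled; on .NET 8+ it is disabled by default and should not be re-enabled.
using System;
using System.Collections;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical stand-in for a catalog-profile record.
[Serializable]
public sealed class CatalogProfile
{
    public string Name = "";
    public int Version;
}

// Vulnerable pattern: the input stream, not the application, decides which types get created.
public static class UnrestrictedLoader
{
    public static object Load(Stream input)
    {
        var formatter = new BinaryFormatter();   // no Binder: any loadable type is accepted
        return formatter.Deserialize(input);
    }
}

// Hardened pattern: a SerializationBinder that resolves only names on an explicit allow-list.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(CatalogProfile) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName) return t;

        // Unknown type names are never resolved, so no constructor or
        // ISerializable callback of an unexpected type ever runs.
        throw new SerializationException(
            $"Rejected unexpected type '{typeName}' from assembly '{assemblyName}'.");
    }
}

public static class HardenedLoader
{
    public static CatalogProfile Load(Stream input)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        object result = formatter.Deserialize(input);
        // The binder already limits types; checking the root object is a second, cheap guard.
        if (result is CatalogProfile profile) return profile;
        throw new SerializationException("Deserialized root object is not a CatalogProfile.");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: a legitimate profile round-trips through the hardened loader.
        var good = new MemoryStream();
        new BinaryFormatter().Serialize(good, new CatalogProfile { Name = "sample", Version = 3 });
        good.Position = 0;
        var profile = HardenedLoader.Load(good);
        Console.WriteLine($"Loaded profile '{profile.Name}' version {profile.Version}");

        // Constructed sample: an unexpected root type (a Hashtable) is rejected before
        // any of its deserialization logic runs.
        var bad = new MemoryStream();
        new BinaryFormatter().Serialize(bad, new Hashtable());
        bad.Position = 0;
        try
        {
            HardenedLoader.Load(bad);
        }
        catch (SerializationException e)
        {
            Console.WriteLine("Blocked: " + e.Message);
        }
    }
}
```

Microsoft's guidance is that BinaryFormatter cannot be made fully safe and should be replaced with a serializer that does not instantiate types named by the input. An allow-list binder like this narrows the exposure for applications that cannot migrate yet, and a SerializationException raised by the binder while a user opens a project file or catalog profile is worth logging and alerting on, since legitimate files should never contain types outside the list.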

  • Type confusion in deserialization
  • Arbitrary code execution on engineering workstation
  • User interaction required (file opening)
  • No authentication bypass needed
  • No patch available for SIMOTION SCOUT TIA and SINAMICS Startdrive
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (27)
21 with fix, 6 pending
Product                    | Affected Versions            | Fix Status
SIMATIC STEP 7 Safety V16  | All versions < V16 Update 7  | V16 Update 7
SIMATIC STEP 7 Safety V17  | All versions < V17 Update 7  | V17 Update 7
SIMATIC STEP 7 Safety V18  | All versions < V18 Update 2  | V18 Update 2
SIMATIC STEP 7 V16         | All versions < V16 Update 7  | V16 Update 7
SIMATIC STEP 7 V17         | All versions < V17 Update 7  | V17 Update 7
Remediation & Mitigation
Do now
WORKAROUND: Restrict file imports and project loading to trusted sources only for unpatched products
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC STEP 7 Safety to V16 Update 7 or later
HOTFIX: Update SIMATIC STEP 7 to V16 Update 7 or later
HOTFIX: Update SIMATIC STEP 7 Safety to V17 Update 7 or later
HOTFIX: Update SIMATIC STEP 7 to V17 Update 7 or later
HOTFIX: Update SIMATIC STEP 7 Safety to V18 Update 2 or later
HOTFIX: Update SIMATIC STEP 7 to V18 Update 2 or later
HOTFIX: Update SIMATIC WinCC Unified to V16 Update 7 or later
HOTFIX: Update SIMATIC WinCC Unified to V17 Update 7 or later
HOTFIX: Update SIMATIC WinCC Unified to V18 Update 2 or later
HOTFIX: Update SIMATIC WinCC to V16.7 or later
HOTFIX: Update SIMATIC WinCC to V17.7 or later
HOTFIX: Update SIMATIC WinCC to V18 Update 2 or later
HOTFIX: Update SIMOCODE ES to V16 Update 7 or later
HOTFIX: Update SIMOCODE ES to V17 Update 7 or later
HOTFIX: Update SIMOCODE ES to V18 Update 2 or later
HOTFIX: Update SIRIUS Safety ES to V17 Update 7 or later
HOTFIX: Update SIRIUS Safety ES to V18 Update 2 or later
HOTFIX: Update SIRIUS Soft Starter ES to V17 Update 7 or later
HOTFIX: Update SIRIUS Soft Starter ES to V18 Update 2 or later
HOTFIX: Update Soft Starter ES to V16 Update 7 or later
HOTFIX: Update TIA Portal Cloud to V18 Update 2 or later
Long-term hardening
HARDENING: Isolate engineering workstations from untrusted networks; restrict access to project files to authorized personnel only