OTPulse

Deserialization Vulnerability in SIMATIC STEP 7 (TIA Portal) before V18 Update 2

Priority: Plan Patch
CVSS: 7.8
Siemens advisory: SSA-825651
Date: Jul 9, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause type confusion and execute arbitrary code within SIMATIC STEP 7 (TIA Portal) V16, V17, V18 (before Update 2) and SIMATIC PCS neo V4.0. Siemens has released a fix for STEP 7 V18 (V18 Update 2 and later). No fixes are available for V16, V17, or PCS neo V4.0.

What this means
What could happen
An attacker who can interact with the engineering workstation running SIMATIC STEP 7 or PCS neo could execute arbitrary code on that system, potentially allowing them to modify control logic, alter PLC programs, or insert malicious logic into industrial systems.
Who's at risk
This affects engineering teams using SIMATIC STEP 7 (TIA Portal) for PLC programming and configuration. Specifically: organizations running V16 or V17 have no patch available and must rely on operational controls; organizations running V18 can patch to Update 2 or later; and organizations using SIMATIC PCS neo V4.0 have no patch available. The risk is primarily to the engineering workstations themselves, not directly to PLCs or field devices, but a compromised workstation could be used to inject malicious code into production control systems.
How it could be exploited
An attacker must deliver a specially crafted file or input to a user of the affected TIA Portal application. When the user opens or processes the malicious file, the .NET deserialization vulnerability is triggered, and the application instantiates attacker-chosen object types from the file's contents. Since this requires user interaction (opening a file), the attack vector is local, not remote network-based.
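The weak pattern the summary describes (an unrestricted BinaryFormatter fed a user-supplied file) shown beside the restricted form, as an added illustration that is neither Siemens' code nor OTPulse's; ProjectSettings, AllowListBinder and ProjectLoader are constructed names, and the snippet assumes .NET Framework (on .NET 5 and later BinaryFormatter is marked obsolete and Microsoft's guidance is to remove it rather than restrict it).

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed example of a settings object an engineering tool might persist
// inside a project file.
[Serializable]
public sealed class ProjectSettings
{
    public string ProjectName { get; set; }
    public int CycleTimeMs { get; set; }
}

// Allow-list binder: BinaryFormatter calls BindToType for each non-primitive
// type name found in the stream. Anything not listed is rejected before the
// runtime resolves or instantiates it, which is the "restriction" the affected
// versions lack. Every type the stream legitimately carries must be listed,
// including framework types referenced by the allowed classes.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(ProjectSettings) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
        {
            if (t.FullName == typeName) return t;
        }
        throw new SerializationException(
            "Rejected unexpected type in project file: " + typeName);
    }
}

public static class ProjectLoader
{
    // Weak pattern: any type name embedded in an untrusted file is resolved and
    // instantiated during Deserialize, before the cast below ever runs.
    public static ProjectSettings LoadUnrestricted(Stream untrusted)
    {
        var formatter = new BinaryFormatter();
        return (ProjectSettings)formatter.Deserialize(untrusted);
    }

    // Restricted pattern: the binder confines the stream to known types. This
    // reduces exposure but is a compensating control, not a full fix.
    public static ProjectSettings LoadRestricted(Stream untrusted)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        return (ProjectSettings)formatter.Deserialize(untrusted);
    }
}
```

A file carrying an unexpected type name fails in LoadRestricted with a SerializationException at the binder, whereas LoadUnrestricted would have materialised that type first and only failed at the cast.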
Prerequisites
  • User must be running SIMATIC STEP 7 (TIA Portal) V16, V17, or V18 before Update 2, or SIMATIC PCS neo V4.0
  • Attacker must deliver a malicious file (likely a TIA project, archive, or data file) to the engineering workstation
  • User must open or process the malicious file in the affected application
Risk notes
  • Requires user interaction (opening a file)
  • Low complexity exploitation
  • Affects software engineering environment (high impact if compromised)
  • No fix available for V16, V17, and PCS neo V4.0
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
1 with fix, 3 EOL
Product                  Affected Versions              Fix Status
SIMATIC STEP 7 V18       All versions < V18 Update 2    V18 Update 2
SIMATIC STEP 7 V17       All versions                   No fix (EOL)
SIMATIC STEP 7 V16       All versions                   No fix (EOL)
SIMATIC PCS neo V4.0     All versions                   No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Educate engineering staff to avoid opening TIA projects or imported files from untrusted sources until a patch is available for their product version
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V18 installations to V18 Update 2 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC STEP 7 V17, SIMATIC STEP 7 V16, SIMATIC PCS neo V4.0. Apply the following compensating controls:
HARDENING: For SIMATIC STEP 7 V16 and V17, and SIMATIC PCS neo V4.0 with no announced fix, isolate engineering workstations from untrusted file sources and implement strict file validation procedures before opening TIA projects from external sources