OTPulse

Multiple Vulnerabilities in the UMC Component

Monitor · 6.7 · SSA-841348 · Jul 14, 2020
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Two vulnerabilities in the UMC component affect multiple Siemens products. The vulnerabilities could allow an attacker to cause a partial denial-of-service (DoS) of the UMC component or, if the attacker already has administrative privileges on the affected machine, locally escalate privileges to execute code with SYSTEM level privileges.

What this means
What could happen
An attacker with local administrative access could gain SYSTEM-level privileges and run arbitrary code on the affected system, potentially stopping production applications or altering manufacturing parameters. In manufacturing environments, disruption to MES or engineering workstations could halt production scheduling and control system configuration.
Who's at risk
Manufacturing operations teams, automation engineers, and plant IT staff managing Siemens MES platforms (Opcenter suite), engineering tools (SIMATIC STEP 7 TIA Portal, SIMOCODE ES, Soft Starter ES), production control systems (SIMATIC PCS neo, SIMATIC IT), and condition monitoring systems (SIMATIC Notifier Server). This impacts anyone using these Siemens engineering, manufacturing execution, or production suite products for process automation and planning.
How it could be exploited
An attacker with local administrative credentials on a machine running the vulnerable UMC component can exploit these vulnerabilities to escalate to SYSTEM privileges without user interaction. Once SYSTEM privileges are obtained, the attacker can run arbitrary code, manipulate production data, or shut down the application.
Prerequisites
  • Local access to the affected machine
  • Valid administrative credentials on the affected machine
  • UMC component installed and running
requires administrative credentials · local exploitation only · low complexity attack · affects engineering and MES systems · no patch available for SIMATIC Notifier Server
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (16)
15 with fix · 1 EOL
Product | Affected Versions | Fix Status
Opcenter Execution Discrete | < V3.2 | 3.2
Opcenter Execution Foundation | < V3.2 | 3.2
Opcenter Execution Process | < V3.2 | 3.2
Opcenter Intelligence | < V3.3 | 3.3
Opcenter Quality | < V11.3 | 11.3
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Opcenter Execution Discrete
HOTFIX: Update Opcenter Execution Discrete to version 3.2 or later
Opcenter Execution Foundation
HOTFIX: Update Opcenter Execution Foundation to version 3.2 or later
Opcenter Execution Process
HOTFIX: Update Opcenter Execution Process to version 3.2 or later
Opcenter Intelligence
HOTFIX: Update Opcenter Intelligence to version 3.3 or later
Opcenter Quality
HOTFIX: Update Opcenter Quality to version 11.3 or later
Opcenter RD&L
HOTFIX: Update Opcenter RD&L to version 8.1 or later
SIMATIC PCS neo
HOTFIX: Update SIMATIC PCS neo to version 3.0 SP1 or later
SIMATIC STEP 7 (TIA Portal) V15
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V15 to version 15.1 Update 5 or later
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V16 to version 16 Update 2 or later
SIMOCODE ES V15.1
HOTFIX: Update SIMOCODE ES V15.1 to version 15.1 Update 4 or later
SIMOCODE ES V16
HOTFIX: Update SIMOCODE ES V16 to version 16 Update 1 or later
Soft Starter ES V15.1
HOTFIX: Update Soft Starter ES V15.1 to version 15.1 Update 3 or later
Soft Starter ES V16
HOTFIX: Update Soft Starter ES V16 to version 16 Update 1 or later
SIMATIC IT LMS
HOTFIX: Update SIMATIC IT LMS to version 2.6 or later
SIMATIC IT Production Suite
HOTFIX: Update SIMATIC IT Production Suite to version 8.0 or later
Mitigations - no patch available
SIMATIC Notifier Server for Windows has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: For SIMATIC Notifier Server for Windows (all versions), implement local access controls and restrict administrative account usage to limit exposure to privilege escalation until an update becomes available.