Session-Memory Deserialization Vulnerability in Siemens Engineering Platforms Before V19
Plan: Patch
CVSS: 7.3
Advisory: SSA-871035
Published: Nov 12, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Siemens engineering platforms contain a deserialization vulnerability in file parsing that does not properly sanitize user-controllable input. When a user opens a specially crafted file, the application fails to validate the data type and allows an attacker to trigger type confusion, resulting in arbitrary code execution within the application. Affected products include SIMATIC STEP 7, WinCC, WinCC Unified, PLCSIM, SIMOCODE ES, SIRIUS safety and soft starter modules, SIMOTION SCOUT TIA, SINAMICS Startdrive, and TIA Portal Cloud across versions V16 through V18.
What this means
What could happen
An attacker with access to an engineering workstation could craft a malicious file that, when opened in a Siemens engineering tool, executes arbitrary code within the application. This could allow modification of PLC logic, safety configurations, or operator interface settings without detection.
Who's at risk
This affects Siemens engineering and programming platforms used in manufacturing and process automation: STEP 7 (PLC programming), WinCC (HMI/SCADA), TIA Portal Cloud, PLCSIM (PLC simulator), and motor control engineering tools. Any organization using these tools on engineering workstations is affected. V16 products and some V18 products have no fixes available and should be treated as elevated risk.
How it could be exploited
An attacker sends a crafted file (project file, configuration, or session file) to an engineer. When the engineer opens the file in an affected Siemens engineering tool (STEP 7, WinCC, etc.), the tool deserializes the malicious content without proper validation, triggering type confusion. This allows arbitrary code execution in the context of the application, with the engineer's credentials.
Prerequisites
- Access to send files to engineering staff (email, shared drive, USB, etc.)
- An engineer must open the malicious file in an affected Siemens tool
- The affected Siemens engineering tool must be installed on the workstation
Key factors
- Requires user interaction (file must be opened)
- Local access required to engineering workstation
- High impact if exploited (arbitrary code execution)
- No patch available for V16 versions and multiple V17/V18 products
- Engineering staff are common social engineering targets
- Can affect safety system configurations if opened in safety-critical tools
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (30)
11 with fix, 19 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC S7-PLCSIM V16 | All versions | No fix yet |
| SIMATIC S7-PLCSIM V17 | All versions | No fix yet |
| SIMATIC STEP 7 Safety V16 | All versions | No fix yet |
| SIMATIC STEP 7 Safety V17 | All versions < V17 Update 8 | Fixed in V17 Update 8 |
| SIMATIC STEP 7 Safety V18 | All versions < V18 Update 5 | Fixed in V18 Update 5 |
Remediation & Mitigation
Do now
WORKAROUND: Restrict file sharing and email attachment handling on engineering workstations; require verification of file origin before opening
HARDENING: For products with no fixes available (V16 versions, SINAMICS Startdrive, SIMOTION SCOUT TIA, SIRIUS Safety ES V18, SIRIUS Soft Starter ES V18), educate engineers not to open files from untrusted sources
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC STEP 7 V17
HOTFIX: Update SIMATIC STEP 7 V17 to Update 8 or later
SIMATIC STEP 7 V18
HOTFIX: Update SIMATIC STEP 7 V18 to Update 5 or later
SIMATIC STEP 7 Safety V17
HOTFIX: Update SIMATIC STEP 7 Safety V17 to Update 8 or later
SIMATIC STEP 7 Safety V18
HOTFIX: Update SIMATIC STEP 7 Safety V18 to Update 5 or later
SIMATIC WinCC V17
HOTFIX: Update SIMATIC WinCC V17 to Update 8 or later
SIMATIC WinCC V18
HOTFIX: Update SIMATIC WinCC V18 to SP5 or later
SIMATIC WinCC Unified V17
HOTFIX: Update SIMATIC WinCC Unified V17 to Update 8 or later
SIMATIC WinCC Unified V18
HOTFIX: Update SIMATIC WinCC Unified V18 to SP5 or later
SIMOCODE ES V17
HOTFIX: Update SIMOCODE ES V17 to Update 8 or later
SIRIUS Safety ES V17 (TIA Portal)
HOTFIX: Update TIA Portal Cloud V17 to V4.6.0.1 or later
HOTFIX: Update TIA Portal Cloud V18 to V4.6.1.0 or later
All products
HOTFIX: Update SIRIUS Safety ES V17 to Update 8 or later
HOTFIX: Update SIRIUS Soft Starter ES V17 to Update 8 or later
Long-term hardening
HARDENING: Implement network segmentation to limit access to engineering workstations from untrusted networks
CVEs (1)
API: /api/v1/advisories/cf969894-dae9-4733-9059-2bb80b3783a1