Out of Bounds Read Vulnerability in Industrial Products
Monitor | 6.5 | SSA-962515 | May 14, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Out of bounds read vulnerability in Siemens industrial software allows an attacker with local access to trigger a Blue Screen of Death (BSOD) crash of the Windows kernel, causing denial of service. Affected products include WinCC runtime, TIA Portal, SIMATIC automation tools, SINAMICS Startdrive, and related engineering platforms. An attacker can read memory outside intended buffer boundaries and crash the system. Siemens has released patches for some affected versions; several products remain unpatched (end-of-life or no fix planned).
What this means
What could happen
An attacker with local access to an engineering workstation or HMI/SCADA host could crash the Windows system running WinCC, TIA Portal, or other Siemens tools, stopping engineering work, interrupting process monitoring, or disabling operator interfaces until the system is rebooted.
Who's at risk
Manufacturing facilities using Siemens engineering and automation platforms should prioritize this vulnerability. Affected users include operators of WinCC HMI/SCADA systems, engineers running TIA Portal or SIMATIC development tools, systems using SINAMICS motor control, SINUMERIK CNC machines, and facilities running PCS 7 or BATCH process control systems. Any organization with Windows-based engineering workstations or HMI servers running these Siemens products is at risk.
How it could be exploited
An attacker with a local account on an engineering workstation or HMI running affected Siemens software crafts input or triggers a specific code path that causes an out-of-bounds memory read in the kernel, triggering a BSOD. The attack requires prior access to the machine (local user account or interactive login).
Prerequisites
- Local user account on the affected Windows system
- Ability to run code or interact with affected Siemens software on the local machine
- Affected Siemens software installed and vulnerable version running
- Local access required (reduces exposure)
- Low complexity attack
- Causes denial of service (system crash)
- Multiple products affected
- Several products have no patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (32)
26 with fix, 6 pending
Product | Affected Versions | Fix Status
Security Configuration Tool (SCT) | All versions | No fix yet
SIMATIC Automation Tool | All versions < V5.0 SP2 | 5.0 SP2
SIMATIC BATCH V9.1 | All versions < V9.1 SP2 Upd5 | 9.1 SP2 Upd5
SIMATIC NET PC Software V16 | All versions < V16 Update 8 | 16 Update 8
SIMATIC NET PC Software V17 | All versions | No fix yet
Remediation & Mitigation
Do now
SIMATIC WinCC V7.4
WORKAROUND: For unpatched products (TIA Portal V15.1, V16, SIMATIC WinCC V7.4, WinCC OA V3.17, NET PC Software V17, Security Configuration Tool), implement compensating controls such as physical security on engineering workstations and access control restrictions.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC WinCC Runtime Professional V16
HOTFIX: Update SIMATIC WinCC Runtime Professional V16 to Version 16 Update 6 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC WinCC Runtime Advanced and SIMATIC NET PC Software V16 to Version 16 Update 8 or later
SIMATIC NET PC Software V17
HOTFIX: Update SIMATIC WinCC Runtime Professional V17, SIMATIC NET PC Software V17, and Totally Integrated Automation Portal (TIA Portal) V17 to Version 17 Update 8 or later
SIMATIC WinCC Runtime Professional V18
HOTFIX: Update SIMATIC WinCC Runtime Professional V18 and Totally Integrated Automation Portal (TIA Portal) V18 to Version 18 Update 4 or later
SIMATIC NET PC Software V18
HOTFIX: Update SIMATIC NET PC Software V18 to Version 18 SP1 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to Version 7.5 SP2 Update 17 or later
SIMATIC WinCC V8.0
HOTFIX: Update SIMATIC WinCC V8.0 to Version 8.0 Update 5 or later
SIMATIC BATCH V9.1
HOTFIX: Update SIMATIC BATCH V9.1 to Version 9.1 SP2 Upd5 or later
SIMATIC PCS 7 V9.1
HOTFIX: Update SIMATIC PCS 7 V9.1 to Version 9.1 SP2 UC05 or later
SIMATIC WinCC OA V3.18
HOTFIX: Update SIMATIC WinCC OA V3.18 to Version 3.18 P025 or later
SIMATIC WinCC OA V3.19
HOTFIX: Update SIMATIC WinCC OA V3.19 to Version 3.19 P010 or later
SIMATIC PDM V9.2
HOTFIX: Update SIMATIC PDM V9.2 to Version 9.2 SP2 Upd3 or later
SIMATIC Route Control V9.1
HOTFIX: Update SIMATIC Route Control V9.1 to Version 9.1 SP2 Upd3 or later
SIMATIC S7-PCT
HOTFIX: Update SIMATIC S7-PCT to Version 3.5 SP3 Update 6 or later
SIMATIC STEP 7 V5
HOTFIX: Update SIMATIC STEP 7 V5 to Version 5.7 SP3 or later
SIMATIC Automation Tool
HOTFIX: Update SIMATIC Automation Tool to Version 5.0 SP2 or later
SINAMICS Startdrive
HOTFIX: Update SINAMICS Startdrive to Version 19 SP1 or later
SINUMERIK ONE virtual
HOTFIX: Update SINUMERIK ONE virtual to Version 6.23 or later
SINUMERIK PLC Programming Tool
HOTFIX: Update SINUMERIK PLC Programming Tool to Version 3.3.12 or later
TIA Portal Cloud Connector
HOTFIX: Update TIA Portal Cloud Connector to Version 2.0 or later
Totally Integrated Automation Portal (TIA Portal) V15.1
HOTFIX: Update Totally Integrated Automation Portal (TIA Portal) V19 to Version 19 Update 2 or later
Long-term hardening
HARDENING: Restrict local access to engineering workstations and HMI systems to authorized personnel only.
CVEs (1)