OTPulse

Remote Code Execution Vulnerability in SIMATIC STEP 7 V5.x and Derived Products

Advisory: SSA-968170 · Published: Jun 13, 2023 · Severity: 10 (Critical) · Priority: Act now
Attack Vector: Network
Authentication Required: None
Attack Complexity: Low
User Interaction: None needed
Summary

SIMATIC STEP 7 V5 and SIMATIC PCS 7 contain a vulnerability in their embedded database management system that allows remote code execution. An attacker who can reach the database service over the network can invoke database functions to execute arbitrary code with the privileges of the STEP 7 or PCS 7 process, without authenticating. From there the attacker could modify control logic, alter process parameters, or issue malicious commands to connected industrial devices.

What this means
What could happen
An attacker who can reach the server hosting SIMATIC STEP 7 or PCS 7 engineering software could run arbitrary code on that server, potentially gaining control over the engineering environment and the industrial processes it manages.
Who's at risk
This affects organizations that run SIMATIC STEP 7 V5 engineering environments or SIMATIC PCS 7 systems for automating industrial processes. Primary concerns are plants with centralized engineering workstations and shared database servers, especially those with networked automation infrastructure like chemical plants, water treatment facilities, power plants, and large manufacturing sites.
How it could be exploited
The vulnerability is in the embedded database management system used by STEP 7 and PCS 7. An attacker on the network can call database functions directly, with no authentication, and thereby execute code with the privileges of the STEP 7 or PCS 7 process. This could allow modification of program logic or controller settings, or injection of new control commands into the automation network.
Prerequisites
  • Network access to the server running SIMATIC STEP 7 or PCS 7
  • The database management system must be reachable from the attacker's location on the network
Key facts
  • Remotely exploitable
  • No authentication required
  • Low-complexity attack
  • CVSS 10 (Critical)
  • Affects the engineering environment that controls production systems
Exploitability
EPSS score 1.1% (estimated probability of exploitation in the wild within the next 30 days); the page rates this as a moderate exploit probability.
Affected products (4)
All 4 listed products have a fix available.

  Product            | Affected Versions              | Fixed In
  -------------------|--------------------------------|----------------
  SIMATIC PCS 7      | All versions < V9.1 SP2 UC04   | V9.1 SP2 UC04
  SIMATIC S7-PM      | All versions < V5.7 SP1 HF1    | V5.7 SP1 HF1
  SIMATIC S7-PM      | All versions < V5.7 SP2 HF1    | V5.7 SP2 HF1
  SIMATIC STEP 7 V5  | All versions < V5.7            | V5.7
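Deciding whether an installed build falls under "All versions < V5.7 SP1 HF1" is not a plain string comparison: Siemens version strings carry a base version, an optional Service Pack, and an optional Update Collection or Hotfix number, and S7-PM has two separate fix lines (SP1 and SP2). The script below, added here as an example and not part of the OTPulse page or the Siemens advisory, transcribes the table rows above and checks an inventory against them. The version-ordering rules and the branch logic (compare a build only against the fix on its own SP line; if no line matches, it is affected only when below every listed fix) are my assumptions, as is the constructed inventory.

```python
"""Check installed Siemens versions against the SSA-968170 affected table.

Added example, not from the advisory. FIXED_IN is transcribed from the page;
the ordering and branch rules are assumptions made for this example.
"""
import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    sp: int      # Service Pack number, 0 when absent
    patch: int   # Update Collection (UC) or Hotfix (HF) number, 0 when absent

    @property
    def branch(self) -> tuple:
        # A "maintenance line" is major.minor plus Service Pack level.
        return (self.major, self.minor, self.sp)


# Accepts forms such as "V9.1 SP2 UC04", "V5.7 SP1 HF1", "V5.7", "v5.6 sp2".
_VERSION_RE = re.compile(
    r"^V?(\d+)\.(\d+)(?:\s*SP(\d+))?(?:\s*(?:UC|HF)(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Parse a Siemens-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Siemens version string: {text!r}")
    major, minor, sp, patch = m.groups()
    return Version(int(major), int(minor), int(sp or 0), int(patch or 0))


# One entry per row of the affected-products table on the page.
FIXED_IN = {
    "SIMATIC PCS 7": ["V9.1 SP2 UC04"],
    "SIMATIC S7-PM": ["V5.7 SP1 HF1", "V5.7 SP2 HF1"],
    "SIMATIC STEP 7 V5": ["V5.7"],
}


def required_fix(product: str, installed: str):
    """Return the fix version to upgrade to, or None if `installed` is fixed.

    Assumption: a build on the same SP line as a listed fix is judged only
    against that fix (so V5.7 SP1 HF1 is not compared with the SP2 line);
    a build on an unlisted line is affected only if below every listed fix.
    """
    if product not in FIXED_IN:
        raise KeyError(f"{product} is not listed in SSA-968170")
    v = parse_version(installed)
    fixes = [(parse_version(f), f) for f in FIXED_IN[product]]
    for fix, label in fixes:
        if v.branch == fix.branch:
            return label if v < fix else None
    lowest, label = min(fixes)
    return label if v < lowest else None


def is_affected(product: str, installed: str) -> bool:
    return required_fix(product, installed) is not None


def triage(inventory):
    """Return [(host, product, installed, fix)] for every affected host."""
    hits = []
    for host, product, installed in inventory:
        fix = required_fix(product, installed)
        if fix is not None:
            hits.append((host, product, installed, fix))
    return hits


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [
        ("eng-ws-01", "SIMATIC STEP 7 V5", "V5.6 SP2 HF3"),
        ("eng-ws-02", "SIMATIC STEP 7 V5", "V5.7"),
        ("pm-srv-01", "SIMATIC S7-PM", "V5.7 SP1"),
        ("pm-srv-02", "SIMATIC S7-PM", "V5.7 SP1 HF1"),
        ("pcs7-es-01", "SIMATIC PCS 7", "V9.1 SP2 UC03"),
    ]
    for host, product, installed, fix in triage(inventory):
        print(f"{host}: {product} {installed} is affected -> update to {fix}")
```

Run it as-is to see the three affected hosts from the sample inventory, or replace the inventory with the output of your own software-inventory export. If Siemens publishes a further fix line for a product, add it to FIXED_IN rather than changing the comparison logic.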
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the STEP 7 and PCS 7 servers with host and perimeter firewall rules so that only engineering workstations and authorized administrators can reach the embedded database's listening port. The rule must cover the database service itself; port 502/tcp is Modbus/TCP and is not the service this vulnerability lives in.
Schedule — requires maintenance window

Installing the updates may require a reboot of the engineering workstation or server, so schedule it in a maintenance window and plan for an interruption of engineering and, on PCS 7 systems, operator-station activity.

SIMATIC STEP 7 V5
HOTFIX: Update SIMATIC STEP 7 V5 to V5.7 or later
SIMATIC S7-PM
HOTFIX: On the V5.7 SP1 line, update SIMATIC S7-PM to V5.7 SP1 HF1 or later
HOTFIX: On the V5.7 SP2 line, update SIMATIC S7-PM to V5.7 SP2 HF1 or later
SIMATIC PCS 7
HOTFIX: Update SIMATIC PCS 7 to V9.1 SP2 UC04 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate engineering workstations and engineering servers from production networks and from untrusted network segments