Siemens has an update available to handle an improper authorization vulnerability in its Siemens Network Planner (SINETPLAN), according to a report with CISA.
Successful exploitation of this vulnerability, which Siemens self-reported, could allow information disclosure, code execution, and denial-of-service. An automation systems planner, SINETPLAN Version 2.0 suffers from the issue.
The integrated configuration web application allows the execution of certain application commands without proper authentication.
CVE-2019-10915 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.0.
The product sees use mainly in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the vulnerability.
Siemens recommends users update TIA Administrator to Version 1.0 SP1 Upd1.
Siemens identified the following specific workarounds and mitigations to apply to reduce the risk: Restrict access to Port 8888/TCP to localhost.
As a general security measure, Siemens recommends users protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens’ operational guidelines for industrial security, and follow the recommendations in the product manuals.
Click here or additional information on industrial security by Siemens.
For more information, see Siemens Security Advisory SSA-834884.