Siemens has released some fixes and is working on others to mitigate a code upload vulnerability in the SIMATIC WinCC DataMonitor web application and SIMATIC PCS 7, according to a report from Siemens ProductCERT.
An attacker has to be authenticated with a valid user account. The vulnerability, discovered by Xuchen Zhu from ZheJiang Guoli Security Technology, is only relevant for scenarios where access via the web interface is feasible for an attacker while access to the directory structure is not.
The issue affects SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC PCS 7. SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system. SIMATIC WinCC Runtime Professional is a visualization runtime platform used for operator control and monitoring of machines and plants. SIMATIC PCS 7 is a distributed control system (DCS) integrating SIMATIC WinCC and other components.
Siemens released updates for several affected products, and recommends customers update to the new version. Siemens is preparing further updates and recommends specific countermeasures until patches are available.
The following products suffer from the vulnerability:
• SIMATIC PCS 7 V8.0 and earlier, all versions
• SIMATIC PCS 7 V8.1, all versions
• SIMATIC PCS 7 V8.2, all versions before V8.2 SP1 with WinCC V7.4 SP1 Upd 11; remediation is to update WinCC to V7.4 SP1 Upd 11
• SIMATIC PCS 7 V9.0, all versions before V9.0 SP2 with WinCC V7.4 SP1 Upd 11; remediation is to update WinCC to V7.4 SP1 Upd 11
• SIMATIC WinCC Professional (TIA Portal V13), all versions
• SIMATIC WinCC Professional (TIA Portal V14), all versions
• SIMATIC WinCC Professional (TIA Portal V15), all versions
• SIMATIC WinCC Runtime Professional V13, all versions
• SIMATIC WinCC Runtime Professional V14, all versions
• SIMATIC WinCC Runtime Professional V15, all versions
• SIMATIC WinCC V7.2 and earlier, all versions
• SIMATIC WinCC V7.3, all versions
• SIMATIC WinCC V7.4, all versions before V7.4 SP1 Upd 11; remediation is to update to V7.4 SP1 Upd 11
• SIMATIC WinCC V7.5, all versions below V7.5 Upd 3; remediation is to update to V7.5 Upd 3
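An added example (not from Siemens or the original article): a small Python triage of installed WinCC V7.x version strings against the fixed versions in the list above. The version-string format, the ordering of service packs above updates, and the inventory entries are assumptions constructed for illustration.

```python
import re

# Fixed-version thresholds for WinCC V7.x taken from the list above, as
# (service pack, update). None = affected, with no fixed version listed.
FIXED = {(7, 3): None, (7, 4): (1, 11), (7, 5): (0, 3)}

# Assumed version-string shape (not specified by the page): "V7.4 SP1 Upd 11"
_VERSION = re.compile(
    r"^V(\d+)\.(\d+)(?:\s+SP\s*(\d+))?(?:\s+Upd\s*(\d+))?$", re.IGNORECASE
)


def parse_wincc_version(text):
    """Return (major, minor, sp, upd); a missing SP or Upd counts as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized WinCC version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(text):
    """Classify an installed WinCC V7.x version against the list above."""
    major, minor, sp, upd = parse_wincc_version(text)
    if (major, minor) <= (7, 2):          # "V7.2 and earlier, all versions"
        return "affected: no fixed version listed"
    if (major, minor) not in FIXED:
        return "not listed in the advisory"
    fixed = FIXED[(major, minor)]
    if fixed is None:
        return "affected: no fixed version listed"
    if (sp, upd) < fixed:                 # assumption: a later SP outranks any Upd
        sp_part = f" SP{fixed[0]}" if fixed[0] else ""
        return f"affected: update to V{major}.{minor}{sp_part} Upd {fixed[1]}"
    return "fixed"


# Constructed inventory (host names and versions are made up for this example).
INVENTORY = {"os-server-01": "V7.4 SP1 Upd 9", "os-server-02": "V7.5 Upd 3",
             "web-nav-01": "V7.3 Upd 12"}


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

For SIMATIC PCS 7 V8.2 and V9.0 the same check applies to the bundled WinCC version, since the listed remediation is the WinCC V7.4 SP1 Upd 11 update.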
The SIMATIC WinCC DataMonitor web application of the affected products allows arbitrary ASPX code to be uploaded.
The security vulnerability could be exploited by an authenticated attacker with network access to the WinCC DataMonitor application. No user interaction is required to exploit this vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the affected device.
The issue is tracked as CVE-2019-10935 and has a CVSS v3.0 base score of 7.2.
There are no attacks ongoing, Siemens said.
Siemens identified the following specific workarounds and mitigations: Apply defense-in-depth.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security and following the recommendations in the product manuals.