Siemens has workarounds and mitigations in place to handle an uncontrolled search path element vulnerability in its TD Keypad Designer, according to a report with NCCIC.
Successful exploitation of this vulnerability, which Siemens self-reported, could allow a local low-privileged attacker to escalate their privileges.
All versions of TD Keypad Designer suffer from the vulnerability.
A DLL hijacking vulnerability exists in all versions of SIEMENS TD Keypad Designer which could allow an attacker to execute code with the permission of the user running TD Designer. The attacker must have write access to the directory containing the TD project file in order to exploit the vulnerability. A legitimate user with higher privileges than the attacker must open the TD project in order for this vulnerability to be exploited.
CVE-2018-13806 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
The product sees use in the chemical, energy, food and agriculture, and water and wastewater systems sectors. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. This vulnerability is not remotely exploitable. However, an attacker with low skill level could leverage the vulnerability.
Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:
• Restrict write permissions to directories with TD project files to authorized users
• Only open TD projects from trusted sources
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security and following the recommendations in the product manuals.
Click here for additional information on industrial security by Siemens.
For more information on this vulnerability and associated software updates, please see Siemens security advisory SSA-198330.