-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # SSA-121293: Code Upload Vulnerability in SIMATIC WinCC and SIMATIC PCS 7 Publication Date: 2019-07-09 Last Update: 2019-10-08 Current Version: 1.3 CVSS v3.0 Base Score: 7.2 SUMMARY ======= The latest update for SIMATIC WinCC fixes a vulnerability in the SIMATIC WinCC DataMonitor web application of the affected products that allows to upload arbitrary ASPX code. An attacker has to be authenticated with a valid user account. The vulnerability is only relevant for scenarios where access via the web interface is feasible for an attacker while access to the directory structure is not. Siemens has released updates for several affected products, and recommends that customers update to the new version. Siemens is preparing further updates and recommends specific countermeasures until patches are available. AFFECTED PRODUCTS AND SOLUTION ============================== * SIMATIC PCS 7 V8.0 and earlier - Affected versions: All versions - Remediation: See recommendations from section Workaround and Mitigations * SIMATIC PCS 7 V8.1 - Affected versions: All versions < V8.1 with WinCC V7.3 Upd 19 - Remediation: Update WinCC to V7.3 Upd 19 - Download: https://support.industry.siemens.com/cs/ww/en/view/109768972 * SIMATIC PCS 7 V8.2 - Affected versions: All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd 11 - Remediation: Update WinCC to V7.4 SP1 Upd 11 - Download: https://support.industry.siemens.com/cs/ww/en/view/109768093 * SIMATIC PCS 7 V9.0 - Affected versions: All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11 - Remediation: Update WinCC to V7.4 SP1 Upd 11 - Download: https://support.industry.siemens.com/cs/ww/en/view/109768093 * SIMATIC WinCC Professional (TIA Portal V13) - Affected versions: All versions - Remediation: See recommendations from section Workaround and Mitigations * SIMATIC WinCC Professional (TIA Portal V14) - Affected versions: All versions < V14 SP1 Upd 9 - Remediation: Update to V14 SP1 Upd 9 - Download: https://support.industry.siemens.com/cs/ww/en/view/109747387 * SIMATIC WinCC Professional (TIA Portal V15) - Affected versions: All versions < V15.1 Upd 3 - Remediation: Update to V15.1 Upd 3 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763890 * SIMATIC WinCC Runtime Professional V13 - Affected versions: All versions - Remediation: See recommendations from section Workaround and Mitigations * SIMATIC WinCC Runtime Professional V14 - Affected versions: All versions < V14.1 Upd 8 - Remediation: Update to V14.1 Upd 8 - Download: https://support.industry.siemens.com/cs/ww/en/view/109747394 * SIMATIC WinCC Runtime Professional V15 - Affected versions: All versions < V15.1 Upd 3 - Remediation: Update to V15.1 Upd 3 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763892 * SIMATIC WinCC V7.2 and earlier - Affected versions: All versions - Remediation: See recommendations from section Workaround and Mitigations * SIMATIC WinCC V7.3 - Affected versions: All versions < V7.3 Upd 19 - Remediation: Update to V7.3 Upd 19 - Download: https://support.industry.siemens.com/cs/ww/en/view/109768972 * SIMATIC WinCC V7.4 - Affected versions: All versions < V7.4 SP1 Upd 11 - Remediation: Update to V7.4 SP1 Upd 11 - Download: https://support.industry.siemens.com/cs/ww/en/view/109768093 * SIMATIC WinCC V7.5 - Affected versions: All versions < V7.5 Upd 3 - Remediation: Update to V7.5 Upd 3 - Download: https://support.industry.siemens.com/cs/ww/en/view/109767227 WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * Apply Defense-in-Depth GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity PRODUCT DESCRIPTION =================== SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system. SIMATIC WinCC Runtime Professional is a visualization runtime platform used for operator control and monitoring of machines and plants. SIMATIC PCS 7 is a distributed control system (DCS) integrating SIMATIC WinCC and other components. VULNERABILITY CLASSIFICATION ============================ The vulnerability classification has been performed by using the CVSS scoring system in version 3.0 (CVSS v3.0) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. * Vulnerability CVE-2019-10935 The SIMATIC WinCC DataMonitor web application of the affected products allows to upload arbitrary ASPX code. The security vulnerability could be exploited by an authenticated attacker with network access to the WinCC DataMonitor application. No user interaction is required to exploit this vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the affected device. At the stage of publishing this security advisory no public exploitation is known. CVSS v3.0 Base Score: 7.2 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C ACKNOWLEDGMENTS =============== Siemens thanks the following parties for their efforts: * CNCERT/CC for coordination efforts * Xuchen Zhu from ZheJiang Guoli Security Technology for coordinated disclosure ADDITIONAL INFORMATION ====================== For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories HISTORY DATA ============ V1.0 (2019-07-09): Publication Date V1.1 (2019-08-13): Added update for SIMATIC WinCC V7.3, SIMATIC PCS 7 V8.1, and SIMATIC WinCC Runtime Professional V14 V1.2 (2019-09-10): Added update for SIMATIC WinCC Runtime Professional V15 V1.3 (2019-10-08): Updated remediation for SIMATIC WinCC Runtime Professional V15 and added update for SIMATIC WinCC Professional (TIA Portal V14) and SIMATIC WinCC Professional (TIA Portal V15) TERMS OF USE ============ Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use. -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJdm9GAAAoJENP0geoRSq/kwd4P/0IuwF1Jl8Tj36gjIiu2sTUP an8HeaPYPCLebSjUdxp3C8qNfnpkLUM8I2EDcTqVAzEjJeNlfoQ7FX7u4LdBPCeg prjpGmwkiRty3JCXL5sGpJQf+OOCZKHugRgYRnppwfjVVL5Bha3irIuKSLi2EcSW hF0t+52kLOIfow9krXSUpzm4i5oPy+HTHJSWnOxZHY3MWY+ElwzR+JlG0SeOmgSv 4dcmkYCeZYwhTQY4x50OloTNbpt5oJHYeKifCdKpL4eyVKCIKTkE2oros8mrAQUj 22CX63iSqg1+bBpAlUJFrEN2JYz+ey+8unNDx80AS4BSbRpJKFGLfLK/9v2NHts8 JySa70eehPhSCOvJe1ZHeWP94LNuf4AJqruHqm1sLBa0n4LW6hf3A3Vxfkx0LSa/ U/zPZP20UcNRl5Hx24ir+gEBStELx6tbwO396Hndfq8z8bYbZNCGGUaSpMOj6ihO UuaW5jCHprFsIzqp6Hv0ZgLXi5ERMl1M7K3GvfvjYAv464gpzEKTE9IFGJJF6JLo ffXFYEEr5laGHyh1LeL48Ramc+JjROyEJYaNbxn/xNYsSjDrPCcuah8fbLyw5/0n RL6DalYGjkH2jVEhwsFiM9SNt7Z7NuHw1WnceCuDpWYDrJKnWKUpcDVaxJRqMjQp vQy5yxSBGqXBfByRrEBf =IAhj -----END PGP SIGNATURE-----