-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-198330: Local Privilege Escalation in TD Keypad Designer

Publication Date:        2018-09-11
Last Update:             2018-09-11
Current Version:         1.0
CVSS v3.0 Base Score:    7.3

SUMMARY
=======

All versions of the TD Keypad Designer for printing customized
lamination sheets for Text Display devices are affected by a DLL
hijacking vulnerability that could allow a local low-privileged attacker
to escalate his privileges.

Text Display devices and TD Keypad Designer have been discontinued in
2012 and were replaced by KTP Basic with option Express Design.


AFFECTED PRODUCTS AND SOLUTION
==============================


* SIEMENS TD Keypad Designer 
  - Affected versions:
       All versions
  - Remediation:
        See recommendations from section Workaround and Mitigations


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Restrict write permissions to directories with TD project files to
authorized users.
  
* Only open TD projects from trusted sources.
  


GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

TD Keypad Designer is a tool for printing customized lamination sheets
for Text Display devices.



VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.0 (CVSS v3.0) (https://www.first.org/cvss/). The CVSS 
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be 
individually defined by the customer to accomplish final scoring.


* Vulnerability CVE-2018-13806

  A DLL hijacking vulnerability exists in all versions of SIEMENS TD
  Keypad Designer which could allow an attacker to execute code with the
  permission of the user running TD Designer.
  
  The attacker must have write access to the directory containing the TD
  project file in order to exploit the vulnerability. A legitimate user
  with higher privileges than the attacker must open the TD project in
  order for this vulnerability to be exploited.
  
  At the time of advisory publication no public exploitation of this
  security vulnerability was known.

  CVSS v3.0 Base Score: 7.3
  CVSS v3.0 Vector:     CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C




ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and 
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2018-09-11): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJblwWAAAoJELtnleqOVdUuaekQAI25QX5z/op9UHhLCrTCqJeL
YK40CMe0izxbGVFiMn/8Xx/Udzh96Gs2ZHACDYTUvwT348B12BTaDsx2slLJBCMP
mcVjegmOUsE8u5cIqUl/Ozl7nX1QrpiyrWXmNmBEu6heh9OfrC4dN6Eh7q/erNDs
pgX1yUCJATeYNrMMMLUVvYJs4TvYUDtrxlUjeNGRlntzH9KZk9IfyeCcl2aqJkEW
cHpSYP0icsIFWQhCwmt9roCMdYKItz+cYkArglT24sv5X/1JmoQqgtDFJX7uPYJ2
6RinDwKPum4kJ4eZ+VSzf2XfKr4FyEDDtDPi60Y37F8F9+HcP6rks9Dx8HVZuYX1
W3FDPMWubTyMzlXt2p/CgM9Vq7ADTP01gk/JSCIFCf8SVcdHRS2S42lnClatphuj
0bQAct5KaIYCxsOKxmG32e5wP4mfiuz5MLTEiIC5j3HK9tAkFLnuIDRCgA88Nn2I
8jL7IL1Xt6+sfezIZ0XmIHbFDHAIl4nad0AceV5tpfCKHWzzQbfOTNr0qo5qZHqh
CHBL0EWhQFKtDbvBL3x5Bw9vYUb9m+it1cbwkq0jZP6gqz84pURNkUgPwlc3/Jsb
6SOr/uW+fv9lrRqSJBM+S7cklIAT6WtNAV6OK5TfE7hqmMreyN1gdSnPa8NjGI5i
s9WQgcISAPhxLuTSAPnI
=tX64
-----END PGP SIGNATURE-----