-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # SSA-312271: Unquoted Search Path Vulnerability in Windows-based Industrial Software Applications Publication Date: 2020-06-09 Last Update: 2022-12-13 Current Version: 2.1 CVSS v3.1 Base Score: 8.8 SUMMARY ======= Several industrial products as listed below contain a local privilege escalation vulnerability that could allow a local attacker to execute arbitrary code with SYTEM privileges. Siemens has released updates for the affected products and recommends to update to the latest versions. AFFECTED PRODUCTS AND SOLUTION ============================== * SIMATIC Automation Tool - Affected versions: All versions < V4 SP2 - Remediation: Update to V4 SP2 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/98161300/ * SIMATIC NET PC Software V14 - Affected versions: All versions < V14 SP1 Update 14 - Remediation: Update to V14 SP1 Update 14 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109807351/ * SIMATIC NET PC Software V15 - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC NET PC Software V16 - Affected versions: All versions < V16 Upd3 - Remediation: Update to V16 Upd3 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109780209/ * SIMATIC PCS neo - Affected versions: All versions < V3.0 SP1 - Remediation: Update to V3.0 SP1 or later version See further recommendations from section "Workarounds and Mitigations" - Download: To obtain SIMATIC PCS neo V3.0 SP1 contact your local support. * SIMATIC ProSave - Affected versions: All versions < V17 - Remediation: Update to V17 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/10347815/ Note: Some versions of SIMATIC ProSave are not available as separate download (e.g. V17). In this case, use the version of SIMATIC ProSave as bundled with the corresponding version of SIMATIC WinCC (TIA Portal). * SIMATIC S7-1500 Software Controller - Affected versions: All versions < V21.8 - Remediation: Update to V21.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109478528/ * SIMATIC STEP 7 (TIA Portal) V13 - Affected versions: All versions < V13 SP2 Update 4 - Remediation: Update to V13 SP2 Update 4 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109759753/ * SIMATIC STEP 7 (TIA Portal) V14 - Affected versions: All versions < V14 SP1 Update 10 - Remediation: Update to V14 SP1 Update 10 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109747387 * SIMATIC STEP 7 (TIA Portal) V15 - Affected versions: All versions < V15.1 Update 5 - Remediation: Update to V15.1 Update 5 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109763890/ * SIMATIC STEP 7 (TIA Portal) V16 - Affected versions: All versions < V16 Update 2 - Remediation: Update to V16 Update 2 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109775861/ * SIMATIC STEP 7 V5 - Affected versions: All versions < V5.6 SP2 HF3 - Remediation: Update to V5.6 SP2 HF3 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109779992/ * SIMATIC WinCC OA V3.16 - Affected versions: All versions < V3.16 P018 - Remediation: Update to V3.16 P018 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://www.winccoa.com/downloads/category/versions- patches.html * SIMATIC WinCC OA V3.17 - Affected versions: All versions < V3.17 P003 - Remediation: Update to V3.17 P003 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://www.winccoa.com/downloads/category/versions- patches.html * SIMATIC WinCC Runtime Advanced - Affected versions: All versions < V16 Update 2 - Remediation: Update to V16 Update 2 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109776018/ * SIMATIC WinCC Runtime Professional V13 - Affected versions: All versions < V13 SP2 Update 4 - Remediation: Update to V13 SP2 Update 4 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109759782/ * SIMATIC WinCC Runtime Professional V14 - Affected versions: All versions < V14 SP1 Update 10 - Remediation: Update to V14 SP1 Update 10 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109747394/ * SIMATIC WinCC Runtime Professional V15 - Affected versions: All versions < V15.1 Update 5 - Remediation: Update to V15.1 Update 5 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109763892/ * SIMATIC WinCC Runtime Professional V16 - Affected versions: All versions < V16 Update 2 - Remediation: Update to V16 Update 2 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109776017/ * SIMATIC WinCC V7.4 - Affected versions: All versions < V7.4 SP1 Update 14 - Remediation: Update to V7.4 SP1 Update 14 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109779373/ * SIMATIC WinCC V7.5 - Affected versions: All versions < V7.5 SP1 Update 3 - Remediation: Update to V7.5 SP1 Update 3 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109773812/ * SINAMICS Startdrive - Affected versions: All Versions < V16 Update 3 - Remediation: Update to V16 Update 3 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109781202/ * SINAMICS STARTER - Affected versions: All Versions < V5.4 HF2 - Remediation: Update to V5.4 HF2 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109782792/ * SINEC NMS - Affected versions: All versions < V1.0 SP2 - Remediation: Update to version V1.0 SP2 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109797645/ * SINEMA Server - Affected versions: All versions < V14 SP3 - Remediation: Update to V14 SP3 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109801374/ * SINUMERIK ONE virtual - Affected versions: All Versions < V6.14 - Remediation: Update to V6.14 or later version See further recommendations from section "Workarounds and Mitigations" - Download: The update can be obtained from Siemens representative or via Siemens customer service * SINUMERIK Operate - Affected versions: All Versions < V6.14 - Remediation: Update to V6.14 or later version See further recommendations from section "Workarounds and Mitigations" - Download: The update can be obtained from Siemens representative or via Siemens customer service WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * Make sure that there is no executable at the following locations: - C:\\Program.exe, * C:\\Program\ Files\\Common.exe, or * C:\\Program\ Files\\Common\ Files\\Siemens\\Automation\\Simatic.exe * Deactivate the Windows service called TraceConceptX. This leads to loss of tracing functionality and should only be considered as a temporary workaround. Product-specific remediations or mitigations can be found in the section "Affected Products and Solution". Please follow the "General Security Recommendations". GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial- security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity PRODUCT DESCRIPTION =================== SIMATIC Automation Tool allows commissioning, adjusting and service in combination with S7-1200 and S7-1500 Controllers without engineering framework. SIMATIC NET PC software is a software product that is sold separately and implements the communications product from SIMATIC NET. SIMATIC PCS neo is a distributed control system (DCS). SIMATIC ProSave is used for backup restore and firmware update for SIMATIC HMI panels. SIMATIC S7-1500 Software Controller is a SIMATIC software controller for PC-based automation solutions. SIMATIC STEP 7 (TIA Portal) is an engineering software to configure and program SIMATIC controllers. SIMATIC STEP 7 V5 is the classic engineering software to configure and program SIMATIC S7-300/S7-400/C7/WinAC controllers. SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system. SIMATIC WinCC Open Architecture (OA) is part of the SIMATIC HMI family. It is designed for use in applications requiring a high degree of customer-specific adaptability, large or complex applications and projects that impose specific system requirements or functions. SIMATIC WinCC Runtime Advanced is a visualization runtime platform used for operator control and monitoring of machines and plants. SIMATIC WinCC Runtime Professional is a visualization runtime platform used for operator control and monitoring of machines and plants. SINAMICS Startdrive commissioning software is the engineering tool for integration of SINAMICS drives in TIA Portal. SINEC NMS is a new generation of the Network Management System (NMS) for the Digital Enterprise. This system can be used to centrally monitor, manage, and configure networks. SINEMA Server is a network monitoring and management software designed by Siemens for use in Industrial Ethernet networks. SINUMERIK CNC offers automation solutions for the shop floor, job shops and large serial production environments. SINUMERIK Operate is a standard Human-Machine-Interface system for SINUMERIK numerical controls. STARTER is the drive engineering tool for parameterizing and commissioning. VULNERABILITY CLASSIFICATION ============================ The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/. * Vulnerability CVE-2020-7580 A common component used by the affected applications regularly calls a helper binary with SYSTEM privileges while the call path is not quoted. This could allow a local attacker to execute arbitrary code with SYTEM privileges. CVSS v3.1 Base Score: 8.8 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C CWE: CWE-428: Unquoted Search Path or Element ACKNOWLEDGMENTS =============== Siemens thanks the following parties for their efforts: * INCIBE for coordination efforts * Ander Martinez from Titanium Industrial Security for reporting the vulnerability ADDITIONAL INFORMATION ====================== For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories HISTORY DATA ============ V1.0 (2020-06-09): Publication Date V1.1 (2020-07-14): Added solutions for SIMATIC STEP 7 V13, SIMATIC STEP 7 V16, SIMATIC WinCC Runtime Professional V13, SIMATIC WinCC Runtime Professional V16 and SIMATIC WinCC Runtime Advanced V1.2 (2020-08-11): Added solution for SIMATIC PCS neo. Errata: SIMATIC PCS 7 removed from affected products V1.3 (2020-09-08): Added solution for SINAMICS Startdrive, SIMATIC STEP 7 (TIA Portal) V15, and SIMATIC WinCC Runtime Professional V15 V1.4 (2020-12-08): Added solution for SIMATIC S7-1500 Software Controller and SINAMICS STARTER V1.5 (2021-01-12): Added solution for SIMATIC STEP 7 (TIA Portal) V14 and SIMATIC WinCC Runtime Professional V14 V1.6 (2021-03-09): Added solution for SINUMERIK ONE Virtual and SINUMERIK Operate V1.7 (2021-06-08): Added solution for SIMATIC Automation Tool and updated solution for SINEC NMS V1.8 (2021-09-14): Updated solution for SINEMA Server V1.9 (2021-11-09): Added solution for SIMATIC ProSave V2.0 (2022-04-12): Added solution for SIMATIC NET PC Software V14 and clarified affected versions V2.1 (2022-12-13): Corrected description and CVSS score for CVE-2020-7580 TERMS OF USE ============ Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use. Copyright: Siemens 2022 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmOXwIAACgkQlm7gTEmy ujRDZxAAlhoGRhwow1T+0jiT/jEGY1IROINDew5x0DIO7hPptkttQUwhJ6sJmMU1 bT3y1qjXU4DC0zf7tx+T6PA8bi8ezV88EDzdjizN3GdXZYMpdX3NV7baMPOhuza2 /n78L50lHHgSi3vPemwtzeyndo0MQu8ksCYlQmlXYAJvL/2BP5Psz9+DSwMjMIj9 iPqeFJ5iBL2DP2AO12Ql5e3iUZ1NCkeB8qlzFZPdWegVegQKow3EhKq6Gx+CjnZn WFRQku3CpSznCo6h4t9g3DwLIxwiflezGh16gi81QDzpAY2fDD5qDq/yE1u+Fdvm ZsZdGCwvBMCTWjdf8zPpcrAtlOfNoEc60x4s5eeJsB2VaOsQjkSLhmP41mE/BQWw EITiMFzF2+5QVSu8M3kpHXQjYnKJzf4V9KGqwl11vNJtN7bPwwr50yX5WOhAqCEJ 2Wnri+17dIotBw9k7+xb+Qp1dakcU/KA/5Q6G8HEvO4CYgL694or0KsSDyPJfLZv ye/q99F0R/lmfAQfwQsQImQLjhQ4H2uF7l3Zq4rtlaWpCBvLGmaLPv0/j13ad23l c3Cmv9OSmHT9z9kg228+XvHqnvr3di5lOZb54e3XnNyDFZbSS0i7drmLOnCHHYo+ thK4oMEhDUATIiMdce3Rzwk90wdUq+3SJKocGotd+Yb3xhmDMo0= =LFdv -----END PGP SIGNATURE-----