-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-363107: An Improper Initialization Vulnerability Affects SIMATIC WinCC Kiosk
Mode

Publication Date:        2022-05-10
Last Update:             2022-06-14
Current Version:         1.1
CVSS v3.1 Base Score:    7.8

SUMMARY
=======

A vulnerability was found in SIMATIC WinCC that could allow
authenticated attackers to escape the Kiosk Mode.

Siemens has released updates for several affected products and
recommends to update to the latest versions. Siemens recommends specific
countermeasures for products where updates are not, or not yet
available.


AFFECTED PRODUCTS AND SOLUTION
==============================


* SIMATIC PCS 7 V9.0 and earlier
  - Affected versions:
       All versions
  - Remediation:
       Currently no fix is planned
       See recommendations from section "Workarounds and Mitigations"

* SIMATIC PCS 7 V9.1
  - Affected versions:
       All versions < V9.1 SP1 UC01
  - Remediation:
       Update to V9.1 SP1 UC01 or later version
       Update SIMATIC WinCC to V7.5 SP2 Update 8 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109805072/

* SIMATIC WinCC Runtime Professional V16 and earlier
  - Affected versions:
       All versions
  - Remediation:
       Currently no fix is planned
       See recommendations from section "Workarounds and Mitigations"

* SIMATIC WinCC Runtime Professional V17
  - Affected versions:
       All versions < V17 Upd4
  - Remediation:
       Update to V17 Upd4 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109800913/

* SIMATIC WinCC V7.4 and earlier
  - Affected versions:
       All versions
  - Remediation:
       Currently no fix is planned
       See recommendations from section "Workarounds and Mitigations"

* SIMATIC WinCC V7.5
  - Affected versions:
       All versions < V7.5 SP2 Update 8
  - Remediation:
       Update to V7.5 SP2 Update 8 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109793460/


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* At least one default printer (but not a file based printer, as
e.g. PDF/XPS printer) should be installed on the affected system

* No file based printer, as e.g. PDF/XPS printers, should be installed on
the affected system

* Harden the application's host to prevent local access by untrusted
personnel


Product specific remediations or mitigations can be found in the section
"Affected Products and Solution".

Please follow the "General Security Recommendations".


GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

SIMATIC PCS 7 is a distributed control system (DCS) integrating SIMATIC
WinCC, SIMATIC Batch, SIMATIC Route Control, OpenPCS7 and other
components.

SIMATIC WinCC is a supervisory control and data acquisition (SCADA)
system.

SIMATIC WinCC Runtime Professional is a visualization runtime platform
used for operator control and monitoring of machines and plants.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2022-24287

  An authenticated attacker could escape the WinCC Kiosk Mode by opening
  the printer dialog in the affected application in case no printer is
  installed.

  CVSS v3.1 Base Score: 7.8
  CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-1188: Insecure Default Initialization of Resource




ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2022-05-10): Publication Date
V1.1 (2022-06-14): Updated fix for SIMATIC PCS 7 V9.1 and added fix for SIMATIC WinCC
Runtime Professional V17

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.

Copyright: Siemens 2022
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmKnz4AACgkQlm7gTEmy
ujTWrg//UVXcq+7dMgq+2LlSEXo1jGE/kmMxft/plGwodMyXrMGwgf3xRDG49EUS
b3J/SQGNzucc65b+b6i6vM+C5fLW3KPr0Mn3zGux/hbTcZkrNa20x3Tw1z5n8csF
XtZk7UISgDVJmO9qVf8uTBmniVbXUBng4fWqhXgZ68uDoJ6lMNSyoL8B31rZSi5L
7fsjLJm+LIMmp4AQUpZLmWkKUGHmt2w56jFXtNbFf+mFXGTa81qlMs84pxBPqahZ
0OPjEUeK0Yx9sfCxHH6p3PIZpp5pzXJZ11YzNX73R6fS8lSMT/Rp4PqbAjqKpnRM
9/Hrs9J+MfoZFkYvrtQOu8XdDkdnHM1Nbwl10Ss7Hz3x3Uh++i+Q0pjE1LC7z8O/
F5q7j4lr8Q4X/ERyvoA7Lws/sGtZniojK+1h1FznmiOoXX59aRmP9zwHZISyOLlP
6F2ODsZKGkMoDdNhtqd/G5xVXf/4a33V6gyAvxgf5YvRelXfxs4P0EHtgxdrpZNi
1vHyaMx10qgjeqLqlQv8u1SgQmB6wyVUmjf8fN919EzLAAFl/KY2sdLpfRUzTlBE
1otlNdzWsDyGekDWLNC0HRx/1AZUSa+jiMcFmH35mUjxgijvCCVDeSFMG/gTXQUF
GR8ztoVJzZ2btqu81Iloaqak2fNJQJ6do5UFhHVk6svDaB+EB8o=
=DgHL
-----END PGP SIGNATURE-----