-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-535640: Vulnerability in Industrial Products

Publication Date:        2017-08-30
Last Update:             2022-04-12
Current Version:         1.5
CVSS v3.1 Base Score:    8.2

SUMMARY
=======

Various industrial products use the Discovery Service of the OPC UA
protocol stack by the OPC foundation
https://github.com/OPCFoundation/UA-.NETStandard and could therefore be
affected by the remote resource consumption attacks (CVE-2017-12069).


AFFECTED PRODUCTS AND SOLUTION
==============================


* SIMATIC IT Production Suite
  - Affected versions:
       All Versions >= V6.5 and < V7.1
  - Remediation:
       Update to V7.1 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       To obtain SIMATIC IT Production Suite contact your local support.

* SIMATIC NET PC Software V14
  - Affected versions:
       All versions < V14 SP1 Update 14
  - Remediation:
       Update to V14 SP1 Update 14 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109807351/

* SIMATIC PCS 7
  - Affected versions:
       Versions V8.0, V8.1
  - Remediation:
       Currently no fix is planned
       See recommendations from section "Workarounds and Mitigations"

* SIMATIC WinCC
  - Affected versions:
       All Versions < V7.2
  - Remediation:
       Currently no fix is planned
       See recommendations from section "Workarounds and Mitigations"

* SIMATIC WinCC Runtime Professional V13
  - Affected versions:
       All Versions
  - Remediation:
       Currently no fix is planned
       See recommendations from section "Workarounds and Mitigations"

* SIMATIC WinCC Runtime Professional V14
  - Affected versions:
       All Versions < V14 SP1
  - Remediation:
       Update to V14 SP1 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109746276


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Turn off the Discovery Service after commissioning or block it on the
local firewall:
https://support.industry.siemens.com/cs/ww/en/view/109749461

* Use VPN for protecting network communication between cells


Product specific remediations or mitigations can be found in the section
"Affected Products and Solution".

Please follow the "General Security Recommendations".


GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

SIMATIC IT Production Suite is a plant-centric IT solution building the
link between Business Systems (e.g. ERP) and Control Systems.

SIMATIC NET PC software is a software product that is sold separately
and implements the communications product from SIMATIC NET.

SIMATIC PCS 7 is a distributed control system (DCS) integrating SIMATIC
WinCC, SIMATIC Batch, SIMATIC Route Control, OpenPCS7 and other
components.

SIMATIC WinCC is a supervisory control and data acquisition (SCADA)
system.

SIMATIC WinCC Runtime Professional is a visualization runtime platform
used for operator control and monitoring of machines and plants.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2017-12069

  By sending specially crafted packets to the OPC Discovery Server at port
  4840/tcp, an attacker might cause the system to access various resources
  chosen by the attacker. To execute the attack, the attacker must have
  network access to the affected devices.

  CVSS v3.1 Base Score: 8.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-611: Improper Restriction of XML External Entity Reference


ACKNOWLEDGMENTS
===============

Siemens thanks the following parties for their efforts:

   * Sergey Temnikov from Kaspersky Lab ICS CERT for reporting the vulnerabilities



ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2017-08-30): Publication Date
V1.1 (2017-10-02): Clarified "Affected Products"
V1.2 (2017-11-17): Added fix for SIMATIC IT Production Suite
V1.3 (2019-01-08): Added fix for SIMATIC NET PC Software
V1.4 (2020-08-11): Updated information regarding SIMATIC NET PC Software
V1.5 (2022-04-12): Added solution for SIMATIC NET PC Software V14 and clarified affected
versions; Clarified no remediation planned

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.

Copyright: Siemens 2022
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmJUwQAACgkQlm7gTEmy
ujRKIhAAjSMQd1LJcJSr0k1cWcXh/Pt4ZrIWa1/AD37p4FVD9Rd1Z5ycK8wzvoy3
YHRMGEmtpf2NivjeduVMsTv5qoFoqFyg7IGcuwcPxMhGDLSS6LgmMyfURVfFwNfe
jweEM1+oWcnwDKziyMPwvEr0OI7LmwYvVWPha9d5pfeEXInhSRevE8Rz6ykzXJOj
al9z/iXXHYvUHZ7Yoa+TsK/QHcpHECEw5x/fV2GV8Mplr3JOQXkXC28rYza8azGP
qUIBXyuJzo1BSF1EYSsbjL+2su7GcWzFra53RmyCEo+zlQgfKvYzFK7gLZUFsTCM
FjWfvnvQt+SsXLYwIxNlCmIqJDyY/Cz8EdIvAUdEfcrm5+sI8PsFD4DcEsraRSzT
f9crDqW+Lolt0/YKuGt9gDfIKNvJXkbTvR8ekZbSGSclqBhhyn+6g3YFEIk8zZVO
DGnbNaKGdimxOujoyQInQLq2Kks70g1+cwZ14wB7oedIg+4WyNERlX/3sKMbnM+5
zljF6Q/o17X8MRziJ+O13s0bBoWc5/ohe7VC+HSSMk+40QZInjvR9DjCsu32kZrv
y/TS7y5EbQUoch0Xv4FQYCLUFlwj6yw2DbNH0XK1pFnC0vWBKr7PewLO/g9gnFym
mTYshjvemod7x6lO/leTqi0+gEUCV0TrLGfVvzdRbJpcEdwxX6E=
=Hr5c
-----END PGP SIGNATURE-----