# SSA-766247: Authentication Vulnerability in SIMATIC Process Historian

Publication Date:      2021-10-12
Last Update:           2022-01-11
Current Version:       1.1
CVSS v3.1 Base Score:  9.8

SUMMARY
=======

The latest update for SIMATIC Process Historian (PH) fixes an authentication
vulnerability in the configuration interface of redundant PH instances that
could enable the execution of admin operations on the database. The related
vulnerable interface is restricted to local access on recent versions starting
from SIMATIC Process Historian 2020.

Siemens has released updates for several affected products and recommends to
update to the latest versions. Siemens recommends specific countermeasures for
products where updates are not, or not yet available.

AFFECTED PRODUCTS AND SOLUTION
==============================

* SIMATIC Process Historian 2013 and earlier
  - Affected versions: All versions
  - Remediation: Currently no remediation is planned
    Consider upgrading to a newer SIMATIC Process Historian version
    See further recommendations from section "Workarounds and Mitigations"

* SIMATIC Process Historian 2014
  - Affected versions: All versions < SP3 Update 6
  - Remediation: Update to SP3 Update 6 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109780528/

* SIMATIC Process Historian 2019
  - Affected versions: All versions
  - Remediation: Currently no remediation is planned
    Consider upgrading to a newer SIMATIC Process Historian version
    See further recommendations from section "Workarounds and Mitigations"

* SIMATIC Process Historian 2020
  - Affected versions: All versions
  - Remediation: Update to 2020 Update 2 or later version
    To update, use the Process Historian version as bundled with
    PCS neo V3.1 Upd1
    (https://support.industry.siemens.com/cs/ww/en/view/109804750/)
    or with PCS 7 V9.1 SP1
    (https://support.industry.siemens.com/cs/ww/en/view/109805073/)
    See further recommendations from section "Workarounds and Mitigations"

WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Deactivate following incoming rules in the local Windows firewall:
  - PH Redundancy Services
  - PH Wcf MessageQueue Service (RedundancyMaintenanceService)
  - PH Wcf MessageQueue Service (SqlMirroringSetup)
  - PH Wcf MessageQueue Service (MaintenanceService)
  - PH SQL-Server Mirroring Port (UDP)
  - PH SQL-Server Mirroring Port (TCP)
* In case SIMATIC Process Historian is used as a redundant system, restrict
  remote IP addresses in the firewall rules to allow only access for the
  Master, the Standby and the Mirror server

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends to configure the environment
according to Siemens' operational guidelines for Industrial Security
(Download: https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

The SIMATIC Process Historian is the long term archive system for SIMATIC
PCS 7, SIMATIC WinCC and SIMATIC PCS neo. It stores process values, alarms and
batch data of production plants in its database and offers historical process
data to reporting and visualization applications.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification,
a community-developed list of common software security weaknesses. This serves
as a common language and as a baseline for weakness identification,
mitigation, and prevention efforts. A detailed list of CWE classes can be
found at: https://cwe.mitre.org/.

* Vulnerability CVE-2021-27395

  An interface in the software that is used for critical functionalities lacks
  authentication, which could allow a malicious user to maliciously insert,
  modify or delete data.

  CVSS v3.1 Base Score:  9.8
  CVSS Vector:           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                   CWE-306: Missing Authentication for Critical Function

ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories

HISTORY DATA
============

V1.0 (2021-10-12): Publication Date
V1.1 (2022-01-11): Added solution for SIMATIC Process Historian 2020

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In
case of conflicts, the License Terms shall prevail over the Terms of Use.
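The two measures in "Workarounds and Mitigations" can be audited and applied on a Process Historian host with the built-in Windows NetSecurity cmdlets; the PowerShell script below is an added example and not part of the Siemens advisory. It assumes the rule names listed in the advisory match each rule's DisplayName on the host, and the `-RedundancyPeers` and `-Apply` parameters are hypothetical names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): report on, and optionally apply,
# the firewall workarounds for SSA-766247 on a Process Historian host.
param(
    # Assumption: IP addresses of the Master, Standby and Mirror servers.
    # Leave empty on a non-redundant system so the rules are disabled instead.
    [string[]]$RedundancyPeers = @(),
    # Without -Apply the script only reports the current state.
    [switch]$Apply
)

# Rule names as listed in the advisory; assumed to equal the DisplayName
# of the inbound rules created by the Process Historian setup.
$ruleNames = @(
    'PH Redundancy Services',
    'PH Wcf MessageQueue Service (RedundancyMaintenanceService)',
    'PH Wcf MessageQueue Service (SqlMirroringSetup)',
    'PH Wcf MessageQueue Service (MaintenanceService)',
    'PH SQL-Server Mirroring Port (UDP)',
    'PH SQL-Server Mirroring Port (TCP)'
)

foreach ($name in $ruleNames) {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Where-Object Direction -eq 'Inbound'
    if (-not $rules) { Write-Warning "Rule not found: $name"; continue }

    foreach ($rule in $rules) {
        # Report state before any change: an enabled rule with RemoteAddress
        # 'Any' leaves the interface reachable from every network host.
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $name
            Enabled       = $rule.Enabled
            RemoteAddress = $remote -join ','
        }
        if (-not $Apply) { continue }

        if ($RedundancyPeers.Count -gt 0) {
            # Redundant system: keep the rule, allow only the listed peers.
            $rule | Set-NetFirewallRule -RemoteAddress $RedundancyPeers
        } else {
            # Standalone system: deactivate the inbound rule.
            $rule | Disable-NetFirewallRule
        }
    }
}
```

Run it once without `-Apply` to record which rules exist and what remote addresses they currently accept before changing anything.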