PT-2019-2102 · Siemens · Simatic Wincc+2
Chengbin Wang
+2
·
Publicado
2019-05-14
·
Atualizado
2021-10-28
·
CVE-2019-10916
CVSS v2.0
9.0
Alta
| Vetor | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
SIMATIC PCS 7 versions V8.0 and earlier
SIMATIC PCS 7 V8.1 versions prior to V8.1 with WinCC V7.3 Upd 19
SIMATIC PCS 7 V8.2 versions prior to V8.2 SP1 with WinCC V7.4 SP1 Upd11
SIMATIC PCS 7 V9.0 versions prior to V9.0 SP2 with WinCC V7.4 SP1 Upd11
SIMATIC WinCC (TIA Portal) version V13
SIMATIC WinCC (TIA Portal) V14 versions prior to V14 SP1 Upd 9
SIMATIC WinCC (TIA Portal) V15 versions prior to V15.1 Upd 3
SIMATIC WinCC Runtime Professional version V13
SIMATIC WinCC Runtime Professional V14 versions prior to V14.1 Upd 8
SIMATIC WinCC Runtime Professional V15 versions prior to V15.1 Upd 3
SIMATIC WinCC versions V7.2 and earlier
SIMATIC WinCC V7.3 versions prior to V7.3 Upd 19
SIMATIC WinCC V7.4 versions prior to V7.4 SP1 Upd 11
SIMATIC WinCC V7.5 versions prior to V7.5 Upd 3
Description
The issue is related to insufficient input validation, allowing an attacker with access to the project file to execute arbitrary system commands with the privileges of the local database server. This could impact the confidentiality, integrity, and availability of the affected system. At the time of advisory publication, no public exploitation of this security issue was known.
Recommendations
For SIMATIC PCS 7 versions V8.0 and earlier, update to a version later than V8.0.
For SIMATIC PCS 7 V8.1 versions prior to V8.1 with WinCC V7.3 Upd 19, update to V8.1 with WinCC V7.3 Upd 19 or later.
For SIMATIC PCS 7 V8.2 versions prior to V8.2 SP1 with WinCC V7.4 SP1 Upd11, update to V8.2 SP1 with WinCC V7.4 SP1 Upd11 or later.
For SIMATIC PCS 7 V9.0 versions prior to V9.0 SP2 with WinCC V7.4 SP1 Upd11, update to V9.0 SP2 with WinCC V7.4 SP1 Upd11 or later.
For SIMATIC WinCC (TIA Portal) version V13, update to a version later than V13.
For SIMATIC WinCC (TIA Portal) V14 versions prior to V14 SP1 Upd 9, update to V14 SP1 Upd 9 or later.
For SIMATIC WinCC (TIA Portal) V15 versions prior to V15.1 Upd 3, update to V15.1 Upd 3 or later.
For SIMATIC WinCC Runtime Professional version V13, update to a version later than V13.
For SIMATIC WinCC Runtime Professional V14 versions prior to V14.1 Upd 8, update to V14.1 Upd 8 or later.
For SIMATIC WinCC Runtime Professional V15 versions prior to V15.1 Upd 3, update to V15.1 Upd 3 or later.
For SIMATIC WinCC versions V7.2 and earlier, update to a version later than V7.2.
For SIMATIC WinCC V7.3 versions prior to V7.3 Upd 19, update to V7.3 Upd 19 or later.
For SIMATIC WinCC V7.4 versions prior to V7.4 SP1 Upd 11, update to V7.4 SP1 Upd 11 or later.
For SIMATIC WinCC V7.5 versions prior to V7.5 Upd 3, update to V7.5 Upd 3 or later.
Correção
RCE
SQL injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Simatic Pcs 7
Simatic Wincc
Simatic Wincc Runtime Professional