PT-2018-12198 · Siemens · Simatic Hmi Classic Devices (+6 more products)

Published: 2018-12-13 · Updated: 2019-10-09 · CVE-2018-13812

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

SIMATIC HMI Comfort Panels 4" - 22", versions prior to V15 Update 4
SIMATIC HMI Comfort Outdoor Panels 7" & 15", versions prior to V15 Update 4
SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F, versions prior to V15 Update 4
SIMATIC WinCC Runtime Advanced, versions prior to V15 Update 4
SIMATIC WinCC Runtime Professional, versions prior to V15 Update 4
SIMATIC WinCC (TIA Portal), versions prior to V15 Update 4
SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel), all versions
Description

A directory traversal issue in the integrated web server allows an attacker to download arbitrary files from the device. Exploitation requires only network access to the web server, with no authentication and no user interaction, and it impacts the confidentiality of the device (integrity and availability are not affected, as the CVSS vector shows). At the time of publication, no public exploitation of this issue was known.
Recommendations

For SIMATIC HMI Comfort Panels 4" - 22" versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC HMI Comfort Outdoor Panels 7" & 15" versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC WinCC Runtime Advanced versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC WinCC Runtime Professional versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC WinCC (TIA Portal) versions prior to V15 Update 4, update to V15 Update 4 or later.
For SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel), at the moment, there is no information about a newer version that contains a fix for this vulnerability.
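Because the Classic Devices have no fixed version, operators are left with network segmentation and monitoring of the panel's web server. The following added example (not part of this advisory or of any Siemens tooling) scans constructed Common Log Format access-log lines for directory traversal requests; it percent-decodes the path repeatedly so that single- and double-encoded `..` segments are caught, while a literal `..` inside a file name is not flagged. The log lines, client addresses and file names are all made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); the client
# addresses, paths and file names are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [13/Dec/2018:10:01:07 +0000] "GET /img/../../sysconfig.xml HTTP/1.1" 200 1024
10.0.0.9 - - [13/Dec/2018:10:01:09 +0000] "GET /%2e%2e/%2e%2e/config.cfg HTTP/1.1" 200 300
10.0.0.9 - - [13/Dec/2018:10:01:11 +0000] "GET /%252e%252e/secret.txt HTTP/1.1" 404 0
10.0.0.7 - - [13/Dec/2018:10:01:15 +0000] "GET /docs/a..b.html HTTP/1.1" 200 700
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def decode_path(raw, rounds=3):
    """Percent-decode up to `rounds` times so double-encoded sequences
    (%252e -> %2e -> .) are caught; stop early once decoding is stable.
    Backslashes are normalised to '/' so '..\\' variants are seen too."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_traversal(raw_path):
    """True when any path segment is exactly '..' after decoding.
    A '..' inside a file name (a..b.html) is not a segment and is ignored."""
    segments = decode_path(raw_path.split("?", 1)[0]).split("/")
    return any(seg == ".." for seg in segments)

def scan_log(text):
    """Return (client, status, raw path) for every request flagged as traversal.
    Status is kept because a 200 on a traversal request means a file was served."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, status = m.groups()
        if is_traversal(path):
            hits.append((client, int(status), path))
    return hits

if __name__ == "__main__":
    for client, status, path in scan_log(SAMPLE_LOG):
        print(f"ALERT traversal from {client} status={status} path={path}")
```

Requests flagged with status 200 deserve priority, since they indicate the device actually served the file rather than rejecting the request.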

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2018-13812

Affected Products

Simatic Hmi Classic Devices
Simatic Hmi Comfort Outdoor Panels
Simatic Hmi Comfort Panels
Simatic Hmi Ktp Mobile Panels
Simatic Wincc
Simatic Wincc Runtime Advanced
Simatic Wincc Runtime Professional