CVE-2019-10916

Name of the Vulnerable Software and Affected Versions SIMATIC PCS 7 versions V8.0 and earlier SIMATIC PCS 7 V8.1 versions prior to V8.1 with WinCC V7.3 Upd 19 SIMATIC PCS 7 V8.2 versions prior to V8.2 SP1 with WinCC V7.4 SP1 Upd11 SIMATIC PCS 7 V9.0 versions prior to V9.0 SP2 with WinCC V7.4 SP1 Upd11 SIMATIC WinCC (TIA Portal) version V13 SIMATIC WinCC (TIA Portal) V14 versions prior to V14 SP1 Upd 9 SIMATIC WinCC (TIA Portal) V15 versions prior to V15.1 Upd 3 SIMATIC WinCC Runtime Professional version V13 SIMATIC WinCC Runtime Professional V14 versions prior to V14.1 Upd 8 SIMATIC WinCC Runtime Professional V15 versions prior to V15.1 Upd 3 SIMATIC WinCC versions V7.2 and earlier SIMATIC WinCC V7.3 versions prior to V7.3 Upd 19 SIMATIC WinCC V7.4 versions prior to V7.4 SP1 Upd 11 SIMATIC WinCC V7.5 versions prior to V7.5 Upd 3

Description The issue is related to insufficient input validation, allowing an attacker with access to the project file to execute arbitrary system commands with the privileges of the local database server. This could impact the confidentiality, integrity, and availability of the affected system. At the time of advisory publication, no public exploitation of this security issue was known.

Recommendations For SIMATIC PCS 7 versions V8.0 and earlier, update to a version later than V8.0. For SIMATIC PCS 7 V8.1 versions prior to V8.1 with WinCC V7.3 Upd 19, update to V8.1 with WinCC V7.3 Upd 19 or later. For SIMATIC PCS 7 V8.2 versions prior to V8.2 SP1 with WinCC V7.4 SP1 Upd11, update to V8.2 SP1 with WinCC V7.4 SP1 Upd11 or later. For SIMATIC PCS 7 V9.0 versions prior to V9.0 SP2 with WinCC V7.4 SP1 Upd11, update to V9.0 SP2 with WinCC V7.4 SP1 Upd11 or later. For SIMATIC WinCC (TIA Portal) version V13, update to a version later than V13. For SIMATIC WinCC (TIA Portal) V14 versions prior to V14 SP1 Upd 9, update to V14 SP1 Upd 9 or later. For SIMATIC WinCC (TIA Portal) V15 versions prior to V15.1 Upd 3, update to V15.1 Upd 3 or later. For SIMATIC WinCC Runtime Professional version V13, update to a version later than V13. For SIMATIC WinCC Runtime Professional V14 versions prior to V14.1 Upd 8, update to V14.1 Upd 8 or later. For SIMATIC WinCC Runtime Professional V15 versions prior to V15.1 Upd 3, update to V15.1 Upd 3 or later. For SIMATIC WinCC versions V7.2 and earlier, update to a version later than V7.2. For SIMATIC WinCC V7.3 versions prior to V7.3 Upd 19, update to V7.3 Upd 19 or later. For SIMATIC WinCC V7.4 versions prior to V7.4 SP1 Upd 11, update to V7.4 SP1 Upd 11 or later. For SIMATIC WinCC V7.5 versions prior to V7.5 Upd 3, update to V7.5 Upd 3 or later.