PT-2019-2104 · Siemens · Simatic Wincc+2
Published 2019-05-14 · Updated 2021-10-28 · CVE-2019-10918
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
SIMATIC PCS 7 versions prior to V8.1 with WinCC V7.3 Upd 19
SIMATIC PCS 7 versions prior to V8.2 SP1 with WinCC V7.4 SP1 Upd11
SIMATIC PCS 7 versions prior to V9.0 SP2 with WinCC V7.4 SP1 Upd11
SIMATIC WinCC (TIA Portal) version V13
SIMATIC WinCC (TIA Portal) versions prior to V14 SP1 Upd 9
SIMATIC WinCC (TIA Portal) versions prior to V15.1 Upd 3
SIMATIC WinCC Runtime Professional version V13
SIMATIC WinCC Runtime Professional versions prior to V14.1 Upd 8
SIMATIC WinCC Runtime Professional versions prior to V15.1 Upd 3
SIMATIC WinCC versions prior to V7.3 Upd 19
SIMATIC WinCC versions prior to V7.4 SP1 Upd 11
SIMATIC WinCC versions prior to V7.5 Upd 3
Description
The issue is caused by insufficient input validation in Siemens SIMATIC products. An authenticated attacker with network access to the DCOM interface could execute arbitrary commands with SYSTEM privileges. Successful exploitation requires authentication with a low-privileged user account but no user interaction, and could compromise the confidentiality, integrity, and availability of the affected system.
Recommendations
For SIMATIC PCS 7 versions prior to V8.1 with WinCC V7.3 Upd 19, update to V8.1 with WinCC V7.3 Upd 19 or later.
For SIMATIC PCS 7 versions prior to V8.2 SP1 with WinCC V7.4 SP1 Upd11, update to V8.2 SP1 with WinCC V7.4 SP1 Upd11 or later.
For SIMATIC PCS 7 versions prior to V9.0 SP2 with WinCC V7.4 SP1 Upd11, update to V9.0 SP2 with WinCC V7.4 SP1 Upd11 or later.
For SIMATIC WinCC (TIA Portal) version V13, update to V14 SP1 Upd 9 or later.
For SIMATIC WinCC (TIA Portal) versions prior to V14 SP1 Upd 9, update to V14 SP1 Upd 9 or later.
For SIMATIC WinCC (TIA Portal) versions prior to V15.1 Upd 3, update to V15.1 Upd 3 or later.
For SIMATIC WinCC Runtime Professional version V13, update to V14.1 Upd 8 or later.
For SIMATIC WinCC Runtime Professional versions prior to V14.1 Upd 8, update to V14.1 Upd 8 or later.
For SIMATIC WinCC Runtime Professional versions prior to V15.1 Upd 3, update to V15.1 Upd 3 or later.
For SIMATIC WinCC versions prior to V7.3 Upd 19, update to V7.3 Upd 19 or later.
For SIMATIC WinCC versions prior to V7.4 SP1 Upd 11, update to V7.4 SP1 Upd 11 or later.
For SIMATIC WinCC versions prior to V7.5 Upd 3, update to V7.5 Upd 3 or later.
Fix
RCE
Affected Products
Simatic Pcs 7
Simatic Wincc
Simatic Wincc Runtime Professional