PT-2019-3865 · Siemens+1 · Simatic Pcs 7+5
Published: 2019-07-09 · Updated: 2019-10-10
CVE-2019-10935
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
SIMATIC PCS 7 versions V8.0 and earlier
SIMATIC PCS 7 version V8.1 through V8.1 with WinCC V7.3 Upd 18
SIMATIC PCS 7 version V8.2 through V8.2 SP1 with WinCC V7.4 SP1 Upd 10
SIMATIC PCS 7 version V9.0 through V9.0 SP2 with WinCC V7.4 SP1 Upd 10
SIMATIC WinCC Professional (TIA Portal V13) version
SIMATIC WinCC Professional (TIA Portal V14) version through V14 SP1 Upd 8
SIMATIC WinCC Professional (TIA Portal V15) version through V15.1 Upd 2
SIMATIC WinCC Runtime Professional V13 version
SIMATIC WinCC Runtime Professional V14 version through V14.1 Upd 7
SIMATIC WinCC Runtime Professional V15 version through V15.1 Upd 2
SIMATIC WinCC version V7.2 and earlier
SIMATIC WinCC version V7.3 through V7.3 Upd 18
SIMATIC WinCC version V7.4 through V7.4 SP1 Upd 10
SIMATIC WinCC version V7.5 through V7.5 Upd 2
Description
The SIMATIC WinCC DataMonitor web application of the affected products allows an attacker to upload arbitrary ASPX code due to insufficient input validation. This issue can be exploited by an authenticated attacker with network access to the WinCC DataMonitor application, and no user interaction is required. The vulnerability impacts the confidentiality, integrity, and availability of the affected device. At the time of publishing, no public exploitation of this issue is known.
Recommendations
For SIMATIC PCS 7 versions V8.0 and earlier, update to a version later than V8.0.
For SIMATIC PCS 7 version V8.1 through V8.1 with WinCC V7.3 Upd 18, update to V8.1 with WinCC V7.3 Upd 19 or later.
For SIMATIC PCS 7 version V8.2 through V8.2 SP1 with WinCC V7.4 SP1 Upd 10, update to V8.2 SP1 with WinCC V7.4 SP1 Upd 11 or later.
For SIMATIC PCS 7 version V9.0 through V9.0 SP2 with WinCC V7.4 SP1 Upd 10, update to V9.0 SP2 with WinCC V7.4 SP1 Upd 11 or later.
For SIMATIC WinCC Professional (TIA Portal V13) version , consider disabling the SIMATIC WinCC DataMonitor web application until a patch is available.
For SIMATIC WinCC Professional (TIA Portal V14) version through V14 SP1 Upd 8, update to V14 SP1 Upd 9 or later.
For SIMATIC WinCC Professional (TIA Portal V15) version through V15.1 Upd 2, update to V15.1 Upd 3 or later.
For SIMATIC WinCC Runtime Professional V13 version , consider disabling the SIMATIC WinCC DataMonitor web application until a patch is available.
For SIMATIC WinCC Runtime Professional V14 version through V14.1 Upd 7, update to V14.1 Upd 8 or later.
For SIMATIC WinCC Runtime Professional V15 version through V15.1 Upd 2, update to V15.1 Upd 3 or later.
For SIMATIC WinCC version V7.2 and earlier, update to a version later than V7.2.
For SIMATIC WinCC version V7.3 through V7.3 Upd 18, update to V7.3 Upd 19 or later.
For SIMATIC WinCC version V7.4 through V7.4 SP1 Upd 10, update to V7.4 SP1 Upd 11 or later.
For SIMATIC WinCC version V7.5 through V7.5 Upd 2, update to V7.5 Upd 3 or later.
Fix
Unrestricted File Upload
Affected Products
Aspx
Simatic Pcs 7
Simatic Wincc
Simatic Wincc Professional
Simatic Wincc Runtime Professional
Tia Portal