PT-2020-5919 · Siemens · Sinamics Starter+14

Ander Martinez · Published 2020-06-10 · Updated 2023-04-28 · CVE-2020-7580

CVSS v2.0: 7.2 High
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions:
SIMATIC Automation Tool versions prior to V4 SP2
SIMATIC NET PC Software V14 versions prior to V14 SP1 Update 14
SIMATIC NET PC Software V15 versions
SIMATIC NET PC Software V16 versions prior to V16 Upd3
SIMATIC PCS neo versions prior to V3.0 SP1
SIMATIC ProSave versions prior to V17
SIMATIC S7-1500 Software Controller versions prior to V21.8
SIMATIC STEP 7 (TIA Portal) V13 versions prior to V13 SP2 Update 4
SIMATIC STEP 7 (TIA Portal) V14 versions prior to V14 SP1 Update 10
SIMATIC STEP 7 (TIA Portal) V15 versions prior to V15.1 Update 5
SIMATIC STEP 7 (TIA Portal) V16 versions prior to V16 Update 2
SIMATIC STEP 7 V5 versions prior to V5.6 SP2 HF3
SIMATIC WinCC OA V3.16 versions prior to V3.16 P018
SIMATIC WinCC OA V3.17 versions prior to V3.17 P003
SIMATIC WinCC Runtime Advanced versions prior to V16 Update 2
SIMATIC WinCC Runtime Professional V13 versions prior to V13 SP2 Update 4
SIMATIC WinCC Runtime Professional V14 versions prior to V14 SP1 Update 10
SIMATIC WinCC Runtime Professional V15 versions prior to V15.1 Update 5
SIMATIC WinCC Runtime Professional V16 versions prior to V16 Update 2
SIMATIC WinCC V7.4 versions prior to V7.4 SP1 Update 14
SIMATIC WinCC V7.5 versions prior to V7.5 SP1 Update 3
SINAMICS STARTER versions prior to V5.4 HF2
SINAMICS Startdrive versions prior to V16 Update 3
SINEC NMS versions prior to V1.0 SP2
SINEMA Server versions prior to V14 SP3
SINUMERIK ONE virtual versions prior to V6.14
SINUMERIK Operate versions prior to V6.14

Description: The issue is an unquoted search path or element, which could allow a local attacker to execute arbitrary code with SYSTEM privileges. A common component used by the affected applications regularly calls a helper binary with SYSTEM privileges, and the call path is not quoted.
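
An audit check for the unquoted call path described above, added here as an illustration (not Siemens code): it flags command lines whose program path is unquoted and contains spaces, lists the locations Windows would try before the intended binary so their directory permissions can be reviewed, and returns the quoted form. The vendor path, entry names and the extension list are constructed assumptions; the search order follows the documented CreateProcess behaviour.

```python
import re

# Program part of an unquoted command line: shortest prefix ending in an
# executable extension (assumed set) followed by whitespace or end of string.
_PROGRAM = re.compile(r"(.+?\.(?:exe|com|bat|cmd))(?=\s|$)", re.IGNORECASE)

def split_program(cmdline):
    """Return (program_path, arguments, was_quoted) for a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        end = len(cmdline) if end == -1 else end
        return cmdline[1:end], cmdline[end + 1:].strip(), True
    m = _PROGRAM.match(cmdline)
    program = m.group(1) if m else cmdline
    return program, cmdline[len(program):].strip(), False

def earlier_candidates(cmdline):
    """Paths Windows would try before the intended binary; empty means unambiguous."""
    program, _, quoted = split_program(cmdline)
    if quoted or " " not in program:
        return []
    tokens = program.split(" ")
    # Each space-delimited prefix is tried as "<prefix>.exe", left to right.
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]

def quoted_form(cmdline):
    """Corrected command line with the program path quoted."""
    program, args, _ = split_program(cmdline)
    return f'"{program}"' + (f" {args}" if args else "")

def audit(commands):
    """Map entry name -> ambiguous locations, for entries that need fixing."""
    findings = {n: earlier_candidates(c) for n, c in commands.items()}
    return {n: paths for n, paths in findings.items() if paths}

# Constructed sample entries (hypothetical names and paths).
SAMPLE = {
    "helper-unquoted": r"C:\Program Files\Example Vendor\Common Tools\helper.exe -run",
    "helper-quoted": r'"C:\Program Files\Example Vendor\Common Tools\helper.exe" -run',
    "no-spaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE).items():
        print(name, "is ambiguous; review write access to the directories of:", paths)
        print("  quoted form:", quoted_form(SAMPLE[name]))
```
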
Recommendations:
SIMATIC Automation Tool versions prior to V4 SP2: Update to V4 SP2 or later.
SIMATIC NET PC Software V14 versions prior to V14 SP1 Update 14: Update to V14 SP1 Update 14 or later.
SIMATIC NET PC Software V15: Update to a version that is not affected by this issue.
SIMATIC NET PC Software V16 versions prior to V16 Upd3: Update to V16 Upd3 or later.
SIMATIC PCS neo versions prior to V3.0 SP1: Update to V3.0 SP1 or later.
SIMATIC ProSave versions prior to V17: Update to V17 or later.
SIMATIC S7-1500 Software Controller versions prior to V21.8: Update to V21.8 or later.
SIMATIC STEP 7 (TIA Portal) V13 versions prior to V13 SP2 Update 4: Update to V13 SP2 Update 4 or later.
SIMATIC STEP 7 (TIA Portal) V14 versions prior to V14 SP1 Update 10: Update to V14 SP1 Update 10 or later.
SIMATIC STEP 7 (TIA Portal) V15 versions prior to V15.1 Update 5: Update to V15.1 Update 5 or later.
SIMATIC STEP 7 (TIA Portal) V16 versions prior to V16 Update 2: Update to V16 Update 2 or later.
SIMATIC STEP 7 V5 versions prior to V5.6 SP2 HF3: Update to V5.6 SP2 HF3 or later.
SIMATIC WinCC OA V3.16 versions prior to V3.16 P018: Update to V3.16 P018 or later.
SIMATIC WinCC OA V3.17 versions prior to V3.17 P003: Update to V3.17 P003 or later.
SIMATIC WinCC Runtime Advanced versions prior to V16 Update 2: Update to V16 Update 2 or later.
SIMATIC WinCC Runtime Professional V13 versions prior to V13 SP2 Update 4: Update to V13 SP2 Update 4 or later.
SIMATIC WinCC Runtime Professional V14 versions prior to V14 SP1 Update 10: Update to V14 SP1 Update 10 or later.
SIMATIC WinCC Runtime Professional V15 versions prior to V15.1 Update 5: Update to V15.1 Update 5 or later.
SIMATIC WinCC Runtime Professional V16 versions prior to V16 Update 2: Update to V16 Update 2 or later.
SIMATIC WinCC V7.4 versions prior to V7.4 SP1 Update 14: Update to V7.4 SP1 Update 14 or later.
SIMATIC WinCC V7.5 versions prior to V7.5 SP1 Update 3: Update to V7.5 SP1 Update 3 or later.
SINAMICS STARTER versions prior to V5.4 HF2: Update to V5.4 HF2 or later.
SINAMICS Startdrive versions prior to V16 Update 3: Update to V16 Update 3 or later.
SINEC NMS versions prior to V1.0 SP2: Update to V1.0 SP2 or later.
SINEMA Server versions prior to V14 SP3: Update to V14 SP3 or later.
SINUMERIK ONE virtual versions prior to V6.14: Update to V6.14 or later.
SINUMERIK Operate versions prior to V6.14: Update to V6.14 or later.

Fix

Weakness Enumeration

Related Identifiers

BDU:2021-02031
CVE-2020-7580

Affected Products

Simatic Automation Tool
Simatic Net Pc
Simatic Pcs Neo
Simatic Prosave
Simatic S7-1500 Software Controller
Simatic Step 7
Simatic Wincc
Simatic Wincc Runtime Advanced
Simatic Wincc Runtime Professional
Sinamics Starter
Sinamics Startdrive
Sinec Nms
Sinema Server
Sinumerik One Virtual
Sinumerik Operate