CVE-2022-45147

Name of the Vulnerable Software and Affected Versions SIMATIC PCS neo version 4.0 SIMATIC STEP 7 versions 16 through 17 SIMATIC STEP 7 versions 18 through 18 Update 1

Description A vulnerability has been identified in the affected applications, which do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. The issue is related to the deserialization mechanism, which can be exploited by an attacker using specially crafted data.

Recommendations For SIMATIC PCS neo version 4.0, update the .NET BinaryFormatter to properly restrict deserialization of user-controllable input. For SIMATIC STEP 7 versions 16 through 17, update the .NET BinaryFormatter to properly restrict deserialization of user-controllable input. For SIMATIC STEP 7 versions 18 through 18 Update 1, update to version 18 Update 2 or later to fix the deserialization issue. As a temporary workaround, consider disabling the deserialization of user-controllable input until a patch is available.