Denial of service in Siemens SIMATIC PCS 7

Published: 2017-11-03 10:52:41
Severity Low
Patch available YES
Number of vulnerabilities 1
CVSSv2 2.4 (AV:N/AC:L/Au:M/C:N/I:N/A:P/E:U/RL:OF/RC:C)
CVSSv3 4.1 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE ID CVE-2017-14023
CWE ID CWE-20
Exploitation vector Network
Public exploit Not available
Vulnerable software SIMATIC PCS 7
Vulnerable software versions SIMATIC PCS 7 8.2
SIMATIC PCS 7 8.1
Vendor URL Siemens
Advisory type Public

Security Advisory

1) Denial of service

Description

The vulnerability allows a remote authenticated attacker in the 'administrators' group to cause DoS condition on the target system.

The weakness exists due to improper input validation. A remote attacker can send specially crafted data to the target DCOM interface and cause the target service to crash.

Remediation

Install update from vendor's website (V8.1 SP1 with WinCC V7.3 Upd 13).

External links

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-523365.pdf

Back to List