Privilege escalation in Siemens SIMATIC STEP 7 and SIMATIC WinCC
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2018-11453 CVE-2018-11454 |
| CWE-ID | CWE-276 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
SIMATIC WinCC (TIA Portal) Server applications / SCADA systems SIMATIC STEP 7 (TIA Portal) Server applications / SCADA systems |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Privilege escalation
EUVDB-ID: #VU14415
Risk: Low
CVSSv3.1: 8.1 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-11453
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper file permissions in the default installation of TIA Portal. A local unauthenticated attacker can attempt to start TIA Portal after the manipulation, insert specially crafted files and prevent TIA Portal startup (denial-of-service) or execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIMATIC WinCC (TIA Portal): 10.0 - 15.0
SIMATIC STEP 7 (TIA Portal): 10.0 - 15.0
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-979106.pdf
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Privilege escalation
EUVDB-ID: #VU14416
Risk: Low
CVSSv3.1: 8.1 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-11454
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper file permissions in the default installation of TIA Portal. A local unauthenticated attacker can transfer the manipulated files to a device and cause the service to crash or execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSIMATIC WinCC (TIA Portal): 10.0 - 15.0
SIMATIC STEP 7 (TIA Portal): 10.0 - 15.0
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-979106.pdf
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
