Multiple vulnerabilities in Siemens SIMATIC, SINAMICS, SINEC, SINEMA and SINUMERIK
Published: 2020-06-10
Risk: Low
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2020-7585, CVE-2020-7586, CVE-2020-7580
CWE-ID: CWE-427, CWE-122, CWE-428
Exploitation vector: Local
Public exploit: N/A
Vulnerable software

SIMATIC PCS 7 (Server applications / SCADA systems)
SIMATIC PDM (Server applications / SCADA systems)
SIMATIC STEP 7 (Server applications / SCADA systems)
SIMATIC NET PC Software (Server applications / SCADA systems)
SIMATIC S7-1500 Software Controller (Server applications / SCADA systems)
SIMATIC STEP 7 (TIA Portal) (Server applications / SCADA systems)
SIMATIC WinCC OA (Server applications / SCADA systems)
SIMATIC WinCC Runtime Professional (Server applications / SCADA systems)
Siemens SIMATIC WinCC (Server applications / SCADA systems)
SINUMERIK ONE virtual (Server applications / SCADA systems)
SINUMERIK Operate (Server applications / SCADA systems)
SINAMICS STARTER (Other software / Other software solutions)
SIMATIC Automation Tool (Server applications / Other server solutions)
SINEMA Server (Server applications / Other server solutions)
SIMATIC PCS neo (Web applications / Other software)
SIMATIC ProSave (Client/Desktop applications / Other client software)
SINAMICS Startdrive (Client/Desktop applications / Other client software)
SINEC NMS (Server applications / Remote management servers, RDP, SSH)

Vendor: Siemens

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Insecure DLL loading

EUVDB-ID: #VU28934

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7585

CWE-ID: CWE-427 - Uncontrolled Search Path Element

Exploit availability: No

Description

The vulnerability allows a local user to compromise the vulnerable system.

The vulnerability exists because the application loads DLL libraries in an insecure manner. A local user can place a specially crafted .dll file, trick the victim into opening a file associated with the vulnerable application, and execute arbitrary code on the victim's system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SIMATIC PCS 7: All versions

SIMATIC PDM: All versions

SIMATIC STEP 7: before 5.6 SP2 HF3

SINAMICS STARTER: before 5.4 HF1

External links

http://ics-cert.us-cert.gov/advisories/icsa-20-161-05
http://cert-portal.siemens.com/productcert/pdf/ssa-689942.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Heap-based buffer overflow

EUVDB-ID: #VU28935

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7586

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A local user can pass specially crafted data to the application, trigger a heap-based buffer overflow and cause a denial of service condition on the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SIMATIC PCS 7: All versions

SIMATIC PDM: All versions

SIMATIC STEP 7: before 5.6 SP2 HF3

SINAMICS STARTER: before 5.4 HF1

External links

http://ics-cert.us-cert.gov/advisories/icsa-20-161-05
http://cert-portal.siemens.com/productcert/pdf/ssa-689942.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Unquoted Search Path or Element

EUVDB-ID: #VU28936

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7580

CWE-ID: CWE-428 - Unquoted Search Path or Element

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists because a component within the affected application regularly calls a helper binary with SYSTEM privileges while the call path is not quoted. A local administrator can execute arbitrary code with SYSTEM level privileges.
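The unquoted-path condition described above (CWE-428) is something a defender can audit for in the command lines used to start services and helper processes. The script below is an added example written for this bulletin, not Siemens code: it runs over a constructed sample of Windows ImagePath-style values, flags every unquoted executable path that contains a space, and proposes the quoted form a fix would use. The sample values and the helper names are assumptions.

```python
import re

# Constructed sample in the style of Windows service ImagePath values (not values
# from the Siemens advisory). On a real host these would be read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or Win32_Service.PathName.
SAMPLE_IMAGE_PATHS = {
    "QuotedOk":       r'"C:\Program Files\Vendor Tool\helper.exe" -svc',
    "NoSpacesOk":     r"C:\Windows\system32\svchost.exe -k netsvcs",
    "SpaceInArgsOk":  r"C:\Tools\helper.exe --log C:\Program Files\log.txt",
    "Unquoted":       r"C:\Program Files\Vendor Tool\bin\helper.exe --run",
    "UnquotedNoArgs": r"C:\Program Files (x86)\Vendor\helper service.exe",
}

# Heuristic split of an unquoted command line: the executable ends at the first
# ".exe" token; anything after the following whitespace is arguments. Without
# quotes the OS loader cannot know this boundary either, which is the root of CWE-428.
_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def _split_unquoted(cmd: str):
    """Return (exe_path, args) for an unquoted command line, or None if no .exe."""
    m = _EXE_RE.match(cmd.strip())
    if m is None:
        return None
    return m.group(1), (m.group(2) or "")


def is_unquoted_with_space(cmd: str) -> bool:
    """True when the executable path is unquoted and contains a space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return False  # already quoted: the executable boundary is explicit
    parts = _split_unquoted(cmd)
    return parts is not None and " " in parts[0]


def quoted_form(cmd: str) -> str:
    """Suggested fix: wrap only the executable path in double quotes."""
    parts = _split_unquoted(cmd.strip())
    if parts is None:
        return cmd
    exe, args = parts
    return f'"{exe}"{args}'


def audit(image_paths: dict) -> list:
    """Return (name, image_path, fixed_path) for every entry that needs quoting."""
    return [(n, p, quoted_form(p))
            for n, p in image_paths.items() if is_unquoted_with_space(p)]
```

A space inside the arguments alone (the `SpaceInArgsOk` entry) is deliberately not reported, since only the executable path is resolved by the loader.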

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SIMATIC Automation Tool: All versions

SIMATIC NET PC Software: 16

SIMATIC PCS 7: All versions

SIMATIC PCS neo: All versions

SIMATIC ProSave: All versions

SIMATIC S7-1500 Software Controller: All versions

SIMATIC STEP 7: before 5.6 SP2 HF3

SIMATIC STEP 7 (TIA Portal): 13.0 - 16.0

SIMATIC WinCC OA: before 3.17-P003

SIMATIC WinCC Runtime Professional: 13.0 - 16.0

Siemens SIMATIC WinCC: before 7.5 SP1 Update 3

SINAMICS Startdrive: All versions

SINEC NMS: All versions

SINEMA Server: All versions

SINUMERIK ONE virtual: All versions

SINUMERIK Operate: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-20-161-04
http://cert-portal.siemens.com/productcert/pdf/ssa-312271.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.