Information disclosure in Siemens SIMATIC WinCC and SIMATIC PCS 7 - CVE-2014-8552
Published: April 5, 2017
Vulnerability identifier: #VU6191
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-8552
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Siemens
Affected software:
Siemens SIMATIC WinCC
SIMATIC PCS 7
Siemens SIMATIC WinCC
SIMATIC PCS 7
Detailed vulnerability description
The vulnerability allows a remote attacker to view arbitrary files on the system.
The vulnerability exists due to improper input validation when processing packets sent to the WinCC server. A remote unauthenticated attacker can send a specially crafted packet and view contents of arbitrary files on the target system.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information.
How to mitigate CVE-2014-8552
Install updates from vendor's website:
TIA Portal V13 (including WinCC Professional Runtime)
- Upgrade to WinCC V13 Update 6
http://support.automation.siemens.com/WW/view/de/90527654 (link is external)
WinCC 7.0
- Upgrade to WinCC 7.0 SP2 Update 11
http://support.automation.siemens.com/WW/view/en/107174184 (link is external)
WinCC V7.0 SP3
- Upgrade to WinCC 7.0 SP3 Update 7
http://support.automation.siemens.com/WW/view/en/109253830 (link is external)
WinCC 7.2
- Upgrade to WinCC 7.2 Update 9
http://support.automation.siemens.com/WW/view/en/104151435 (link is external)
WinCC 7.3
- Upgrade to WinCC 7.3 Update 2
http://support.automation.siemens.com/WW/view/en/105898606 (link is external)
PCS 7 V7.1 SP4
- Upgrade to WinCC 7.0 SP2 Update 11
http://support.automation.siemens.com/WW/view/en/107174184 (link is external) - Upgrade to OpenPCS 7 V7.1 SP4 Update 1
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to Route Control V7.1 SP2 Update 5
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to BATCH V7.1 SP1 Update 19
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to BATCH V7.1 SP2 Update 8
http://support.automation.siemens.com/WW/view/en/106226043 (link is external)
PCS 7 V8.0 SP2
- Upgrade to WinCC 7.2 Update 9
http://support.automation.siemens.com/WW/view/en/104151435 (link is external) - Upgrade to OpenPCS 7 V8.0 Update 5
http://support.automation.siemens.com/WW/view/en/106224418 (link is external) - Upgrade to Route Control V8.0 Update 4
http://support.automation.siemens.com/WW/view/en/106224418 (link is external) - Upgrade to BATCH V8.0 Update 11
http://support.automation.siemens.com/WW/view/en/106224418 (link is external)
PCS 7 V8.1
- Upgrade to WinCC 7.3 Update 2
http://support.automation.siemens.com/WW/view/de/105898606 (link is external) - Upgrade to OpenPCS 7 V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external) - Upgrade to Route Control V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external) - Upgrade to BATCH V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external)