#VU28936 Unquoted Search Path or Element in Siemens Server applications


Published: 2020-06-10

Vulnerability identifier: #VU28936

Vulnerability risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7580

CWE-ID: CWE-428

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
SIMATIC Automation Tool (Server applications / Other server solutions)
SINEMA Server (Server applications / Other server solutions)
SIMATIC NET PC Software (Server applications / SCADA systems)
SIMATIC PCS 7 (Server applications / SCADA systems)
SIMATIC S7-1500 Software Controller (Server applications / SCADA systems)
SIMATIC STEP 7 (Server applications / SCADA systems)
SIMATIC STEP 7 (TIA Portal) (Server applications / SCADA systems)
SIMATIC WinCC OA (Server applications / SCADA systems)
SIMATIC WinCC Runtime Professional (Server applications / SCADA systems)
Siemens SIMATIC WinCC (Server applications / SCADA systems)
SINUMERIK ONE virtual (Server applications / SCADA systems)
SINUMERIK Operate (Server applications / SCADA systems)
SIMATIC PCS neo (Web applications / Other software)
SIMATIC ProSave (Client/Desktop applications / Other client software)
SINAMICS Startdrive (Client/Desktop applications / Other client software)
SINEC NMS (Server applications / Remote management servers, RDP, SSH)

Vendor: Siemens

Description

The vulnerability allows a local user to execute arbitrary code on the target system. 

The vulnerability exists because a component within the affected application regularly calls a helper binary with SYSTEM privileges while the call path is not quoted. A local administrator can execute arbitrary code with SYSTEM level privileges.
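
An unquoted call path of the kind described above can be found by auditing the command lines that privileged components launch. The following is an added example, not code from Siemens or from this advisory: the inventory entries, names and paths are constructed placeholders, and the list of launchable extensions is an assumption.

```python
import re

# End of the executable path inside an unquoted command line: the first
# launchable extension followed by whitespace or end of string (assumed list).
EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def audit_command_line(cmdline):
    """Return None when the executable path is unambiguous, else a finding dict."""
    cmd = cmdline.strip()
    if not cmd or cmd.startswith('"'):
        return None  # empty, or the path is already quoted
    match = EXE_END.search(cmd)
    # No recognisable extension: treat the whole string as the path (conservative).
    exe, args = (cmd[:match.end()], cmd[match.end():]) if match else (cmd, "")
    if " " not in exe:
        return None  # spaces occur only in the arguments, not in the path
    # "quoted" is the corrected form with the executable path in double quotes.
    return {"executable": exe, "quoted": f'"{exe}"{args}'}


def audit(entries):
    """entries: iterable of (name, command_line). Returns {name: finding}."""
    findings = {}
    for name, cmdline in entries:
        finding = audit_command_line(cmdline)
        if finding:
            findings[name] = finding
    return findings


# Constructed sample inventory; names and paths are placeholders.
SAMPLE = [
    ("svc-quoted", r'"C:\Program Files\Example Vendor\agent.exe" --service'),
    ("svc-unquoted", r"C:\Program Files\Example Vendor\Helper Tool\helper.exe /run"),
    ("svc-nospace", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ("task-unquoted", r"C:\Program Files (x86)\Example Vendor\update.cmd"),
]

if __name__ == "__main__":
    for name, f in audit(SAMPLE).items():
        print(f"{name}: unquoted path with spaces -> {f['quoted']}")
```

Entries that are flagged should be reported to the software owner or corrected by quoting the executable path, in addition to installing the vendor update.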

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

SIMATIC Automation Tool: All versions

SIMATIC NET PC Software: 16

SIMATIC PCS 7: All versions

SIMATIC PCS neo: All versions

SIMATIC ProSave: All versions

SIMATIC S7-1500 Software Controller: All versions

SIMATIC STEP 7: All versions

SIMATIC STEP 7 (TIA Portal): 13.0 - 16.0

SIMATIC WinCC OA: All versions

SIMATIC WinCC Runtime Professional: 13.0 - 16.0

Siemens SIMATIC WinCC: All versions

SINAMICS Startdrive: All versions

SINEC NMS: All versions

SINEMA Server: All versions

SINUMERIK ONE virtual: All versions

SINUMERIK Operate: All versions


External links
http://ics-cert.us-cert.gov/advisories/icsa-20-161-04
http://cert-portal.siemens.com/productcert/pdf/ssa-312271.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

