#VU6191 Information disclosure in Siemens SIMATIC WinCC and SIMATIC PCS 7 - CVE-2014-8552
Published: April 5, 2017
Vulnerability identifier: #VU6191
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-8552
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Siemens SIMATIC WinCC
SIMATIC PCS 7
Siemens SIMATIC WinCC
SIMATIC PCS 7
Software vendor:
Siemens
Siemens
Description
The vulnerability allows a remote attacker to view arbitrary files on the system.
The vulnerability exists due to improper input validation when processing packets sent to the WinCC server. A remote unauthenticated attacker can send a specially crafted packet and view contents of arbitrary files on the target system.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information.
Remediation
Install updates from vendor's website:
TIA Portal V13 (including WinCC Professional Runtime)
- Upgrade to WinCC V13 Update 6
http://support.automation.siemens.com/WW/view/de/90527654 (link is external)
WinCC 7.0
- Upgrade to WinCC 7.0 SP2 Update 11
http://support.automation.siemens.com/WW/view/en/107174184 (link is external)
WinCC V7.0 SP3
- Upgrade to WinCC 7.0 SP3 Update 7
http://support.automation.siemens.com/WW/view/en/109253830 (link is external)
WinCC 7.2
- Upgrade to WinCC 7.2 Update 9
http://support.automation.siemens.com/WW/view/en/104151435 (link is external)
WinCC 7.3
- Upgrade to WinCC 7.3 Update 2
http://support.automation.siemens.com/WW/view/en/105898606 (link is external)
PCS 7 V7.1 SP4
- Upgrade to WinCC 7.0 SP2 Update 11
http://support.automation.siemens.com/WW/view/en/107174184 (link is external) - Upgrade to OpenPCS 7 V7.1 SP4 Update 1
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to Route Control V7.1 SP2 Update 5
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to BATCH V7.1 SP1 Update 19
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to BATCH V7.1 SP2 Update 8
http://support.automation.siemens.com/WW/view/en/106226043 (link is external)
PCS 7 V8.0 SP2
- Upgrade to WinCC 7.2 Update 9
http://support.automation.siemens.com/WW/view/en/104151435 (link is external) - Upgrade to OpenPCS 7 V8.0 Update 5
http://support.automation.siemens.com/WW/view/en/106224418 (link is external) - Upgrade to Route Control V8.0 Update 4
http://support.automation.siemens.com/WW/view/en/106224418 (link is external) - Upgrade to BATCH V8.0 Update 11
http://support.automation.siemens.com/WW/view/en/106224418 (link is external)
PCS 7 V8.1
- Upgrade to WinCC 7.3 Update 2
http://support.automation.siemens.com/WW/view/de/105898606 (link is external) - Upgrade to OpenPCS 7 V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external) - Upgrade to Route Control V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external) - Upgrade to BATCH V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external)