CERT-In Vulnerability Note
CIVN-2014-0272
Multiple Vulnerabilities in Siemens SIMATIC WinCC, PCS7 and TIA Portal
Original Issue Date: December 05, 2014
Severity Rating: HIGH
Software Affected
- SIMATIC WinCC V7.0 SP2 and prior
- SIMATIC WinCC V7.0 SP3 and prior
- SIMATIC WinCC prior to V7.2 Update 9
- SIMATIC WinCC prior to V7.3 Update 2
- SIMATIC PCS7 V7.1 SP4 and prior
- SIMATIC PCS7 prior to V8.0 SP2 with WinCC V7.2 update 9
- SIMATIC PCS7 prior to V8.1 SP2 with WinCC V7.3 update 2
- TIA Portal prior to V13 Update 6
Overview
Multiple vulnerabilities have been reported in Siemens products which could be exploited by a remote attacker to execute arbitrary code and obtain sensitive information.
Description
These vulnerabilities exist in a component of WinCC and could allow an unauthenticated remote attacker to extract arbitrary files and execute code remotely by sending specially crafted packets to the WinCC server.
Solution
Apply the appropriate updates as mentioned by the vendor:
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-134508.pdf
Vendor Information
Siemens
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-134508.pdf
References
Siemens
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-134508.pdf
https://www.industry.siemens.com/topics/global/en/industrialsecurity/Documents/operational_guidelines_industrial_security_en.pdf
ICS-CERT
https://ics-cert.us-cert.gov/advisories/ICSA-14-329-02
https://ics-cert.us-cert.gov/Recommended-Practices
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=36560
http://tools.cisco.com/security/center/viewAlert.x?alertId=36559
CVE Name
CVE-2014-8551
CVE-2014-8552
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India