SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-734120152] Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download App | SIS Signature |
|---|---|---|---|---|---|---|---|---|
| 2016-07-26 | HMI, OPC | Siemens SIMATIC | Sergey Temnikov, Vladimir Dashchenko | N/A | 2016-5743, 2016-5744 | N/A | N/A | N/A |

Source
#
# Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities
#


### OVERVIEW

Siemens has identified two vulnerabilities in SIMATIC WinCC, PCS 7, and WinCC Runtime Professional. Sergey Temnikov and Vladimir Dashchenko from Kaspersky Lab reported these issues directly to Siemens. Siemens has produced updates to mitigate these vulnerabilities.

These vulnerabilities could be exploited remotely.




### AFFECTED PRODUCTS

Siemens reports that the vulnerabilities affect the following products:

SIMATIC WinCC:

V7.0 SP 2 and earlier versions,
V7.0 SP 3: All versions,
V7.2: All versions,
V7.3: All versions prior to 7.3 Update 10, and
V7.4: All versions prior to 7.4 Update 1

SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7):

V7.1 SP4 and earlier versions,
V8.0: All versions,
V8.1: All versions, and
V8.2: All versions

SIMATIC WinCC Runtime Professional: All versions prior to V13 SP 1 Update 9.





### IMPACT

Attackers exploiting these vulnerabilities could possibly extract arbitrary files or remotely execute arbitrary code.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.






### BACKGROUND

Siemens is a multinational company headquartered in Munich, Germany.

The affected products are SIMATIC WinCC, a supervisory control and data acquisition (SCADA) system, and PCS 7, a distributed control system (DCS) integrating SIMATIC WinCC. These products are deployed across several sectors including Chemical, Energy, Food and Agriculture, and Water and Wastewater Systems. Siemens estimates that these products are used worldwide.





### VULNERABILITY CHARACTERIZATION


# VULNERABILITY OVERVIEW

IMPROPER INPUT VALIDATION

Specially crafted packets sent to SIMATIC WinCC or WinCC Runtime Professional could allow remote code execution for unauthenticated users.
CVE-2016-5743 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).



IMPROPER INPUT VALIDATION

Specially crafted packets sent to SIMATIC WinCC could allow unauthenticated users to extract arbitrary files from the WinCC station. This vulnerability only affects WinCC V7.0 and WinCC V7.2.
CVE-2016-5744 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).


### VULNERABILITY DETAILS


# EXPLOITABILITY

These vulnerabilities could be exploited remotely.


# EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.


# DIFFICULTY

An attacker with low skill would be able to exploit these vulnerabilities.





### MITIGATION

Siemens has produced updates for the following products and strongly encourages users to upgrade to the new versions as soon as possible:

- WinCC V7.3: Update to WinCC V7.3 Update 10
  https://support.industry.siemens.com/cs/ww/en/view/109738470
- WinCC V7.4: Update to WinCC V7.4 Update 1
  https://support.industry.siemens.com/cs/ww/de/view/109738653
- PCS 7 V8.1 SP1:
  - WinCC: Update to WinCC V7.3 Update 10
    https://support.industry.siemens.com/cs/ww/en/view/109738470
  - SIMATIC BATCH: Update to SIMATIC BATCH V8.1 SP1 Upd. 9
    Contact Customer Support: https://support.industry.siemens.com/cs/de/en/
  - OpenPCS 7: Update to OpenPCS 7 V8.1 Upd. 3
    Contact Customer Support: https://support.industry.siemens.com/cs/de/en/
- PCS 7 V8.2:
  - WinCC: Update to WinCC V7.4 Update 1
    https://support.industry.siemens.com/cs/ww/de/view/109738653
  - OpenPCS 7: Update to OpenPCS 7 V8.2 Update 1
    Contact Customer Support: https://support.industry.siemens.com/cs/de/en/
- WinCC Runtime Professional V13: Update to WinCC Runtime Professional V13 SP1 Update 9
  https://support.industry.siemens.com/cs/ww/en/view/109311724




Until updates can be applied, Siemens recommends the following steps to mitigate the risk:

1. Always run WinCC, WinCC Runtime Professional, and PCS 7 stations within a trusted network.
2. Ensure that WinCC, WinCC Runtime Professional, and PCS 7 stations communicate via encrypted channels only (e.g., activate feature "Encrypted Communications" in WinCC V7.3 and PCS 7 V8.1 SP1, or establish a VPN tunnel).
3. Restrict access to the WinCC, WinCC Runtime Professional and PCS 7 stations to trusted entities.
4. Apply up-to-date application whitelisting software and virus scanners.


For more information on these vulnerabilities and more detailed mitigation instructions, please see Siemens Security Advisory SSA-378531 at the following location:
http://www.siemens.com/cert/en/cert-security-advisories.htm

As a general security measure Siemens strongly recommends protecting network access to the WinCC and PCS 7 stations with appropriate mechanisms. Siemens advises configuring the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment.
https://www.siemens.com/cert/operational-guidelines-industrial-security