Multiple Vulnerabilities in Siemens Products Could Allow For Remote Code Execution

ITS Advisory Number: 
2016-125
Date(s) Issued: 
Monday, July 25, 2016
Subject: 
Multiple Vulnerabilities in Siemens Products Could Allow For Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in the Siemens SIMATIC WinCC and PCS software, which could allow for remote code execution. PCS is a distributed control system (DCS) that integrates SIMATIC WinCC. SIMATIC WinCC is a SCADA system used to monitor and control the physical processes of industrial and infrastructure facilities. This software is used in many industries, including food and beverage, water and wastewater, oil and gas, and chemical. Successful exploitation of these vulnerabilities could allow a remote attacker to execute code and take control of the system.

Systems Affected: 

SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7):

  • V7.1 SP4 and earlier versions
  • V8.0: All versions
  • V8.1: All versions
  • V8.2: All versions

SIMATIC WinCC:

  • V7.0 SP 2 and earlier versions
  • V7.0 SP 3: All versions
  • V7.2: All versions
  • V7.3: All versions < 7.3 Update 10
  • V7.4: All versions < 7.4 Update 1

SIMATIC WinCC Runtime Professional:

All versions < V13 SP 1 Update 9

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
N/A
Description: 

Multiple vulnerabilities have been discovered in SIMATIC WinCC and PCS software. Details of these vulnerabilities are as follows:

  • A vulnerability in SIMATIC WinCC and WinCC Runtime Professional could allow unauthenticated users to remotely execute code by sending specially crafted packets. (CVE-2016-5743)
  • An arbitrary file read vulnerability in SIMATIC WinCC could allow unauthenticated users to extract arbitrary files from a WinCC station by sending specially crafted packets. (CVE-2016-5744)

Successful exploitation of these vulnerabilities could allow a remote attacker to execute code to take control of the system.

Actions: 
  • After appropriate testing, apply the patches provided by Siemens.
  • Always run WinCC, WinCC Runtime Professional and PCS 7 stations within a trusted network and ensure they communicate only via trusted channels.
  • Whitelist trusted networks and clients.
  • Only allow trusted traffic over TCP port 1433.
  • Deactivate all unnecessary users on the WinCC server.
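The following script is an added example, not code from the advisory or from Siemens, showing how a defender might act on the "Systems Affected" and "Actions" sections: it maps the advisory's version ranges onto a host inventory to find stations still in the affected range, and it audits connection-log lines for TCP port 1433 traffic arriving from outside an allowlist of trusted networks. The inventory, the trusted network (10.10.0.0/24), the log line layout and the log entries are all constructed for the example; the log format is a simplified "date time action proto src dst sport dport" layout, not WinCC's or Windows Firewall's real format.

```python
import ipaddress
import re

# Version strings as written in the advisory, e.g. "V7.3 Update 10", "V13 SP 1 Update 9".
VERSION_RE = re.compile(
    r"V(\d+)(?:\.(\d+))?(?:\s*SP\s*(\d+))?(?:\s*Update\s*(\d+))?", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, service_pack, update); fields absent from the string are 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(product, version):
    """Apply the advisory's 'Systems Affected' ranges to a parsed version tuple."""
    major, minor, sp, upd = version
    if product == "PCS 7":
        # V7.1 SP4 and earlier, plus every V8.0 / V8.1 / V8.2 release
        return (major, minor, sp) <= (7, 1, 4) or major == 8
    if product == "WinCC":
        if (major, minor) == (7, 0):
            return sp <= 3              # V7.0 SP2 and earlier, and all of V7.0 SP3
        if (major, minor) == (7, 2):
            return True                 # all V7.2 releases
        if (major, minor) == (7, 3):
            return upd < 10             # fixed in V7.3 Update 10
        if (major, minor) == (7, 4):
            return upd < 1              # fixed in V7.4 Update 1
        return (major, minor) < (7, 0)  # anything older than V7.0
    if product == "WinCC Runtime Professional":
        return (major, sp, upd) < (13, 1, 9)  # fixed in V13 SP1 Update 9
    raise ValueError(f"unknown product: {product!r}")


# Constructed inventory: (hostname, product, version as reported by the installer)
INVENTORY = [
    ("os-client-01", "WinCC", "V7.3 Update 9"),
    ("os-client-02", "WinCC", "V7.3 Update 10"),
    ("es-01", "PCS 7", "V8.2"),
    ("rt-panel-03", "WinCC Runtime Professional", "V13 SP 1 Update 9"),
]


def affected_hosts(inventory):
    """Hostnames whose installed version falls inside the advisory's affected ranges."""
    return [host for host, product, ver in inventory
            if is_affected(product, parse_version(ver))]


# Constructed log layout: "date time action proto src dst sport dport" (hypothetical format).
CONN_RE = re.compile(r"^\S+ \S+ (\w+) (\w+) (\S+) (\S+) (\d+) (\d+)$")


def audit_port_1433(log_lines, trusted_nets):
    """Flag TCP/1433 connections (the port the advisory says to restrict) whose source
    address is outside the trusted networks. Returns (src, dst, action) tuples."""
    findings = []
    for line in log_lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue                    # skip malformed lines instead of aborting the audit
        action, proto, src, dst, _sport, dport = m.groups()
        if proto != "TCP" or int(dport) != 1433:
            continue
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in trusted_nets):
            findings.append((src, dst, action))
    return findings


TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # constructed plant network allowlist
SAMPLE_LOG = [  # constructed entries; 192.0.2.77 is a documentation address used as the outsider
    "2016-07-25 10:00:01 ALLOW TCP 10.10.0.5 10.10.0.20 49152 1433",
    "2016-07-25 10:00:02 ALLOW TCP 192.0.2.77 10.10.0.20 51000 1433",
    "2016-07-25 10:00:03 ALLOW UDP 192.0.2.77 10.10.0.20 51001 1433",
    "garbage line",
]

if __name__ == "__main__":
    print("hosts still in the affected range:", affected_hosts(INVENTORY))
    print("TCP/1433 connections from untrusted sources:",
          audit_port_1433(SAMPLE_LOG, TRUSTED_NETS))
```

Running the script lists os-client-01 and es-01 as still affected (V7.3 Update 9 is below the fixed Update 10, and every V8.2 PCS 7 release is listed as affected), and reports the single TCP/1433 connection from 192.0.2.77, which is outside the trusted 10.10.0.0/24 network; the UDP line is ignored because the advisory's restriction concerns TCP traffic.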