Two vulnerabilities in Siemens SIMATIC WinCC
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2014-8551 CVE-2014-8552 |
| CWE-ID | CWE-20 CWE-200 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #1 is being exploited in the wild. |
| Vulnerable software |
Siemens SIMATIC WinCC Server applications / SCADA systems SIMATIC PCS 7 Server applications / SCADA systems |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU6190
Risk: Critical
CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2014-8551
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to improper input validation when processing packets sent to the WinCC server. A remote unauthenticated attacker can send a specially crafted packet and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in targeted attacks.
MitigationInstall updates from vendor's website:
TIA Portal V13 (including WinCC Professional Runtime)
- Upgrade to WinCC V13 Update 6
http://support.automation.siemens.com/WW/view/de/90527654 (link is external)
WinCC 7.0
- Upgrade to WinCC 7.0 SP2 Update 11
http://support.automation.siemens.com/WW/view/en/107174184 (link is external)
WinCC V7.0 SP3
- Upgrade to WinCC 7.0 SP3 Update 7
http://support.automation.siemens.com/WW/view/en/109253830 (link is external)
WinCC 7.2
- Upgrade to WinCC 7.2 Update 9
http://support.automation.siemens.com/WW/view/en/104151435 (link is external)
WinCC 7.3
- Upgrade to WinCC 7.3 Update 2
http://support.automation.siemens.com/WW/view/en/105898606 (link is external)
PCS 7 V7.1 SP4
- Upgrade to WinCC 7.0 SP2 Update 11
http://support.automation.siemens.com/WW/view/en/107174184 (link is external) - Upgrade to OpenPCS 7 V7.1 SP4 Update 1
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to Route Control V7.1 SP2 Update 5
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to BATCH V7.1 SP1 Update 19
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to BATCH V7.1 SP2 Update 8
http://support.automation.siemens.com/WW/view/en/106226043 (link is external)
PCS 7 V8.0 SP2
- Upgrade to WinCC 7.2 Update 9
http://support.automation.siemens.com/WW/view/en/104151435 (link is external) - Upgrade to OpenPCS 7 V8.0 Update 5
http://support.automation.siemens.com/WW/view/en/106224418 (link is external) - Upgrade to Route Control V8.0 Update 4
http://support.automation.siemens.com/WW/view/en/106224418 (link is external) - Upgrade to BATCH V8.0 Update 11
http://support.automation.siemens.com/WW/view/en/106224418 (link is external)
PCS 7 V8.1
- Upgrade to WinCC 7.3 Update 2
http://support.automation.siemens.com/WW/view/de/105898606 (link is external) - Upgrade to OpenPCS 7 V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external) - Upgrade to Route Control V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external) - Upgrade to BATCH V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external)
Siemens SIMATIC WinCC: 7.0 SP1 - 7.3 Update 1
SIMATIC PCS 7: 7.1 SP1 - 8.1
CPE2.3- cpe:2.3:a:siemens:siemens_simatic_wincc:7.0 SP1:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:siemens_simatic_wincc:7.0 SP2:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:siemens_simatic_wincc:7.0 SP3:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:7.1 SP1:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:7.1 SP2:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:7.1 SP3:*:*:*:*:*:*:*
http://ics-cert.us-cert.gov/advisories/ICSA-14-329-02D
http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-134508.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
2) Information disclosure
EUVDB-ID: #VU6191
Risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-8552
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to view arbitrary files on the system.
The vulnerability exists due to improper input validation when processing packets sent to the WinCC server. A remote unauthenticated attacker can send a specially crafted packet and view contents of arbitrary files on the target system.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information.
MitigationInstall updates from vendor's website:
TIA Portal V13 (including WinCC Professional Runtime)
- Upgrade to WinCC V13 Update 6
http://support.automation.siemens.com/WW/view/de/90527654 (link is external)
WinCC 7.0
- Upgrade to WinCC 7.0 SP2 Update 11
http://support.automation.siemens.com/WW/view/en/107174184 (link is external)
WinCC V7.0 SP3
- Upgrade to WinCC 7.0 SP3 Update 7
http://support.automation.siemens.com/WW/view/en/109253830 (link is external)
WinCC 7.2
- Upgrade to WinCC 7.2 Update 9
http://support.automation.siemens.com/WW/view/en/104151435 (link is external)
WinCC 7.3
- Upgrade to WinCC 7.3 Update 2
http://support.automation.siemens.com/WW/view/en/105898606 (link is external)
PCS 7 V7.1 SP4
- Upgrade to WinCC 7.0 SP2 Update 11
http://support.automation.siemens.com/WW/view/en/107174184 (link is external) - Upgrade to OpenPCS 7 V7.1 SP4 Update 1
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to Route Control V7.1 SP2 Update 5
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to BATCH V7.1 SP1 Update 19
http://support.automation.siemens.com/WW/view/en/106226043 (link is external) - Upgrade to BATCH V7.1 SP2 Update 8
http://support.automation.siemens.com/WW/view/en/106226043 (link is external)
PCS 7 V8.0 SP2
- Upgrade to WinCC 7.2 Update 9
http://support.automation.siemens.com/WW/view/en/104151435 (link is external) - Upgrade to OpenPCS 7 V8.0 Update 5
http://support.automation.siemens.com/WW/view/en/106224418 (link is external) - Upgrade to Route Control V8.0 Update 4
http://support.automation.siemens.com/WW/view/en/106224418 (link is external) - Upgrade to BATCH V8.0 Update 11
http://support.automation.siemens.com/WW/view/en/106224418 (link is external)
PCS 7 V8.1
- Upgrade to WinCC 7.3 Update 2
http://support.automation.siemens.com/WW/view/de/105898606 (link is external) - Upgrade to OpenPCS 7 V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external) - Upgrade to Route Control V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external) - Upgrade to BATCH V8.1 Update 1
http://support.automation.siemens.com/WW/view/en/106226042 (link is external)
Siemens SIMATIC WinCC: 7.0 SP1 - 7.3 Update 1
SIMATIC PCS 7: 7.1 SP1 - 8.1
CPE2.3- cpe:2.3:a:siemens:siemens_simatic_wincc:7.0 SP1:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:siemens_simatic_wincc:7.0 SP2:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:siemens_simatic_wincc:7.0 SP3:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:7.1 SP1:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:7.1 SP2:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:7.1 SP3:*:*:*:*:*:*:*
http://ics-cert.us-cert.gov/advisories/ICSA-14-329-02D
http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-134508.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
