Improper access control in Siemens SIMATIC WinCC

Published: 2019-05-14 | Updated: 2019-05-31

Risk	High
Patch available	NO
Number of vulnerabilities	1
CVE-ID	CVE-2019-10922
CWE-ID	CWE-284
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Siemens SIMATIC WinCC Server applications / SCADA systems SIMATIC PCS 7 Server applications / SCADA systems
Vendor	Siemens

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Improper access control

EUVDB-ID: #VU18656

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-10922

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions when installations have not “Encrypted Communication” configured. A remote unauthenticated attacker with network access may be able to execute arbitrary code.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

A vendor recommends to:

Upgrade SIMATIC WinCC to v7.3 or newer.
Upgrade SIMATIC PCS 7 to v8.1 or newer.
Enable Encrypted Communications (some newer versions have this enabled by default).
Apply defense-in-depth concepts.

Vulnerable software versions

Siemens SIMATIC WinCC: v11 - 15 Update 4

SIMATIC PCS 7: 6.1 - 9.0

CPE2.3

External links

https://www.securityfocus.com/bid/108398
https://cert-portal.siemens.com/productcert/pdf/ssa-705517.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.