Multiple vulnerabilities in Siemens SIMATIC, SINAMICS, SINEC, SINEMA and SINUMERIK
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-7585 CVE-2020-7586 CVE-2020-7580 |
| CWE-ID | CWE-427 CWE-122 CWE-428 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
SIMATIC PCS 7 Server applications / SCADA systems SIMATIC PDM Server applications / SCADA systems SIMATIC STEP 7 Server applications / SCADA systems SIMATIC NET PC Software Server applications / SCADA systems SIMATIC S7-1500 Software Controller Server applications / SCADA systems SIMATIC STEP 7 (TIA Portal) Server applications / SCADA systems SIMATIC WinCC OA Server applications / SCADA systems SIMATIC WinCC Runtime Professional Server applications / SCADA systems Siemens SIMATIC WinCC Server applications / SCADA systems SINUMERIK ONE virtual Server applications / SCADA systems SINUMERIK Operate Server applications / SCADA systems SINAMICS STARTER Other software / Other software solutions SIMATIC Automation Tool Server applications / Other server solutions SINEMA Server Server applications / Other server solutions SIMATIC PCS neo Web applications / Other software SIMATIC ProSave Client/Desktop applications / Other client software SINAMICS Startdrive Client/Desktop applications / Other client software SINEC NMS Server applications / Remote management servers, RDP, SSH |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Insecure DLL loading
EUVDB-ID: #VU28934
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-7585
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to the application loads DLL libraries in an insecure manner. A local user can use a specially crafted .dll file, trick the victim into opening a file, associated with the vulnerable application, and execute arbitrary code on victim's system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSIMATIC PCS 7: All versions
SIMATIC PDM: All versions
SIMATIC STEP 7: before 5.6 SP2 HF3
SINAMICS STARTER: before 5.4 HF1
CPE2.3- cpe:2.3:a:siemens:simatic_pcs_7:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pdm:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_step_7:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinamics_starter:*:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-20-161-05
https://cert-portal.siemens.com/productcert/pdf/ssa-689942.pdf
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU28935
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-7586
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error. A local user can pass specially crafted data to the applicatoin, trigger heap-based buffer overflow and cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSIMATIC PCS 7: All versions
SIMATIC PDM: All versions
SIMATIC STEP 7: before 5.6 SP2 HF3
SINAMICS STARTER: before 5.4 HF1
CPE2.3- cpe:2.3:a:siemens:simatic_pcs_7:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pdm:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_step_7:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinamics_starter:*:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-20-161-05
https://cert-portal.siemens.com/productcert/pdf/ssa-689942.pdf
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Unquoted Search Path or Element
EUVDB-ID: #VU28936
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-7580
CWE-ID:
CWE-428 - Unquoted Search Path or Element
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exist due to a component within the affected application that regularly calls a helper binary with SYSTEM privileges while the call path is not quoted. A local administrator can execute arbitrary code with SYSTEM level privileges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSIMATIC Automation Tool: All versions
SIMATIC NET PC Software: 16
SIMATIC PCS 7: All versions
SIMATIC PCS neo: All versions
SIMATIC ProSave: All versions
SIMATIC S7-1500 Software Controller: All versions
SIMATIC STEP 7: before 5.6 SP2 HF3
SIMATIC STEP 7 (TIA Portal): 13.0 - 16.0
SIMATIC WinCC OA: before 3.16-P018
SIMATIC WinCC Runtime Professional: 13.0 - 16.0
Siemens SIMATIC WinCC: before 7.4 SP1 Update 14
SINAMICS Startdrive: All versions
SINEC NMS: All versions
SINEMA Server: All versions
SINUMERIK ONE virtual: All versions
SINUMERIK Operate: All versions
CPE2.3- cpe:2.3:a:siemens:simatic_automation_tool:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_net_pc_software:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_net_pc_software:16:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_neo:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_prosave:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_s7-1500_software_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_step_7:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_step_7_tia_portal:13.0:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_step_7_tia_portal:14.0:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc_oa:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc_runtime_professional:13.0:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:siemens_simatic_wincc:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinamics_startdrive:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinec_nms:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinema_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinumerik_one_virtual:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinumerik_operate:*:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-20-161-04
https://cert-portal.siemens.com/productcert/pdf/ssa-312271.pdf
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
