Siemens Security Advisory by Siemens ProductCERT

SSA-134508: Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC in TIA Portal

Publication Date:    2014-11-21
Last Update:         2015-02-06
Current Version:     V1.4
CVSS Overall Score:  8.3

Summary:
The latest software update for SIMATIC WinCC fixes two critical vulnerabilities. One could allow unauthenticated remote code execution. Both vulnerabilities are resolved with the updates discussed below.

AFFECTED PRODUCTS

SIMATIC WinCC:
  o V7.0 SP3 and earlier versions
  o V7.2: All versions < V7.2 Update 9
  o V7.3: All versions < V7.3 Update 2

SIMATIC PCS 7 (as WinCC is incorporated):
  o V7.1 SP4 and earlier versions
  o V8.0: All versions < V8.0 SP2 with WinCC V7.2 Update 9
  o V8.1: All versions with WinCC V7.3 < V8.1 with WinCC V7.3 Update 2

TIA Portal V13 (including WinCC Professional Runtime): All versions < V13 Update 6

DESCRIPTION

SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system, PCS 7 is a distributed control system (DCS) integrating SIMATIC WinCC, and TIA Portal is an engineering software for SIMATIC products.

Detailed information about the vulnerabilities is provided below.

VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

Vulnerability 1 (CVE-2014-8551)

A component within WinCC could allow remote code execution for unauthenticated users if specially crafted packets are sent to the WinCC server.

CVSS Base Score:      10.0
CVSS Temporal Score:  8.3
CVSS Overall Score:   8.3
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)

Vulnerability 2 (CVE-2014-8552)

A component within WinCC could allow unauthenticated users to extract arbitrary files from the WinCC server if specially crafted packets are sent to the server.
CVSS Base Score:      7.8
CVSS Temporal Score:  6.1
CVSS Overall Score:   6.1
(AV:N/AC:L/Au:N/C:C/I:N/A:N/E:POC/RL:OF/RC:C)

Mitigating factors

The attacker must have network access to the affected system.

SOLUTION

Siemens has released updates for the following products and strongly encourages customers to upgrade to the new versions as soon as possible:

WinCC V7.0: Upgrade to WinCC V7.0 SP2 Update 11 [6]
WinCC V7.0 SP3: Upgrade to WinCC V7.0 SP3 Update 7 [8]
WinCC V7.2: Upgrade to WinCC V7.2 Update 9 [2]
WinCC V7.3: Upgrade to WinCC V7.3 Update 2 [3]

PCS 7 V7.1 SP4:
  o Upgrade to WinCC V7.0 SP2 Update 11 [6]
  o Upgrade to OpenPCS 7 V7.1 SP4 Update 1 [7]
  o Upgrade to Route Control V7.1 SP2 Update 5 [7]
  o Upgrade to BATCH V7.1 SP1 Update 19 [7]
  o Upgrade to BATCH V7.1 SP2 Update 8 [7]

PCS 7 V8.0 SP2:
  o Upgrade to WinCC V7.2 Update 9 [2]
  o Upgrade to OpenPCS 7 V8.0 SP1 Update 5 [4]
  o Upgrade to Route Control V8.0 SP1 Update 4 [4]
  o Upgrade to BATCH V8.0 SP1 Update 11 [4]

PCS 7 V8.1:
  o Upgrade to WinCC V7.3 Update 2 [3]
  o Upgrade to OpenPCS 7 V8.1 Update 1 [5]
  o Upgrade to Route Control V8.1 Update 1 [5]
  o Upgrade to BATCH V8.1 Update 1 [5]

TIA Portal V13 (including WinCC Professional Runtime): Upgrade to WinCC V13 Update 6 [1]

Until the updates can be deployed, Siemens advises to apply the following steps to mitigate the risk:

  o Always run WinCC server and engineering stations within a trusted network
  o Ensure that the WinCC server and the engineering stations communicate via encrypted channels only (e.g. activate feature “Encrypted Communications” in WinCC V7.3, or establish a VPN tunnel)
  o Restrict access to the WinCC server to trusted entities
  o Apply up-to-date application whitelisting software and virus scanners

As a general security measure, Siemens strongly recommends to protect network access to the SIMATIC WinCC server with appropriate mechanisms.
It is also advised to follow recommended security practices [11] and to configure the environment according to operational guidelines [9] in order to run the devices in a protected IT environment.

ACKNOWLEDGEMENT

Siemens thanks the following for their support and coordination efforts:

  o Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
  o Symantec Deepsight Intelligence

ADDITIONAL RESOURCES

[1] Updates for WinCC Runtime Professional V13:
    http://support.automation.siemens.com/WW/view/en/90527654
[2] Update 9 for WinCC 7.2:
    http://support.automation.siemens.com/WW/view/en/104151435
[3] Update 2 for WinCC 7.3:
    http://support.automation.siemens.com/WW/view/en/105898606
[4] Updates for PCS 7 V8.0 SP2:
    http://support.automation.siemens.com/WW/view/en/106224418
[5] Updates for PCS 7 V8.1:
    http://support.automation.siemens.com/WW/view/en/106226042
[6] Update 11 for WinCC 7.0 SP2:
    http://support.automation.siemens.com/WW/view/en/107174184
[7] Update for PCS 7 V7.1 SP4:
    http://support.automation.siemens.com/WW/view/en/106226043
[8] Update 7 for WinCC 7.0 SP3:
    http://support.automation.siemens.com/WW/view/en/109253830
[9] An overview of the operational guidelines for Industrial Security (with the cell protection concept):
    https://www.industry.siemens.com/topics/global/en/industrialsecurity/Documents/operational_guidelines_industrial_security_en.pdf
[10] Information about Industrial Security by Siemens:
    http://www.siemens.com/industrialsecurity
[11] Recommended security practices by ICS-CERT:
    http://ics-cert.us-cert.gov/content/recommended-practices
[12] For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:
    http://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2014-11-21): Publication Date
V1.1 (2014-11-28): Added updates for PCS 7 V8.0 SP2
V1.2 (2014-12-11): Added updates for PCS 7 V8.1 and WinCC 7.0 SP2
V1.3 (2014-12-16): Added updates for PCS 7 V7.1 SP4
V1.4 (2015-02-06): Added updates for WinCC 7.0 SP3

DISCLAIMER

See: http://www.siemens.com/terms_of_use

SSA-134508 © Siemens AG 2015