Full Report
Multiple vulnerabilities could lead to arbitrary code and command execution on a target system and a denial-of-service condition
Analysis Summary
This report summarizes the security update Siemens released for SIMATIC WinCC and SIMATIC PCS 7 to address vulnerabilities reported by Kaspersky ICS CERT.
# Vulnerability: Remote Code Execution and DoS in Siemens SIMATIC WinCC / PCS 7
## CVE Details
*Note: The source refers to "multiple vulnerabilities"; the identifiers listed below are the critical ones it associates with this Kaspersky/Siemens disclosure cycle.*
- **CVE ID:** CVE-2019-6568, CVE-2019-6571 (Primary focus)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:**
- Siemens SIMATIC WinCC
- Siemens SIMATIC PCS 7 (Distributed Control System)
- **Versions:**
- WinCC versions: v7.3 SE SU before Update 13, v7.4 SP1 before Update 9, and v7.5 before Update 1 (see Remediation).
- PCS 7 versions: v8.1, v8.2, and v9.0.
- **Configurations:** Systems where the WinCC project is active and accessible via the network.
## Vulnerability Description
The vulnerabilities lie in how SIMATIC WinCC processes specially crafted packets received over the network. One flaw is a buffer overflow in the communication protocol handling; the other is improper validation of input data. An attacker who can reach the WinCC server (typically via 135/tcp, the RPC endpoint mapper, and the dynamic RPC ports the service binds behind it) can send a malicious packet that triggers memory corruption, leading to code execution or a crash of the service.
## Exploitation
- **Status:** Proof of concept held by the reporting researchers (internal, not public); no confirmed reports of exploitation in the wild at the time of publication.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential for unauthorized data access)
- **Integrity:** High (Potential for arbitrary command execution)
- **Availability:** High (Can trigger service crashes or system reboot)
## Remediation
### Patches
Siemens has released several updates to address these flaws. Users are advised to upgrade to the latest versions:
- **SIMATIC WinCC v7.5:** Install Update 1 or later.
- **SIMATIC WinCC v7.4 SP1:** Install Update 9 or later.
- **SIMATIC WinCC v7.3 SE SU:** Install Update 13 or later.
- **SIMATIC PCS 7:** Apply corresponding WinCC updates within the PCS 7 environment.
### Workarounds
- **Network Segmentation:** Isolate the ICS/SCADA network from the corporate network and the internet.
- **Port Filtering:** Restrict inbound access to the ports WinCC uses (e.g., 135/tcp for the RPC endpoint mapper, 1002/tcp, and the dynamic RPC port range) to trusted engineering workstations only; a rule that allows 135/tcp from any address defeats the restriction.
- **Least Privilege:** Ensure the WinCC service runs with the minimum necessary OS privileges.
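The port-filtering workaround, as an added example rather than guidance from Siemens or Kaspersky: it scopes inbound 135/tcp on the WinCC server to named engineering workstations with the built-in Windows Firewall and then audits for other enabled rules that would re-open the port from any address. The workstation addresses, the port list and the rule group name are assumptions for the example; run it in an elevated PowerShell session on the WinCC host.

```powershell
# Added example (not Siemens' or Kaspersky's own guidance): restrict inbound access to the
# WinCC server's RPC endpoint mapper (135/tcp) to named engineering workstations, then audit
# for other rules that would re-open the port. Hypothetical values: the workstation addresses,
# the port list and the rule group name. Run elevated on the WinCC server.

$TrustedWorkstations = @('10.10.20.11', '10.10.20.12')   # assumed engineering workstation IPs
$RestrictedPorts     = @('135')                           # add further WinCC ports from the vendor manual
$RuleGroup           = 'WinCC hardening (added example)'

# 1. With no matching allow rule, inbound traffic must be dropped. Set this on every profile so
#    a later profile change (e.g. a NIC re-classified as Private) does not silently open the host.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. One allow rule per port, scoped to the trusted addresses only.
foreach ($port in $RestrictedPorts) {
    $name = "WinCC TCP/$port from engineering workstations"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group $RuleGroup -Direction Inbound `
            -Protocol TCP -LocalPort $port -RemoteAddress $TrustedWorkstations `
            -Action Allow | Out-Null
    }
}

# 3. Audit. Allow rules are additive, so any other enabled inbound allow rule for the same port
#    from 'Any' address (for example the built-in "RPC Endpoint Mapper" rules, whose port filter
#    is the keyword RPC-EPMap) defeats the scoping above. Report them for review rather than
#    disabling them blindly; port ranges such as '1000-2000' are not parsed here.
$openers = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    if ($rule.Group -eq $RuleGroup) { continue }
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    if ($portFilter.Protocol -ne 'TCP' -and $portFilter.Protocol -ne 'Any') { continue }
    if ($addrFilter.RemoteAddress -notcontains 'Any') { continue }
    $localPorts = @($portFilter.LocalPort)
    $hits = $localPorts | Where-Object {
        $_ -eq 'Any' -or
        ($_ -eq 'RPC-EPMap' -and $RestrictedPorts -contains '135') -or
        $RestrictedPorts -contains $_
    }
    if ($hits) {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Profile   = $rule.Profile
            LocalPort = ($localPorts -join ',')
        }
    }
}

if ($openers) {
    Write-Warning 'Enabled rules that still allow the restricted ports from any address:'
    $openers | Format-Table -AutoSize
} else {
    Write-Host "No other inbound allow rule exposes TCP $($RestrictedPorts -join ', ') to arbitrary hosts."
}
```

The audit step is the part practitioners usually skip: Windows ships allow rules for the RPC endpoint mapper under several built-in groups, and a scoped allow rule does nothing while one of those is enabled for the active profile.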
## Detection
- **Indicators of Compromise:** Unexpected crashes of `CCRemoteService.exe` or `CCProjectMgr.exe` (on the host these appear in the Windows Application log as Event ID 1000 from source `Application Error`, with the process named as the faulting application).
- **Detection Methods:** Monitor network traffic for unusual binary patterns on Siemens-proprietary communication ports, and correlate host crash events with inbound connections on 135/tcp from hosts outside the engineering allowlist. Use Industrial Intrusion Detection Systems (IIDS) with signatures updated for Siemens protocol anomalies.
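The host-side check described above, as an added example that is not part of the original advisories: it pulls Application Error (Event ID 1000) records for the two WinCC processes from the Windows Application log and flags exception codes typical of memory corruption. The watched process list, look-back window and host name are assumptions for the example; the property positions (faulting application in the first property, faulting module in the fourth, exception code in the seventh) are the standard layout of that event.

```powershell
# Added example (not from the Siemens/Kaspersky advisories): collect crashes of the WinCC
# processes named as indicators from the Windows Application log and flag the exception codes
# that point at memory corruption. Process list, look-back window and host are assumptions.

function Get-WinCcCrashEvents {
    param(
        [string[]] $WatchedProcesses = @('CCRemoteService.exe', 'CCProjectMgr.exe'),
        [datetime] $Since = (Get-Date).AddDays(-7),
        [string]   $ComputerName = $env:COMPUTERNAME   # e.g. the WinCC server, queried remotely
    )

    # Exception codes that indicate a triggered memory-safety bug rather than an ordinary fault.
    $memoryCorruptionCodes = @{
        'c0000005' = 'ACCESS_VIOLATION'
        'c0000409' = 'STACK_BUFFER_OVERRUN (/GS cookie or fail-fast)'
        'c0000374' = 'HEAP_CORRUPTION'
    }

    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $app = [string]$e.Properties[0].Value
        if ($WatchedProcesses -notcontains $app) { continue }
        # Event 1000 stores the code as '0xc0000005'; strip the prefix for the lookup.
        $code = ([string]$e.Properties[6].Value).TrimStart('0', 'x')
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Process        = $app
            FaultingModule = [string]$e.Properties[3].Value
            ExceptionCode  = $code
            Suspicious     = $memoryCorruptionCodes.ContainsKey($code)
            Reason         = $memoryCorruptionCodes[$code]
        }
    }
}

# Usage: list the crashes, then count them per process and hour. A burst of access violations
# in CCRemoteService.exe, rather than a single crash, is the pattern to chase back to network traffic.
$crashes = Get-WinCcCrashEvents
$crashes | Sort-Object Time |
    Format-Table Time, Process, FaultingModule, ExceptionCode, Suspicious -AutoSize
$crashes | Group-Object Process, { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Select-Object @{ n = 'Process/Hour'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

Point `-ComputerName` at the WinCC server (remote event log access must be permitted) or run the function locally on it; a single `c0000409` in the remote service is worth a look on its own, since that code means a stack cookie check or fail-fast fired inside the process.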
## References
- **Vendor Advisory (Siemens SSA-274281):** hxxps[://]new[.]siemens[.]com/global/en/products/services/cert[.]html
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2019/05/20/critical-vulnerabilities-identified-by-kaspersky-lab-have-been-corrected-in-siemens-simatic-wincc-and-simatic-pcs-7/
- **CISA Advisory:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-19-136-01