Full Report
An attacker with access to the project file could run arbitrary system commands with the privileges of the local database server. The vulnerability impacts the confidentiality, integrity, and availability of the affected system.
Analysis Summary
# Vulnerability: Remote Code Execution via Specially Crafted Project Files in Siemens SIMATIC WinCC and PCS 7
## CVE Details
- **CVE ID:** CVE-2019-10916
- **CVSS Score:** 9.0 (High/Critical) - *Note: While the text provides a calculator link for 0.0, the vector string provided (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) calculates to 9.0 in CVSS v3.1.*
- **CWE:** CWE-94 (Improper Control of Generation of Code / Code Injection) - *Inferred from "run arbitrary system commands"*
## Affected Systems
- **Products:**
  - SIMATIC PCS 7
  - SIMATIC WinCC (TIA Portal)
  - SIMATIC WinCC Runtime Professional
  - SIMATIC WinCC V7.x
- **Versions:**
  - SIMATIC PCS 7: V8.0, V8.1, V8.2, V9.0 (All versions)
  - SIMATIC WinCC (TIA Portal): V13, V14, V15 (All versions)
  - SIMATIC WinCC Runtime Professional: V14, V15 (All versions)
  - SIMATIC WinCC: V7.2 and earlier, V7.3, V7.4, V7.5 (Versions prior to V7.5 Update 3)
- **Configurations:** The vulnerability is triggered when a user or system opens/processes a malicious project file.
## Vulnerability Description
An improper input validation flaw exists in the way the affected software handles project files. An attacker can create a specially crafted project file that, when accessed by the system, allows the execution of arbitrary system commands. These commands are executed with the privileges of the local database server, potentially granting the attacker full control over the underlying operating system and the ICS environment.
## Exploitation
- **Status:** Proof of Concept (PoC) available.
- **Complexity:** Low.
- **Attack Vector:** Network (Targeted via the delivery of a malicious project file, though requires High privileges or access to the project file location).
## Impact
- **Confidentiality:** High (Full access to database and system information).
- **Integrity:** High (Ability to modify project data and system settings).
- **Availability:** High (Ability to crash the service or delete critical project files).
## Remediation
### Patches
Siemens has released several updates to address this vulnerability:
- **SIMATIC WinCC V7.5:** Update to V7.5 Update 3 or later.
- **Other Products:** Users should check the Siemens Industry Online Support portal for specific updates for TIA Portal and PCS 7.
### Workarounds
- **Strict Access Control:** Limit file-system access to project files to authorized users only.
- **File Integrity:** Ensure project files are only received and opened from trusted, verified sources.
- **Principle of Least Privilege:** Ensure the database server service is running with the minimum necessary privileges to reduce the impact of command execution.
## Detection
- **Indicators of Compromise:** Unusual child processes spawned by the database server process (e.g., `cmd.exe` or `powershell.exe` originating from the SQL server instance linked to WinCC).
- **Detection Methods:** Monitor file integrity for changes to project structures and audit system logs for unauthorized command-line activity.
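The parent/child indicator above can be turned into a simple hunting rule. The following is an added example, not code from the advisory or from Siemens: it scans process-creation events in a Sysmon-style `Key: Value` layout (the sample records are constructed) and flags any command interpreter whose parent is the database server process. It assumes the WinCC-linked SQL Server instance runs as `sqlservr.exe` and that the interpreter list below is a reasonable baseline for the deployment; both are assumptions to adjust per site.

```python
"""Flag command interpreters spawned by the WinCC database server process.

Added example (not from the advisory or the vendor). Assumptions:
  - process-creation events arrive as blank-line separated 'Key: Value' records
    with UtcTime / Image / ParentImage / CommandLine fields (Sysmon-like);
  - the WinCC-linked database server runs as sqlservr.exe.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Image names that a database server has no business launching while
# handling project files (assumed baseline; tune for the site).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                       "wscript.exe", "cscript.exe"}
# Assumed image name of the database server process linked to WinCC.
DB_SERVER_IMAGES = {"sqlservr.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    utc_time: str
    image: str
    parent_image: str
    command_line: str


def parse_events(text: str) -> list[ProcessEvent]:
    """Parse blank-line separated 'Key: Value' records into ProcessEvent objects."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
        events.append(ProcessEvent(
            utc_time=fields.get("UtcTime", ""),
            image=fields.get("Image", ""),
            parent_image=fields.get("ParentImage", ""),
            command_line=fields.get("CommandLine", ""),
        ))
    return events


def _basename(win_path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(win_path).name.lower()


def is_db_server_child_interpreter(ev: ProcessEvent) -> bool:
    """True when the DB server process spawned a command interpreter."""
    return (_basename(ev.parent_image) in DB_SERVER_IMAGES
            and _basename(ev.image) in SUSPICIOUS_CHILDREN)


def find_suspicious(events: Iterable[ProcessEvent]) -> list[ProcessEvent]:
    """Return the events that match the parent/child indicator."""
    return [ev for ev in events if is_db_server_child_interpreter(ev)]


# Constructed sample records: two benign, two matching the indicator.
SAMPLE_EVENTS = r"""
UtcTime: 2019-05-16 10:21:58.001
Image: C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
ParentImage: C:\Windows\System32\services.exe
CommandLine: "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe" -sWINCC

UtcTime: 2019-05-16 10:22:01.123
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
CommandLine: "C:\Windows\System32\cmd.exe" /c hostname

UtcTime: 2019-05-16 10:22:05.456
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Windows\explorer.exe
CommandLine: "C:\Windows\System32\cmd.exe"

UtcTime: 2019-05-16 10:22:09.789
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentImage: C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
CommandLine: powershell.exe -NoProfile -Command Get-Date
"""

if __name__ == "__main__":
    for hit in find_suspicious(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {hit.utc_time}: {hit.parent_image} -> {hit.image}")
```

The rule keys on the parent image rather than the command line, so it still fires when the launched command is obfuscated; an operator opening a console from the desktop (the `explorer.exe` record) is not flagged. Pair it with the file-integrity monitoring of project directories noted above, since a flagged interpreter launch shortly after a project file change is the sequence the advisory describes.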
## References
- **Vendor Advisory:** hxxps://support.industry.siemens.com/cs/ww/en/view/109767227
- **NVD Detail:** hxxps://nvd.nist.gov/vuln/detail/CVE-2019-10916
- **Kaspersky ICS CERT:** hxxps://ics-cert.kaspersky[.]com/advisories/2019/05/16/klcert-19-025-siemens-simatic-wincc-and-simatic-pcs-7-remote-code-execution-using-specially-crafted-project-files/