Full Report
TIA Portal contains a path traversal vulnerability that could allow the creation or overwrite of arbitrary files in the engineering system. If the user is tricked into opening a malicious PC system configuration file, an attacker could exploit this vulnerability to achieve arbitrary code execution. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Path Traversal Leading to Arbitrary File Write and Potential RCE in TIA Portal
## CVE Details
- CVE ID: CVE-2023-26293
- CVSS Score: 7.3 (High) based on CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
- CWE: CWE-20: Improper Input Validation
## Affected Systems
- Products: Totally Integrated Automation Portal (TIA Portal)
- Versions:
  - TIA Portal V15: All versions affected (No fix planned).
  - TIA Portal V16: All versions prior to V16 Update 7.
  - TIA Portal V17: All versions prior to V17 Update 6.
  - TIA Portal V18: All versions prior to V18 Update 1.
- Configurations: Exploitation requires the user to open a malicious PC system configuration file.
## Vulnerability Description
The vulnerability is a path traversal flaw within TIA Portal. This flaw could permit an attacker to create or overwrite arbitrary files on the engineering system. If a user is induced to open a maliciously crafted PC system configuration file, this vulnerability could be leveraged to achieve arbitrary code execution.
## Exploitation
- Status: PoC available (implied by CVSS vector field E:P, Proof-of-Concept)
- Complexity: Low (AC:L - Attack Complexity Low)
- Attack Vector: Local (AV:L) - The attack is delivered as a file on the engineering system and is triggered only when the user opens the malicious file (User Interaction required: UI:R).
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: Low (A:L)
*(Note: The primary impact chain leads to potential RCE, which covers the high C and I scores associated with file overwrite/creation that facilitates code execution.)*
## Remediation
### Patches
- **TIA Portal V16:** Update to V16 Update 7 or later version.
- **TIA Portal V17:** Update to V17 Update 6 or later version.
- **TIA Portal V18:** Update to V18 Update 1 or later version.
- **TIA Portal V15:** Currently, no fix is planned.
### Workarounds
1. **Primary Workaround:** Do not open untrusted project files or PC system configuration files.
2. Follow Siemens' general security recommendations and operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Indicators may be subtle and localized to file system activity (creation/modification of unexpected system or configuration files) occurring after loading untrusted project files.
- **Detection Methods and Tools:** Monitor access and modification events related to critical system and configuration directories when TIA Portal processes external files originating from untrusted sources.
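The monitoring idea above, sketched as an added example (not from the Siemens advisory): it flags files created by the engineering process outside expected directories shortly after that process opened a file from an untrusted location. The process name, directory lists, time window and event records are all constructed placeholders to be replaced with values from your own file-event telemetry.

```python
import ntpath

# Assumptions for this sketch (none come from the advisory):
WATCHED_IMAGE = "tia-portal-placeholder.exe"   # placeholder process name
ALLOWED_ROOTS = [r"C:\EngProjects", r"C:\Users\eng\AppData\Local\Temp"]
UNTRUSTED_ROOTS = [r"C:\Users\eng\Downloads", "E:\\"]
WINDOW_SECONDS = 120

def _norm(path):
    # Collapse ".." segments and fold case so traversal sequences cannot hide the real target.
    return ntpath.normcase(ntpath.normpath(path))

def _under(path, roots):
    p = _norm(path)
    for root in roots:
        r = _norm(root).rstrip("\\")
        if p == r or p.startswith(r + "\\"):
            return True
    return False

def suspicious_writes(events):
    """Return creates by the watched process that land outside ALLOWED_ROOTS
    within WINDOW_SECONDS of it opening a file from an untrusted root."""
    findings, last_untrusted_open = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ntpath.basename(ev["image"]).lower() != WATCHED_IMAGE:
            continue
        if ev["action"] == "open" and _under(ev["path"], UNTRUSTED_ROOTS):
            last_untrusted_open = ev
        elif ev["action"] == "create" and last_untrusted_open is not None:
            in_window = ev["ts"] - last_untrusted_open["ts"] <= WINDOW_SECONDS
            if in_window and not _under(ev["path"], ALLOWED_ROOTS):
                findings.append({"ts": ev["ts"], "target": _norm(ev["path"]),
                                 "trigger": last_untrusted_open["path"]})
    return findings

# Constructed sample events (timestamps in seconds), not real telemetry.
IMG = r"C:\Program Files\Vendor\tia-portal-placeholder.exe"
SAMPLE_EVENTS = [
    {"ts": 100, "image": IMG, "action": "create", "path": r"C:\EngProjects\Line1\plc.dat"},
    {"ts": 200, "image": IMG, "action": "open", "path": r"C:\Users\eng\Downloads\station.cfg"},
    {"ts": 205, "image": IMG, "action": "create", "path": r"C:\EngProjects\Line1\hw.xml"},
    {"ts": 206, "image": IMG, "action": "create", "path": r"C:\EngProjects\Line1\..\..\ProgramData\Unexpected\dropped.bin"},
    {"ts": 207, "image": r"C:\Windows\explorer.exe", "action": "create", "path": r"C:\Windows\Temp\a.tmp"},
    {"ts": 900, "image": IMG, "action": "create", "path": r"C:\Windows\Temp\late.tmp"},
]

if __name__ == "__main__":
    for finding in suspicious_writes(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only the write at `ts` 206 is reported: it resolves outside the project root and follows the open of a downloaded file within the window.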
## References
- Siemens Advisory Link: hxxps://cert-portal.siemens.com/productcert/html/ssa-116924.html
- TIA Portal V16 Update Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109775861/
- TIA Portal V17 Update Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109784441/
- TIA Portal V18 Update Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109817218/
- Siemens Industrial Security: hxxps://www.siemens.com/industrialsecurity