Full Report
A Denial-of-Service vulnerability was found in SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC software when encrypted communication is enabled. The vulnerability could allow an attacker with network access to cause a Denial-of-Service condition under certain circumstances (versions prior to SIMATIC WinCC V7.3 or SIMATIC PCS 7 V8.1 are not affected as encrypted communication is not an option). Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available. Note: The vulnerability is part of a shared component, SIMATIC Communication Services (SCS), used by various Siemens products. The installation of a fix version of any product also removes the vulnerability for other products on the same system, even if those products were not updated.
Analysis Summary
# Vulnerability: Denial-of-Service in SIMATIC Communication Services (SCS)
## CVE Details
- **CVE ID:** CVE-2019-19282
- **CVSS Score:** 7.5 (High)
- **CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C`
- **CWE:** CWE-131: Incorrect Calculation of Buffer Size
## Affected Systems
- **Products:** SIMATIC PCS 7, SIMATIC WinCC (including TIA Portal), SIMATIC NET PC Software, SIMATIC BATCH, OpenPCS 7, and SIMATIC Route Control.
- **Versions:**
  - SIMATIC PCS 7: V8.1 (all), V8.2 (all), V9.0 (< V9.0 SP3).
  - SIMATIC WinCC: V7.3, V7.4 (< V7.4 SP1 Upd 14), V7.5 (< V7.5 SP1).
  - SIMATIC WinCC (TIA Portal): V14 (< V14 SP1 Upd 10), V15 (< V15.1 Upd 5), V16 (< V16 Upd 1).
  - SIMATIC NET PC Software: V14 (< V14 SP1 Upd 14), V15 (all), V16 (< V16 Upd 1).
  - SIMATIC BATCH: V8.1 (all), V8.2 (< V8.2 Upd 12), V9.0 (< V9.0 SP1 Upd 5).
- **Configurations:** Only systems with **encrypted communication enabled** are vulnerable. Versions prior to SIMATIC WinCC V7.3 or SIMATIC PCS 7 V8.1 are unaffected as they do not support this feature.
## Vulnerability Description
The vulnerability exists in the **SIMATIC Communication Services (SCS)**, a shared component used across multiple Siemens ICS product lines. Due to an incorrect calculation of buffer size (CWE-131), the service fails to properly handle specific packets when encrypted communication is active. An attacker can exploit this flaw to crash the service, resulting in a Denial-of-Service (DoS) condition for the affected software.
## Exploitation
- **Status:** Proof-of-Concept (PoC) available (denoted by "E:P" in CVSS vector).
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The primary impact is the loss of availability of the SIMATIC communication functions).
## Remediation
### Patches
Siemens has released several updates. Note that because this is a shared component (SCS), **installing a fix for one affected product on a system typically removes this vulnerability for all other Siemens products on that same system.**
- **SIMATIC WinCC V7.4:** Update to V7.4 SP1 Update 14 or later.
- **SIMATIC PCS 7 V9.0:** Update to V9.0 SP3 or later.
- **SIMATIC NET PC Software V16:** Update to V16 Update 1 or later.
- **SIMATIC BATCH V8.2:** Update to V8.2 Upd 12.
- **SIMATIC WinCC (TIA Portal):** Update to V16 Update 1, V15.1 Update 5, or V14 SP1 Update 10 depending on base version.
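
The affected-version table and the shared-component note above can be turned into an inventory check. The following is an added example, not Siemens code: the version-string grammar, the function names and the tuple encoding are assumptions, and V7.3 is treated as having no listed fix because the page gives none.

```python
import re

# Affected release lines as listed on this page: (line prefix, first fixed version or None).
# Version tuples are (major, minor, service pack, update); None = no fix listed on this page.
AFFECTED = {
    "SIMATIC PCS 7": [((8, 1), None), ((8, 2), None), ((9, 0), (9, 0, 3, 0))],
    "SIMATIC WinCC": [((7, 3), None), ((7, 4), (7, 4, 1, 14)), ((7, 5), (7, 5, 1, 0))],
    "SIMATIC WinCC (TIA Portal)": [((14,), (14, 0, 1, 10)), ((15,), (15, 1, 0, 5)),
                                   ((16,), (16, 0, 0, 1))],
    "SIMATIC NET PC Software": [((14,), (14, 0, 1, 14)), ((15,), None), ((16,), (16, 0, 0, 1))],
    "SIMATIC BATCH": [((8, 1), None), ((8, 2), (8, 2, 0, 12)), ((9, 0), (9, 0, 1, 5))],
}

# Assumed grammar: "V7.4 SP1 Upd 14", "V9.0 SP3", "V16 Update 1", "V8.2"
VERSION_RE = re.compile(
    r"^V(\d+)(?:\.(\d+))?(?:\s+SP\s*(\d+))?(?:\s+Upd(?:ate)?\s*(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Turn a Siemens-style version string into a comparable 4-tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(product, version):
    """Return 'affected', 'fixed' or 'not-listed' for one installed product."""
    installed = parse_version(version)
    for prefix, fixed in AFFECTED.get(product, []):
        if installed[:len(prefix)] == prefix:
            if fixed is None or installed < fixed:
                return "affected"
            return "fixed"
    return "not-listed"  # e.g. lines older than WinCC V7.3 / PCS 7 V8.1

def host_exposed(inventory, encrypted_comm_enabled):
    """inventory: list of (product, version) installed on one host."""
    if not encrypted_comm_enabled:  # only encrypted communication is vulnerable
        return False
    states = [classify(p, v) for p, v in inventory]
    # Shared SCS component: one product at a fix version covers the whole host.
    return "affected" in states and "fixed" not in states

if __name__ == "__main__":
    # Constructed sample inventory, not taken from a real system.
    host = [("SIMATIC PCS 7", "V8.2"), ("SIMATIC WinCC", "V7.4 SP1 Upd 13")]
    print(host_exposed(host, encrypted_comm_enabled=True))
```
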
### Workarounds
For products where no fix is planned (e.g., SIMATIC PCS 7 V8.1, SIMATIC NET PC V15):
- Disable encrypted communication if the environment allows.
- Implement defense-in-depth: Ensure the affected systems are not exposed to untrusted networks.
- Use firewalls to restrict access to the communication ports only to authorized nodes.
## Detection
- **Indicators of Compromise:** Unexpected crashing or restarting of SIMATIC Communication Services.
- **Detection Methods:** Monitor network traffic for malformed packets targeting Siemens communication ports. Use industrial IDS/IPS signatures specifically tuned for SIMATIC protocol anomalies.
## References
- **Siemens Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-270778.pdf
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories
- **Update Link (PCS 7 V9.0 SP3):** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109780584/