Full Report
Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. Siemens has released a new version for SIMATIC STEP 7 Safety V18 and recommends updating to the latest version.
Analysis Summary
# Vulnerability: .NET BinaryFormatter Deserialization in Siemens STEP 7 Safety
## CVE Details
- CVE ID: CVE-2023-32737
- CVSS Score: 7.0 (CVSS v4.0 High) / 6.3 (CVSS v3.1 Medium)
- CWE: CWE-502: Deserialization of Untrusted Data
## Affected Systems
- Products: Totally Integrated Automation Portal (TIA Portal), SIMATIC STEP 7 Safety
- Versions: SIMATIC STEP 7 Safety V18 (All versions prior to V18 Update 2)
- Configurations: Applications that deserialize user-controllable input using the .NET BinaryFormatter.
## Vulnerability Description
Affected Siemens applications improperly handle deserialization when using the .NET `BinaryFormatter` on user-controllable input. This lack of restriction allows an attacker to induce a **type confusion** vulnerability. Successful exploitation can lead to the execution of arbitrary code within the context of the vulnerable application. This vulnerability is related to known issues with the insecure use of `BinaryFormatter`.
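The pattern behind this CWE-502 finding, shown as an added illustration rather than Siemens code: an unrestricted `BinaryFormatter.Deserialize` call instantiates whatever type the incoming stream names, while a strict `SerializationBinder` allow-list rejects any type the loader does not expect before an object is constructed. The `SafetyProjectHeader` type and the loader class names are hypothetical.

```csharp
// Added example (not from the Siemens advisory): unsafe BinaryFormatter use
// on untrusted input beside a hardened form. All names here are hypothetical.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public sealed class SafetyProjectHeader   // hypothetical project-file record
{
    public string Name = "";
    public int Version;
}

// Vulnerable: the formatter resolves and constructs whatever type the byte
// stream names, so attacker-controlled project data chooses the type.
public static class UnsafeLoader
{
    public static object Load(byte[] untrustedProjectData)
    {
        var formatter = new BinaryFormatter();
        return formatter.Deserialize(new MemoryStream(untrustedProjectData));
    }
}

// Hardened: a binder that only resolves an explicit allow-list. Any other
// type name in the stream fails here, before an instance exists.
public sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(SafetyProjectHeader).FullName)
            return typeof(SafetyProjectHeader);
        throw new SerializationException(
            $"Rejected unexpected type in project data: {typeName}");
    }
}

public static class HardenedLoader
{
    public static SafetyProjectHeader Load(byte[] untrustedProjectData)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        return (SafetyProjectHeader)formatter.Deserialize(
            new MemoryStream(untrustedProjectData));
    }
}
```

A strict binder narrows the exposure but is not a complete fix: Microsoft's guidance is that BinaryFormatter cannot be made safe for untrusted input and should be replaced with a serializer that does not let the payload pick types, and it is disabled by default from .NET 8 onward.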
## Exploitation
- Status: Exploitable. The report indicates proof-of-concept code is publicly available, which corresponds to E:P (Exploit Code Maturity: Proof-of-Concept) in the CVSS v3.1 temporal vector.
- Complexity: High in CVSS v3.1 (AC:H), Low in CVSS v4.0 (AC:L). *Note: the v4.0 vector's Low attack complexity suggests exploitation may be easier than the v3.1 assessment implies.*
- Attack Vector: Local in both vectors (CVSS v3.1 AV:L and CVSS v4.0 AV:L); the context suggests user interaction is required, typically local access or access to a specific file.
## Impact
- Confidentiality: High (Arbitrary code execution likely leads to full system compromise)
- Integrity: High (Arbitrary code execution allows data manipulation)
- Availability: High (Arbitrary code execution can lead to service disruption)
## Remediation
### Patches
- **Totally Integrated Automation Portal (TIA Portal) & SIMATIC STEP 7 Safety V18:** Update to **V18 Update 2 or later version**.
### Workarounds
1. **Input Restriction:** Avoid uploading PLC software from untrusted devices or Memory Cards (MMC cards).
2. **General Security:** Configure the environment according to Siemens' operational guidelines for Industrial Security and follow product manual recommendations to protect network access to devices.
## Detection
- **Indicators of Compromise:** Unexpected process execution or system behaviour that begins while the application is loading configuration or project data that gets deserialized, particularly data from external sources (e.g., USB media, network shares).
- **Detection Methods and Tools:** Monitor application logs for abnormal input processing around BinaryFormatter operations, and use endpoint detection and response (EDR) tooling that can flag process injection involving the running Siemens services.
## References
- Vendor Advisories: SSA-313039
- Relevant Links:
  - Update Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109817218/
  - Siemens Industrial Security Portal: hxxps://www.siemens.com/industrialsecurity