Full Report
A vulnerability was found in SIMATIC WinCC that could allow an authenticated local attacker to escape the Kiosk Mode and reach the underlying operating system. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: SIMATIC WinCC Kiosk Mode Escape
## CVE Details
- **CVE ID:** CVE-2022-24287
- **CVSS Score:** 7.8 (High)
- **CVSS Vector:** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- **CWE:** CWE-1188 (Insecure Default Initialization of Resource)
## Affected Systems
- **Products:**
  - SIMATIC PCS 7 (V8.2, V9.0, V9.1)
  - SIMATIC WinCC (V7.3, V7.4, V7.5)
  - SIMATIC WinCC Runtime Professional (V16 and earlier, V17)
- **Versions:**
  - PCS 7 V9.0: < V9.0 SP3 UC06
  - PCS 7 V9.1: < V9.1 SP1 UC01
  - WinCC V7.4: < V7.4 SP1 Update 21
  - WinCC V7.5: < V7.5 SP2 Update 8
  - WinCC Runtime Professional V17: < V17 Update 4
  - *Note: PCS 7 V8.2, WinCC V7.3, and WinCC Runtime Professional V16 (and earlier) have no planned fixes; only the workarounds below apply to them.*
- **Configurations:** Systems where a printer configuration is missing or improperly initialized on the host.
## Vulnerability Description
The affected products do not properly initialize the printer configuration on the host. If no physical default printer is configured, an attacker who already holds an authenticated local session can use the resulting condition to bypass the "Kiosk Mode" restrictions. Kiosk Mode is intended to confine the operator to the WinCC application interface; escaping it gives the attacker access to the underlying Windows desktop and operating system with the privileges of the account under which the WinCC session runs. Note that the CVSS vector has Privileges Required: Low and Scope: Unchanged, so this is a confinement bypass rather than a privilege escalation; what the attacker can do at OS level is bounded by the rights of that account, which is why that account should hold as few rights as possible.
## Exploitation
- **Status:** Proof of Concept (PoC) available; the Siemens advisory's vector carries the temporal metric E:P (Exploit Code Maturity: Proof-of-Concept), which the base vector quoted above does not show
- **Complexity:** Low
- **Attack Vector:** Local, Privileges Required: Low, User Interaction: None (the attacker needs an authenticated local session on the host; no other user has to act)
## Impact
- **Confidentiality:** High (Full access to host files and data)
- **Integrity:** High (Ability to modify system settings and files)
- **Availability:** High (Ability to disrupt system operations or shut down the host)
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **SIMATIC PCS 7 V9.0:** Update to V9.0 SP3 UC06 (includes WinCC V7.4 SP1 Update 21)
- **SIMATIC PCS 7 V9.1:** Update to V9.1 SP1 UC01 (includes WinCC V7.5 SP2 Update 8)
- **SIMATIC WinCC V7.4:** Update to V7.4 SP1 Update 21
- **SIMATIC WinCC V7.5:** Update to V7.5 SP2 Update 8
- **SIMATIC WinCC Runtime Professional V17:** Update to V17 Update 4
### Workarounds
For versions where no fix is planned or until patches can be applied:
- **Printer Configuration:** Ensure that a physical (non-file-based) printer is installed on the host and set as the default printer.
- **Remove Virtual Printers:** Do not install file-based printers (e.g., PDF or XPS writers, which prompt for an output file when printing) on the affected system, and remove any that are already present.
- **Host Hardening:** Restrict physical access and interactive remote access to the host to trusted personnel only, and run the Kiosk Mode session under a dedicated low-privilege account so that an escape does not yield administrative rights.
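The two printer workarounds can be audited on the host itself. The following PowerShell is an added example written for this page, not Siemens or WinCC code. It assumes that file-based queues can be recognised by their port name ("Microsoft Print to PDF" and "Microsoft XPS Document Writer" use the `PORTPROMPT:` port, "print to file" queues use `FILE:`); extend `$FilePorts` if your drivers use other virtual ports. The sample printer objects at the end are constructed for the offline check and are not a real inventory.

```powershell
# Added example (not from the Siemens advisory or WinCC itself): audit a WinCC host
# against the two printer workarounds above, i.e. a physical printer is installed
# and set as default, and no file-based virtual printers exist.
# Assumption: file-based queues are recognised by their port. "Microsoft Print to PDF"
# and "Microsoft XPS Document Writer" use PORTPROMPT:, "print to file" queues use FILE:.
# Extend $FilePorts if your drivers use other virtual ports. Run on the WinCC host.

function Test-WinCCPrinterWorkaround {
    [CmdletBinding()]
    param(
        # Win32_Printer instances; the default value queries the local host.
        [object[]]$Printers  = (Get-CimInstance -ClassName Win32_Printer),
        [string[]]$FilePorts = @('FILE:', 'PORTPROMPT:')
    )

    # -contains / -notcontains compare case-insensitively, so 'file:' also matches.
    $defaults        = @($Printers | Where-Object { $_.Default })
    $fileBased       = @($Printers | Where-Object { $FilePorts -contains    ([string]$_.PortName) })
    $physicalDefault = @($defaults | Where-Object { $FilePorts -notcontains ([string]$_.PortName) })

    $defaultName = if ($defaults.Count -gt 0) { $defaults[0].Name } else { $null }

    [pscustomobject]@{
        DefaultPrinter    = $defaultName
        DefaultIsPhysical = ($physicalDefault.Count -gt 0)
        FileBasedPrinters = @($fileBased | ForEach-Object { $_.Name })
        Compliant         = ($physicalDefault.Count -gt 0) -and ($fileBased.Count -eq 0)
    }
}

# Live check on this host:
Test-WinCCPrinterWorkaround | Format-List

# Offline check against constructed printer objects (not a real inventory):
# a PDF writer set as default alongside one network line printer.
$sample = @(
    [pscustomobject]@{ Name = 'Microsoft Print to PDF'; PortName = 'PORTPROMPT:';  Default = $true  },
    [pscustomobject]@{ Name = 'Plant line printer';     PortName = 'IP_10.0.0.50'; Default = $false }
)
Test-WinCCPrinterWorkaround -Printers $sample | Format-List
```

On a non-compliant host, `Remove-Printer -Name 'Microsoft Print to PDF'` (PrintManagement module) removes a file-based queue; keep in mind that Windows may re-create the built-in PDF and XPS writers as long as the optional features that provide them stay enabled, so re-run the check after updates.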
## Detection
- **Indicators of Compromise:** OS-level activity under the Kiosk Mode account that the WinCC runtime would not normally generate, e.g. creation of cmd.exe, powershell.exe, or explorer.exe processes, or file dialogs being used to browse outside the WinCC project directories.
- **Detection Methods:** Enable process-creation auditing (Windows Security event ID 4688, ideally with command-line logging, or Sysmon event ID 1) and alert on process creation or access to restricted system directories by the low-privileged WinCC/Kiosk account; baseline the processes the WinCC runtime legitimately starts first so that the rule does not fire on normal operation.
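The detection rule above, as an added example written for this page (not part of the Siemens advisory): it reads Windows Security event 4688 records and flags process creations in which a Kiosk Mode account starts an interactive shell or file manager. It assumes "Audit Process Creation" is enabled on the host; the account name `wincc_kiosk` and the WinCC parent-process path in the sample records are placeholders, and the two records at the end are constructed for the offline check, not captured from a real host.

```powershell
# Added example (not part of the original advisory): flag Windows Security event 4688
# (process creation) records in which a Kiosk Mode account starts an interactive shell
# or file manager, i.e. the OS-level activity listed as an indicator above.
# Assumptions: "Audit Process Creation" is enabled on the host (command-line logging is
# optional but helps triage); the account name and the WinCC parent-process path in the
# constructed sample are placeholders, adjust them to your site.

function Find-KioskEscapeEvent {
    [CmdletBinding()]
    param(
        # Event XML as returned by EventLogRecord.ToXml(), one string per event.
        [Parameter(Mandatory, ValueFromPipeline)] [string]$EventXml,
        [string[]]$KioskAccounts    = @('wincc_kiosk'),
        [string[]]$SuspiciousImages = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'explorer.exe')
    )
    process {
        $x = [xml]$EventXml

        # EventID may carry a Qualifiers attribute, in which case it is an element.
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
        if ([int]$id -ne 4688) { return }

        # EventData is a flat list of <Data Name="..."> nodes; index them by name.
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $user  = [string]$d['SubjectUserName']
        $image = [System.IO.Path]::GetFileName([string]$d['NewProcessName'])

        # -contains / -notcontains are case-insensitive, as Windows account and file names are.
        if ($KioskAccounts -notcontains $user)     { return }
        if ($SuspiciousImages -notcontains $image) { return }

        [pscustomobject]@{
            Time    = $x.Event.System.TimeCreated.SystemTime
            User    = $user
            Process = $d['NewProcessName']
            Parent  = $d['ParentProcessName']
            Command = $d['CommandLine']
        }
    }
}

# Live use: scan the last 24 hours of the Security log on the WinCC host.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } |
    ForEach-Object { $_.ToXml() } | Find-KioskEscapeEvent | Format-Table -AutoSize

# Offline check with two constructed records (not captured from a real host): a shell
# started by the kiosk account, and an unrelated editor started by an operator account.
# The parent path below is a placeholder for the WinCC runtime process on your install.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$shellByKiosk = @"
<Event xmlns="$ns"><System><EventID>4688</EventID><TimeCreated SystemTime="2022-06-14T10:15:00.000Z"/></System>
<EventData><Data Name="SubjectUserName">wincc_kiosk</Data>
<Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="ParentProcessName">C:\Program Files (x86)\Siemens\WinCC\bin\PdlRt.exe</Data>
<Data Name="CommandLine">cmd.exe</Data></EventData></Event>
"@
$editorByOperator = @"
<Event xmlns="$ns"><System><EventID>4688</EventID><TimeCreated SystemTime="2022-06-14T10:16:00.000Z"/></System>
<EventData><Data Name="SubjectUserName">operator</Data>
<Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data></EventData></Event>
"@
@($shellByKiosk, $editorByOperator) | Find-KioskEscapeEvent | Format-Table -AutoSize
```

Keying on the account rather than on the parent process keeps the rule independent of WinCC version-specific process names; once you have baselined which processes the runtime legitimately starts on your hosts, a second rule on `ParentProcessName` with an allowlist of expected children catches escapes that do not go through the shells listed here.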
## References
- **Siemens Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-363107.pdf
- **Siemens Industrial Security Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security
- **Support Links:**
- hxxps://support.industry.siemens[.]com/cs/ww/en/view/109806846/ (V7.4)
- hxxps://support.industry.siemens[.]com/cs/ww/en/view/109793460/ (V7.5)