Full Report
Affected products contain a local arbitrary code execution vulnerability that could allow an attacker to perform actions against the operating system of that environment. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available. Siemens has released products based on the Totally Integrated Automation Portal (TIA Portal) V20 which are not affected by CVE-2024-52051. See the chapter “Additional Information” below for more details.
Analysis Summary
# Vulnerability: Local Arbitrary Code Execution in Siemens Engineering Platforms
## CVE Details
- **CVE ID:** CVE-2024-52051
- **CVSS Score:** 7.3 (High) - CVSS v3.1 / 7.0 (High) - CVSS v4.0
- **CWE:** CWE-20: Improper Input Validation
## Affected Systems
- **Products:** Various TIA Portal-based engineering platforms and simulation tools.
- **Versions:**
  - **SIMATIC STEP 7 / WinCC / Safety (V17):** Versions < V17 Update 9
  - **SIMATIC STEP 7 / WinCC / Safety (V18/V19):** Specific versions (Fixes released in TIA Portal V19 and V17 Update 9)
  - **SIMATIC S7-PLCSIM:** V17 and V18 (All versions)
  - **SIMOCODE ES:** V17 (All versions)
  - **SIMOTION SCOUT TIA:** V5.4, V5.5, V5.6 (All versions)
  - **SINAMICS Startdrive:** V17 (All versions)
  - **SIRIUS Safety ES / Soft Starter ES:** V17 (All versions)
  - **TIA Portal Cloud:** V17 (All versions)
- **Configurations:** Systems where an attacker has local access and can influence user settings files.
## Vulnerability Description
The affected products do not properly sanitize user-controllable input when parsing user settings. An attacker can manipulate these settings to trigger improper input validation, leading to the execution of arbitrary commands on the host operating system. The commands are executed with the privileges of the user currently running the application.
## Exploitation
- **Status:** PoC available (the CVSS temporal metric `E:P` indicates that proof-of-concept exploit code exists).
- **Complexity:** Low
- **Attack Vector:** Local (Requires the attacker to have a presence on the machine or convince a user to import malicious settings).
- **User Interaction:** Required (Target user must perform an action, such as opening the application with manipulated settings).
## Impact
- **Confidentiality:** High (Full access to user-accessible data)
- **Integrity:** High (Ability to modify system files and application logic)
- **Availability:** High (Potential for system instability or denial of service)
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **TIA Portal V20:** Not affected by this vulnerability.
- **TIA Portal V17:** Update to V17 Update 9 or later.
- **TIA Portal V19:** Fixes have been integrated (refer to Siemens support for specific update packages).
### Workarounds
For products where fixes are not yet available (e.g., S7-PLCSIM V17/V18):
- Limit access to engineering workstations to authorized personnel only.
- Do not open or import configuration files/settings from untrusted sources.
- Follow the "Operational Guidelines for Industrial Security" provided by Siemens.
## Detection
- **Indicators of Compromise:** Unusual child processes spawning from TIA Portal or PLCSIM processes; unauthorized modifications to user settings files or registry keys associated with Siemens engineering software.
- **Detection methods and tools:** Monitor for suspicious command-line executions (e.g., cmd.exe, powershell.exe) originating from Siemens software binaries. Ensure EDR/AV solutions are active on engineering workstations.
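The parent/child relationship described above can be checked mechanically against process-creation telemetry. The following is an added example, not part of the advisory or of any Siemens tooling: it parses constructed Sysmon-style Event ID 1 records in JSON Lines form and flags events where an engineering tool spawns a command interpreter. The Siemens image names in `ENGINEERING_PARENTS` and the sample log entries are assumptions for illustration and should be replaced with the binaries actually installed on the workstation.

```python
"""Flag shells spawned by Siemens engineering processes in Sysmon-style logs.

Added example for the detection guidance in this report; it is not part of
the advisory or of any Siemens software. The log records are constructed
Sysmon Event ID 1 (process creation) entries in JSON Lines form, and the
parent image names are assumptions to be confirmed on a real install.
"""
import json
from dataclasses import dataclass

# Assumed image names of the engineering tools named in the advisory.
# Placeholders: confirm the real executable names on an installed
# workstation before deploying this rule.
ENGINEERING_PARENTS = {
    "siemens.automation.portal.exe",  # TIA Portal (assumed name)
    "siemens.simatic.plcsim.exe",     # S7-PLCSIM (assumed name)
}

# Command interpreters called out in the detection guidance; pwsh.exe
# (PowerShell 7) is added as the obvious equivalent of powershell.exe.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample log: four process-creation events and one network
# event. Two of the process-creation events should match the rule.
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2025-01-15 10:02:11", "User": "WS01\\engineer", "ParentImage": "C:\\Program Files\\Siemens\\Automation\\Portal V17\\bin\\Siemens.Automation.Portal.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo constructed-sample"}
{"EventID": 1, "UtcTime": "2025-01-15 10:02:15", "User": "WS01\\engineer", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 1, "UtcTime": "2025-01-15 10:03:40", "User": "WS01\\engineer", "ParentImage": "C:\\Program Files\\Siemens\\Automation\\Portal V17\\bin\\Siemens.Automation.Portal.exe", "Image": "C:\\Program Files\\Siemens\\Automation\\Portal V17\\bin\\Siemens.Automation.Helper.exe", "CommandLine": "Siemens.Automation.Helper.exe"}
{"EventID": 1, "UtcTime": "2025-01-15 10:05:02", "User": "WS01\\engineer", "ParentImage": "C:\\Program Files\\Siemens\\Automation\\PLCSIM V18\\bin\\Siemens.Simatic.PlcSim.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE", "CommandLine": "powershell.exe -NoProfile"}
{"EventID": 3, "UtcTime": "2025-01-15 10:05:03", "User": "WS01\\engineer", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "10.0.0.5"}
"""


@dataclass(frozen=True)
class Finding:
    """One matching process-creation event, reduced to the fields an analyst needs."""
    time: str
    user: str
    parent: str
    child: str
    command_line: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shell_from_engineering_tool(event: dict) -> bool:
    """True for a process-creation event where an engineering tool spawns a shell."""
    if event.get("EventID") != 1:
        return False
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in ENGINEERING_PARENTS and child in SHELL_CHILDREN


def scan_log(text: str) -> list[Finding]:
    """Parse JSON Lines telemetry and return every event matching the rule."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_shell_from_engineering_tool(event):
            findings.append(Finding(
                time=event.get("UtcTime", "?"),
                user=event.get("User", "?"),
                parent=image_name(event["ParentImage"]),
                child=image_name(event["Image"]),
                command_line=event.get("CommandLine", ""),
            ))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.user}: {f.parent} -> {f.child} [{f.command_line}]")
```

Matching on the image file name rather than the full path keeps the rule stable across TIA Portal versions installed under different directories, and lower-casing both sides avoids misses on case-mixed paths such as the `POWERSHELL.EXE` record in the sample. Legitimate helper processes started by the engineering tool (the third sample event) do not match because only command interpreters are in `SHELL_CHILDREN`; any genuine false positives found in a given environment can be handled by adding an explicit exception on the command line rather than by widening the parent set.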
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-392859[.]html
- **Siemens Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **TIA Portal V17 Update 9 Download:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109784441/