Full Report
Before SIMATIC WinCC V8, the legacy OPC services OPC DA (Data Access), OPC HDA (Historical Data Access), and OPC AE (Alarms & Events) were enabled by default. These services were designed on top of the Windows ActiveX and DCOM mechanisms and do not implement state-of-the-art security mechanisms for authentication and encryption of content. Starting with WinCC V8.0, the legacy OPC services are no longer enabled by default in new installations. Siemens recommends using OPC UA instead and disabling the legacy OPC services. For deployments where the legacy OPC services are still in use, ensure that only trusted users are members of the SIMATIC HMI group.
Analysis Summary
# Vulnerability: Use of Obsolete Function Vulnerability in SIMATIC WinCC
## CVE Details
- **CVE ID:** CVE-2023-28829
- **CVSS Score:** 3.9 (Low) - `CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L`
- **CWE:** CWE-477 (Use of Obsolete Function)
## Affected Systems
- **Products:**
  - SIMATIC WinCC
  - SIMATIC NET PC Software (V14, V15)
  - SIMATIC PCS 7 (V8.2, V9.0, V9.1)
  - SINAUT Software ST7sc
- **Versions:**
  - SIMATIC WinCC: All versions prior to V8.0
  - Other listed products: All versions
- **Configurations:** Systems on which the legacy OPC services (OPC DA, OPC HDA, and OPC AE) are enabled, whether by default or manually.
## Vulnerability Description
Legacy OPC services (Data Access, Historical Data Access, and Alarms & Events) in affected versions were built using Windows ActiveX and DCOM mechanisms. These protocols are now considered obsolete as they lack contemporary security standards for robust authentication and data encryption. By default, versions of SIMATIC WinCC prior to V8.0 rely on these insecure communication methods, potentially exposing industrial data to unauthorized access or modification if the network is compromised.
## Exploitation
- **Status:** Proof-of-concept available (CVSS Exploit Code Maturity: Proof-of-Concept, E:P)
- **Complexity:** High (Requires specific environmental conditions and high privileges)
- **Attack Vector:** Adjacent (Requires access to the local or adjacent network)
## Impact
- **Confidentiality:** Low (Limited risk of unauthorized data disclosure)
- **Integrity:** Low (Limited risk of unauthorized data modification)
- **Availability:** Low (Limited risk of service disruption)
## Remediation
### Patches
- **SIMATIC WinCC:** Update to **V8.0** or later. In V8.0, legacy OPC services are disabled by default for new installations.
### Workarounds
- **Disable Legacy Services:** Manually disable OPC DA, OPC HDA, and OPC AE services.
- **Protocol Migration:** Transition from legacy OPC to **OPC UA**, which supports modern security and encryption.
- **Access Control (SIMATIC HMI group):** Ensure only highly trusted users are members of the "SIMATIC HMI" Windows group.
- **Access Control (SIMATIC NET):** For SIMATIC NET PC Software deployments, strictly limit the "SIMATIC Net" group to trusted personnel only.
## Detection
- **Indicators of Compromise:** Unusual DCOM/ActiveX traffic patterns on the network; unauthorized additions to the SIMATIC HMI or SIMATIC Net local user groups.
- **Detection methods and tools:** Audit active services to identify running `opcenum.exe` or specific legacy OPC server executables. Monitor network traffic for unencrypted OPC Classic communication on DCOM-related ports.
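As an added example (not part of the Siemens advisory or of this report), the following PowerShell script audits a single WinCC host along the lines of the access-control workarounds and the detection items above: it compares the members of the "SIMATIC HMI" and "SIMATIC Net" local groups against an allow-list, checks whether the OpcEnum service and legacy OPC server processes are present, and lists connections on TCP 135 (the RPC endpoint mapper, which is the first hop of any DCOM activation before the connection moves to a dynamically assigned port). The allow-list accounts, the `OpcEnum` service name, and the process-name pattern beyond `opcenum` are assumptions to adapt per site; the script only reads state and changes nothing.

```powershell
# Added example, not from the Siemens advisory: read-only audit of a WinCC host
# for the legacy-OPC exposure described in CVE-2023-28829.
#Requires -RunAsAdministrator

# Constructed allow-lists (assumption): replace with the accounts your site trusts.
$TrustedHmiMembers = @('WINCC-HOST\WinCCService', 'CORP\HMI-Operators')
$TrustedNetMembers = @('WINCC-HOST\WinCCService')

function Get-UntrustedGroupMembers {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $Trusted
    )
    # A missing group simply yields no members; "SIMATIC HMI" only exists where
    # WinCC is installed, so an empty result on a non-WinCC host is expected.
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($Trusted -notcontains $m.Name) {
            [pscustomobject]@{ Group = $GroupName; Member = $m.Name; Type = $m.ObjectClass }
        }
    }
}

function Get-LegacyOpcState {
    # OpcEnum is the OPC Foundation server-enumeration service that OPC Classic
    # clients query over DCOM; if it is installed and running, OPC DA/HDA/AE is
    # still being offered on this host. Service name 'OpcEnum' is an assumption.
    $svc = Get-Service -Name 'OpcEnum' -ErrorAction SilentlyContinue

    # 'opcenum' is named in the advisory; the remaining patterns are placeholders
    # for site-specific OPC Classic server executables (ProcessName has no .exe).
    $procs = Get-Process | Where-Object {
        $_.ProcessName -match '^(opcenum|.*opc(da|hda|ae)?server.*)$'
    }

    # DCOM activation starts at the RPC endpoint mapper on TCP 135, so a listener
    # there plus established sessions from non-local peers is the network-side
    # indicator to correlate with the unencrypted OPC Classic traffic noted above.
    $rpc = Get-NetTCPConnection -LocalPort 135 -ErrorAction SilentlyContinue
    $peers = $rpc |
        Where-Object { $_.State -eq 'Established' -and $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        Select-Object -ExpandProperty RemoteAddress -Unique

    [pscustomobject]@{
        OpcEnumInstalled = [bool]$svc
        OpcEnumRunning   = [bool]($svc -and $svc.Status -eq 'Running')
        OpcProcesses     = @($procs | Select-Object -ExpandProperty ProcessName)
        Rpc135Listening  = [bool]($rpc | Where-Object State -eq 'Listen')
        Rpc135Peers      = @($peers)
    }
}

# Run the audit and report findings.
$state = Get-LegacyOpcState
$state | Format-List

$untrusted = @(Get-UntrustedGroupMembers -GroupName 'SIMATIC HMI' -Trusted $TrustedHmiMembers) +
             @(Get-UntrustedGroupMembers -GroupName 'SIMATIC Net' -Trusted $TrustedNetMembers)

if ($untrusted.Count -gt 0) {
    Write-Warning 'Unexpected members in OPC-relevant local groups:'
    $untrusted | Format-Table -AutoSize
}
if ($state.OpcEnumRunning) {
    Write-Warning 'OpcEnum is running: legacy OPC (DCOM) services are still offered on this host.'
}
if ($state.Rpc135Peers.Count -gt 0) {
    Write-Warning ("Remote peers currently attached via the RPC endpoint mapper: " + ($state.Rpc135Peers -join ', '))
}
```

Running this on a schedule and diffing the output against a known-good baseline turns the two indicators from the Detection section (group membership changes and legacy OPC activity) into a concrete alert; on a host that has been migrated to OPC UA, the expected result is `OpcEnumInstalled = False`, an empty `OpcProcesses` list, and no untrusted group members.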
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-508677[.]pdf
- **Siemens Support Portal:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109816599/
- **Operational Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security