Full Report
TIA Project-Server, formerly known as TIA Multiuser Server, contains an untrusted search path vulnerability that could allow an attacker to escalate privileges by tricking a legitimate user into starting the service from an attacker-controlled path. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available.
Analysis Summary
# Vulnerability: Untrusted Search Path in TIA Project-Server/Multiuser Server
## CVE Details
- CVE ID: CVE-2022-35868
- CVSS Score: 6.7 (Medium)
- CWE: CWE-426: Untrusted Search Path
## Affected Systems
- Products: TIA Multiuser Server, TIA Project-Server
- Versions:
  - TIA Multiuser Server V14 (All versions)
  - TIA Multiuser Server V15 (All versions < V15.1 Update 8)
  - TIA Project-Server (All versions < V1.1)
  - TIA Project-Server V16 (All versions)
  - TIA Project-Server V17 (All versions < V17 Update 6)
- Configurations: The vulnerability requires tricking a legitimate user into starting the service from an attacker-controlled path.
## Vulnerability Description
The affected versions of TIA Project-Server (formerly TIA Multiuser Server) contain an untrusted search path vulnerability. This flaw could allow a local attacker to gain elevated privileges if they can successfully trick a legitimate, authorized user into starting the service while the current working directory is controlled by the attacker.
## Exploitation
- Status: PoC available (Implied by the CVSS vector E:P - Proof of Concept)
- Complexity: High (AC:H - Attack Complexity High, combined with UI:R - User Interaction Required)
- Attack Vector: Local
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
## Remediation
### Patches
- **TIA Multiuser Server V15:** Update to V15.1 Update 8 or later.
- **TIA Project-Server (General):** Update to V1.1 or later.
- **TIA Project-Server V17:** Update to V17 Update 6 or later.
- **TIA Project-Server V16 & TIA Multiuser Server V14:** Currently, no fix is planned. Users must migrate to a newer version (TIA Project-Server V1.1 or later recommended).
### Workarounds
1. **Working Directory Control:** Ensure that the directory set as the working directory when starting the TIA Project-Server or TIA Multiuser Server does not contain untrusted files (i.e., files placed by an attacker).
2. **Migration:** For products without an immediate patch (V14, V16), migrate to TIA Project-Server V1.1 or a later version.
3. **General Security:** Protect network access to devices using appropriate mechanisms and configure the environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Unusual process execution originating from user-controlled directories when launching TIA Project-Server or TIA Multiuser Server.
- **Detection Methods and Tools:** Monitor system activity for processes initiating the server components from paths that are writable or controllable by lower-privileged users. General endpoint detection and response (EDR) tools can monitor spawned processes.
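
One way to implement the monitoring described above, as an added example that is not part of the Siemens advisory or of this report: it filters process-creation events (field names follow Sysmon Event ID 1) for starts of the server whose working directory lies outside an allow-list. The executable name, the install path and the sample events are constructed placeholders.

```python
import ntpath  # Windows path rules, usable on any analysis host

# Assumptions, not taken from the advisory: replace with the real executable
# name and install directory of the server in your environment.
SERVER_IMAGES = {"server-placeholder.exe"}
TRUSTED_DIRS = [r"C:\Program Files\Vendor\Server", r"C:\Windows\System32"]

def _norm(path):
    # Resolve "..", unify separators and case before any comparison.
    return ntpath.normcase(ntpath.normpath(path))

def is_trusted_dir(cwd):
    """True if cwd is one of TRUSTED_DIRS or a subdirectory of one."""
    cwd = _norm(cwd)
    return any(cwd == b or cwd.startswith(b + "\\")
               for b in map(_norm, TRUSTED_DIRS))

def flag_untrusted_starts(events):
    """Return server start events whose working directory is not trusted."""
    return [ev for ev in events
            if ntpath.basename(ev["Image"]).lower() in SERVER_IMAGES
            and not is_trusted_dir(ev["CurrentDirectory"])]

# Constructed sample events; field names follow Sysmon Event ID 1.
_SRV = r"C:\Program Files\Vendor\Server\server-placeholder.exe"
SAMPLE_EVENTS = [
    {"RecordID": 1, "Image": _SRV, "CurrentDirectory": "C:\\Windows\\System32\\"},
    {"RecordID": 2, "Image": _SRV, "CurrentDirectory": "C:\\Users\\Public\\Downloads\\"},
    # Looks trusted by prefix, but ".." resolves to a user directory.
    {"RecordID": 3, "Image": _SRV,
     "CurrentDirectory": r"C:\Program Files\Vendor\Server\..\..\..\Users\eng\Desktop"},
    # Different program: out of scope for this rule.
    {"RecordID": 4, "Image": r"C:\Windows\notepad.exe",
     "CurrentDirectory": "C:\\Users\\Public\\Downloads\\"},
    # Sibling directory sharing a name prefix with a trusted one.
    {"RecordID": 5, "Image": _SRV,
     "CurrentDirectory": r"C:\Program Files\Vendor\ServerBackup"},
]

if __name__ == "__main__":
    for ev in flag_untrusted_starts(SAMPLE_EVENTS):
        print(ev["RecordID"], ev["CurrentDirectory"])
```

The allow-list is a simplification of "writable or controllable by lower-privileged users"; checking the directory ACLs on the host itself is the stricter test.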
## References
- Siemens Advisory SSA-640968: hxxps://cert-portal.siemens.com/productcert/html/ssa-640968.html
- TIA Portal V15 Update Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109763893/
- TIA Project-Server V1.1 Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109810588/
- TIA Project-Server V17 Update Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109800915/
- General Operational Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security