Full Report
The Administration Console of SIMATIC PCS neo leaks Windows admin credentials. An attacker with local Windows access to the Administration Console could obtain the credentials and impersonate the admin user, thereby gaining admin access to other Windows systems. Siemens has released a security patch for the affected products and recommends installing it.
Analysis Summary
# Vulnerability: Sensitive Information Disclosure in SIMATIC PCS neo Administration Console
## CVE Details
- **CVE ID:** CVE-2023-38558
- **CVSS Score:** 5.5 (Medium)
- **CVSS Vector:** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- **CWE:** CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
## Affected Systems
- **Products:** SIMATIC PCS neo (Administration Console)
- **Versions:**
  - V4.0 (All versions)
  - V4.0 Update 1 (All versions)
- **Configurations:** Systems utilizing the Administration Console for remote deployment of AC Agents.
## Vulnerability Description
The SIMATIC PCS neo Administration Console improperly handles sensitive data, leading to the leakage of Windows administrator credentials. The vulnerability resides in how the application stores or transmits credentials during administrative tasks, such as remote agent deployment. An attacker with local access to the Administration Console can extract these credentials from the filesystem or memory.
## Exploitation
- **Status:** PoC available (indicated by CVSS Exploit Code Maturity: "Proof-of-Concept")
- **Complexity:** Low
- **Attack Vector:** Local (Requires local Windows access to the Administration Console)
## Impact
- **Confidentiality:** High (Leakage of administrative credentials)
- **Integrity:** None (Directly from the flaw, though compromised credentials can lead to integrity loss via impersonation)
- **Availability:** None (Directly from the flaw)
- **Downstream Impact:** An attacker can impersonate the admin user to gain unauthorized administrative access to other linked Windows systems within the network.
## Remediation
### Patches
Siemens recommends installing **Security Patch 01** for the affected versions:
- [https://support.industry.siemens.com/cs/ww/en/view/109824065/](https://support.industry.siemens.com/cs/ww/en/view/109824065/)
### Workarounds
If patching is not immediately possible, implement the following:
- **Credential Rotation:** Change the passwords of Windows accounts previously used for the remote deployment of AC Agents.
- **Restrict Deployment:** Avoid using the "remotely deploy AC Agents" feature until the patch is applied.
- **Access Control:** Restrict local access to the Windows host running the Administration Console to trusted personnel only.
## Detection
- **Indicators of Compromise:** Unusual administrative logins originating from the Administration Console host to other systems on the network.
- **Detection Methods:** Monitor for unauthorized access to the log and configuration files of the SIMATIC PCS neo Administration Console. Use EDR/SIEM tools to audit use of the Windows accounts associated with AC Agent deployment, in particular remote logons to hosts that are not expected AC Agent targets.
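The following is an added example of the account-usage audit described above, not code from Siemens or from the original advisory. It applies the "unusual administrative logins originating from the Administration Console host" indicator to Windows Security logon records (Event ID 4624), flagging remote logons sourced from the console host that either use the deployment account against a host outside its expected AC Agent targets or use any other account at all. The console IP address, the account name `svc_acdeploy`, the host names and the sample events are all constructed for the example; in practice they come from your SIEM and asset inventory.

```python
"""Hunt Windows Security logon events for lateral use of AC Agent deployment credentials.

Constructed assumptions (not from the advisory): the Administration Console host
is 10.0.0.5, the Windows account used for remote AC Agent deployment is
'svc_acdeploy', and the hosts that legitimately receive AC Agents are listed in
ALLOWED_TARGETS. Event records mimic the fields of Windows Security Event ID 4624.
"""
from dataclasses import dataclass

CONSOLE_IPS = {"10.0.0.5"}                 # constructed: IP(s) of the Administration Console host
DEPLOYMENT_ACCOUNTS = {"svc_acdeploy"}     # constructed: account(s) used for remote AC Agent deployment
ALLOWED_TARGETS = {                        # constructed: hosts each deployment account may log on to
    "svc_acdeploy": {"PCSNEO-ES01", "PCSNEO-OS01"},
}
# Logon types that mean a credential was used over the network:
# 3 = Network (SMB/WMI/remote service install), 10 = RemoteInteractive (RDP)
REMOTE_LOGON_TYPES = {3, 10}


@dataclass(frozen=True)
class Alert:
    computer: str      # host that recorded the logon (the target of the lateral movement)
    user: str
    logon_type: int
    source_ip: str
    reason: str


def find_suspicious_logons(events, console_ips=CONSOLE_IPS,
                           deployment_accounts=DEPLOYMENT_ACCOUNTS,
                           allowed_targets=ALLOWED_TARGETS):
    """Return Alerts for remote logons sourced from the Administration Console host.

    Rule 1: the deployment account logging on to a host that is not an expected
            AC Agent target (stolen deployment credential reused elsewhere).
    Rule 2: any other account logging on remotely from the console host
            (the console is not expected to be an interactive admin workstation).
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4624:           # only successful logons
            continue
        logon_type = int(ev.get("LogonType", 0))
        if logon_type not in REMOTE_LOGON_TYPES:  # ignore console/local logons
            continue
        source_ip = ev.get("IpAddress", "")
        if source_ip not in console_ips:        # only logons that originate at the console host
            continue
        user = ev.get("TargetUserName", "").lower()
        computer = ev.get("Computer", "")
        if user in deployment_accounts:
            if computer not in allowed_targets.get(user, set()):
                alerts.append(Alert(computer, user, logon_type, source_ip,
                                    "deployment account used against a host outside "
                                    "the expected AC Agent targets"))
        else:
            alerts.append(Alert(computer, user, logon_type, source_ip,
                                "non-deployment account logged on remotely from the "
                                "Administration Console host; review"))
    return alerts


# Constructed sample telemetry, in the field layout a SIEM exports for Event ID 4624/4625.
SAMPLE_EVENTS = [
    # expected: deployment account pushing an AC Agent to a known target
    {"EventID": 4624, "Computer": "PCSNEO-ES01", "TargetUserName": "svc_acdeploy", "LogonType": 3, "IpAddress": "10.0.0.5"},
    # suspicious: same credential used against a file server that never receives AC Agents
    {"EventID": 4624, "Computer": "FILESRV01", "TargetUserName": "svc_acdeploy", "LogonType": 3, "IpAddress": "10.0.0.5"},
    # suspicious: RDP to a domain controller as Administrator from the console host
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "Administrator", "LogonType": 10, "IpAddress": "10.0.0.5"},
    # benign: local interactive logon on an operator station
    {"EventID": 4624, "Computer": "PCSNEO-OS01", "TargetUserName": "operator1", "LogonType": 2, "IpAddress": "-"},
    # failed logon: not a successful lateral movement, so not alerted by this rule
    {"EventID": 4625, "Computer": "FILESRV01", "TargetUserName": "svc_acdeploy", "LogonType": 3, "IpAddress": "10.0.0.5"},
    # benign: remote logon from a different source host
    {"EventID": 4624, "Computer": "FILESRV01", "TargetUserName": "backup_svc", "LogonType": 3, "IpAddress": "10.0.0.9"},
]


if __name__ == "__main__":
    for alert in find_suspicious_logons(SAMPLE_EVENTS):
        print(f"[ALERT] {alert.user}@{alert.computer} type={alert.logon_type} "
              f"from={alert.source_ip}: {alert.reason}")
```

Running the block on the constructed sample prints two alerts: the deployment account reaching FILESRV01 and the Administrator RDP session to DC01. Failed logons (4625) are deliberately left out of this rule so that it reports credential reuse that actually succeeded; a separate rule on repeated 4625 events from the console host would cover the guessing case.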
## References
- **Vendor Advisory:** [https://cert-portal.siemens.com/productcert/pdf/ssa-646240.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-646240.pdf)
- **Siemens Industrial Security Guidelines:** [https://www.siemens.com/cert/operational-guidelines-industrial-security](https://www.siemens.com/cert/operational-guidelines-industrial-security)