Full Report
A vulnerability was identified in OPC Foundation Local Discovery Server, which also affects Siemens products, that could allow an attacker to escalate privileges under certain circumstances. Siemens has released new versions for several affected products and recommends updating to the latest versions. For products where fixes are not available or not yet available, Siemens recommends specific countermeasures.
Analysis Summary
# Vulnerability: Privilege Escalation in Siemens Products via OPC Foundation Local Discovery Server (LDS)
## CVE Details
- CVE ID: CVE-2022-44725
- CVSS Score: 7.8 (High)
- CWE: CWE-20: Improper Input Validation
## Affected Systems
- Products:
  - OpenPCS 7
  - SIMATIC NET PC Software
  - SIMATIC Process Historian 2020 OPC UA Server
  - SIMATIC Process Historian 2022 OPC UA Server (in context of SIMATIC PCS neo)
  - SIMATIC WinCC
  - SIMATIC WinCC Runtime Professional
  - TeleControl Server Basic (Addressed in V1.4 update)
- Versions:
  - OpenPCS 7 V9.1: All versions affected. (No fix planned)
  - SIMATIC NET PC Software V14, V15: All versions affected. (No fix planned)
  - SIMATIC NET PC Software V16: All versions < V16 Update 8.
  - SIMATIC NET PC Software V17: All versions < V17 SP1 Update 1.
  - SIMATIC NET PC Software V18: All versions < V18 Update 1.
  - SIMATIC Process Historian 2020 OPC UA Server: All versions affected. (No fix planned)
  - SIMATIC Process Historian 2022 OPC UA Server: All versions < V2022 SP1 (when used in context of SIMATIC PCS neo).
  - SIMATIC WinCC: All versions < V8.0.
  - SIMATIC WinCC Runtime Professional: Specific vulnerable versions were addressed in Update V1.2.
- Configurations: Vulnerability arises when the OPC Foundation LDS component, running as a high-privilege user, loads a configuration file located at a hard-coded path.
## Vulnerability Description
The OPC Foundation Local Discovery Server (LDS) component, integrated into various Siemens products, utilizes a hard-coded file path to access a configuration file. This flaw allows a local, low-privileged attacker to create a malicious file in that specific path. When the LDS service executes (running with elevated privileges), it subsequently loads this malicious file, leading to potential privilege escalation.
## Exploitation
- Status: PoC available (implied by the nature of the flaw and the CVE severity; exploitation in the wild is not confirmed in this text).
- Complexity: Low (Requires local access to create the file on a high-privilege path).
- Attack Vector: Local (AV:L)
## Impact
The CVSS vector `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` indicates:
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
Users should update to the specified versions or later to mitigate CVE-2022-44725:
- **SIMATIC NET PC Software V16:** Update to V16 Update 8 or later.
- **SIMATIC NET PC Software V17:** Update to V17 SP1 Update 1 or later.
- **SIMATIC NET PC Software V18:** Update to V18 Update 1 or later.
- **SIMATIC Process Historian 2022 OPC UA Server:** Update to SIMATIC PCS neo V4.1 or later (for this specific context).
- **SIMATIC WinCC:** Update to V8.0 or later.
**Note:** For OpenPCS 7 V9.1, SIMATIC NET PC Software V14/V15, and SIMATIC Process Historian 2020 OPC UA Server, Siemens currently states **no fix is planned**.
### Workarounds
Siemens recommends specific countermeasures for products where fixes are not available or not yet released. Refer to the "Workarounds and Mitigations" section of the vendor advisory for the details; the summary extract does not reproduce them, but mitigation advice exists.
## Detection
- Indicators of compromise would likely involve unauthorized file creation within system directories from which the LDS process loads files.
- Detection would rely on file integrity monitoring of the system directories from which services running with elevated privileges are expected to load configuration files, alerting on any file created or modified there by an account other than the service or its installer.
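As an added example (not code from the Siemens advisory or from the OPC Foundation LDS project), the following Python script shows the file-integrity check described in the Detection section above: it takes a hash baseline of the files in a directory that a privileged service loads its configuration from, then reports any file created, modified or deleted there. The directory, file names and contents are constructed for the demonstration, and a temporary directory stands in for the hard-coded LDS path, which this page does not state.

```python
# Added example (not from the Siemens advisory or the OPC Foundation LDS project):
# a minimal file-integrity baseline/compare for a directory that a privileged
# service reads its configuration from. The directory layout, file names and
# contents below are constructed for the demonstration; the real hard-coded LDS
# path is not given on this page, so a temporary directory stands in for it.
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    """Return the hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (as a relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = _sha256(full)
    return baseline


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Report files created, modified or deleted relative to the baseline.

    A 'created' entry in a directory that only the service or its installer
    should write to is the indicator the Detection section describes.
    """
    current = build_baseline(root)
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Baseline a constructed config directory, then re-check after changes."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: one legitimate service configuration file.
        cfg = os.path.join(root, "service.config.xml")
        with open(cfg, "w", encoding="utf-8") as f:
            f.write("<Configuration><Endpoint>opc.tcp://localhost</Endpoint></Configuration>\n")
        baseline = build_baseline(root)

        # Simulated finding: a new file appears in the monitored directory and
        # the existing configuration file is altered. Both must be reported.
        with open(os.path.join(root, "unexpected.config.xml"), "w", encoding="utf-8") as f:
            f.write("<Configuration/>\n")
        with open(cfg, "a", encoding="utf-8") as f:
            f.write("<!-- changed -->\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be taken immediately after installing or updating the product, stored outside the monitored directory, and compared on a schedule or from an access-audit trigger; the comparison here is deliberately content-based (hash) rather than timestamp-based so that a file rewritten with its original timestamp is still caught.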
## References
- Vendor Advisories: SSA-691715
- Relevant Links:
- Siemens Security Advisory Portal: hxxps://www.siemens.com/cert/advisories
- Siemens Terms of Use: hxxps://www.siemens.com/productcert/terms-of-use