Full Report
Affected products do not properly restrict access permissions to a local Windows Named Pipe and do not properly sanitize user-controllable input sent to that Named Pipe. This could allow a local authenticated attacker to cause a type confusion and execute arbitrary code within the affected application and with its privileges. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Deserialization and Type Confusion in Siemens Engineering Platforms
## CVE Details
- **CVE ID:** CVE-2024-54678
- **CVSS Score:** 8.2 (High) [v3.1] / 8.6 (High) [v4.0]
- **CWE:** CWE-502: Deserialization of Untrusted Data
## Affected Systems
- **Products:**
  - SIMATIC PCS neo (V4.1, V5.0, V6.0)
  - SIMATIC S7-PLCSIM V17
  - Totally Integrated Automation Portal (TIA Portal) V17
  - SIMATIC STEP 7 V17
  - SIMATIC WinCC V17
  - SIMOCODE ES V17
  - SIMOTION SCOUT TIA V5.4
  - SINAMICS Startdrive V17
  - SIRIUS Safety ES V17
- **Versions:**
  - STEP 7 and WinCC: All versions < V17 Update 9
  - PCS neo and others: All versions listed above (see Remediation for specifics)
- **Configurations:** Systems utilizing Windows Named Pipes for Interprocess Communication (IPC).
## Vulnerability Description
Affected Siemens products fail to properly restrict access permissions on local Windows Named Pipes and do not sanitize user-controllable input sent through these pipes. Specifically, the application improperly handles the deserialization of data received via IPC. A local authenticated attacker can exploit this by sending crafted input to the Named Pipe, leading to a type confusion. Success allows for arbitrary code execution with the privileges of the affected application.
## Exploitation
- **Status:** Not exploited (publicly available information does not indicate active exploitation or PoC)
- **Complexity:** Low
- **Attack Vector:** Local (Requires local authentication and user interaction/UI:R)
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- **SIMATIC STEP 7 V17:** Update to V17 Update 9 or later.
- **SIMATIC WinCC V17:** Update to V17 Update 9 or later.
- **TIA Portal V20:** Fix versions available (per advisory history).
- **Other V17 Products:** Check Siemens Industry Online Support for specific update packages.
### Workarounds
- For **PCS neo (V4.1, V5.0, V6.0)** and **S7-PLCSIM V17**: No fix is currently planned or available.
- **General Mitigations:**
  - Restrict physical and interactive local access to engineering workstations to trusted personnel only.
  - Implement the "Least Privilege" principle for all local user accounts.
  - Follow Siemens' general security recommendations for protecting industrial environments.
## Detection
- **Indicators of Compromise:** Monitor for unusual processes spawning from Siemens engineering software or unauthorized connections/data being sent to local Named Pipes.
- **Detection methods and tools:** Use Windows Event Logs or Endpoint Detection and Response (EDR) tools to audit Named Pipe creation and access (Event ID 17 and 18 in Sysmon).
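The Sysmon-based detection described above, written out as an added example (not part of the Siemens advisory): Event ID 17 records which process created a pipe, Event ID 18 records which process connected to it, so correlating the two lets you flag clients of engineering-software pipes that are not on an allow-list. The process images, pipe names and event records below are constructed placeholders; the advisory names neither the pipes nor the binaries involved.

```python
"""Correlate Sysmon PipeEvent records (ID 17 = pipe created, ID 18 = pipe connected)
and flag unexpected clients of pipes owned by engineering-server processes."""
import xml.etree.ElementTree as ET

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": SYSMON_NS}

# Hypothetical placeholders: substitute the real engineering-tool images on your hosts.
SERVER = r"C:\Program Files\ExampleVendor\Engineering\Server.exe"
CLIENT = r"C:\Program Files\ExampleVendor\Engineering\Client.exe"
SERVER_IMAGES = {SERVER}            # processes whose pipes we care about (from Event 17)
ALLOWED_CLIENTS = {SERVER, CLIENT}  # processes allowed to connect to them (Event 18)

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def find_suspicious_pipe_clients(events):
    """Return (pipe, client image, time) for every Event 18 whose pipe was created by
    an engineering-server process but whose connecting client is not allow-listed."""
    owned = {}   # pipe name -> creating image, learned from Event 17
    hits = []
    for ev in events:
        eid, d = parse_event(ev)
        pipe = d.get("PipeName", "")
        if eid == 17 and d.get("Image") in SERVER_IMAGES:
            owned[pipe] = d["Image"]
        elif eid == 18 and pipe in owned and d.get("Image") not in ALLOWED_CLIENTS:
            hits.append((pipe, d.get("Image", ""), d.get("UtcTime", "")))
    return hits

def sysmon_event(event_id, event_type, pipe, image, utc="2024-12-10 10:00:00.000"):
    """Build a minimal Sysmon PipeEvent record (constructed test data, not a real log)."""
    return (f'<Event xmlns="{SYSMON_NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="EventType">{event_type}</Data>'
            f'<Data Name="UtcTime">{utc}</Data><Data Name="PipeName">{pipe}</Data>'
            f'<Data Name="Image">{image}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed: one legitimate client, one unknown client, one unrelated pipe
    sysmon_event(17, "CreatePipe", r"\EngineeringIpc", SERVER),
    sysmon_event(18, "ConnectPipe", r"\EngineeringIpc", CLIENT),
    sysmon_event(18, "ConnectPipe", r"\EngineeringIpc", r"C:\Users\op\Downloads\tool.exe"),
    sysmon_event(17, "CreatePipe", r"\OtherServicePipe", r"C:\Windows\System32\svchost.exe"),
    sysmon_event(18, "ConnectPipe", r"\OtherServicePipe", r"C:\Users\op\Downloads\tool.exe"),
]

if __name__ == "__main__":
    for pipe, image, when in find_suspicious_pipe_clients(SAMPLE_EVENTS):
        print(f"{when} unexpected client {image} connected to {pipe}")
```

Only the connection to the engineering-owned pipe from the unknown image is reported; the same image connecting to an unrelated svchost pipe is ignored, which keeps the rule scoped to the IPC channel this advisory concerns.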
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-693808.pdf
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories
- **Download Link (Update 9):** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109784441/