Full Report
A vulnerability in the login dialog box of SIMATIC WinCC could allow a local attacker to cause a denial of service condition in the runtime of the SCADA system. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Denial of Service in SIMATIC WinCC Login Dialog
## CVE Details
- CVE ID: CVE-2023-50821
- CVSS Score: 6.2 (Medium) under CVSS v3.1 / 6.9 (Medium) under CVSS v4.0
- CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
## Affected Systems
- Products:
  - SIMATIC PCS 7
  - SIMATIC WinCC Runtime Professional
  - SIMATIC WinCC V7/V8
- Versions:
  - **SIMATIC PCS 7 V9.1:** All versions < V9.1 SP2 UC04
  - **SIMATIC WinCC Runtime Professional V17:** All versions < V17 Update 8
  - **SIMATIC WinCC Runtime Professional V18:** All versions < V18 Update 4
  - **SIMATIC WinCC Runtime Professional V19:** All versions < V19 Update 1
  - **SIMATIC WinCC V7.5:** All versions < V7.5 SP2 Update 16
  - **SIMATIC WinCC V8.0:** All versions < V8.0 Update 5
- Configurations: Affected components utilize the vulnerable login dialog box logic.
## Vulnerability Description
The vulnerability resides in the input validation of the login dialog box of the affected SIMATIC SCADA/HMI products. A local attacker can trigger it by supplying input that is not properly validated; the advisory classifies the weakness as a Buffer Copy without Checking Size of Input (CWE-120), and the result is a crash of the runtime environment.
## Exploitation
- Status: Not stated as exploited in the wild; the advisory's vector (AV:L) implies exploitability only by an attacker with local access.
- Complexity: Low (AC:L)
- Attack Vector: Local
## Impact
- Confidentiality: No Impact (C:N)
- Integrity: No Impact (I:N)
- Availability: High Impact (A:H) - Causes a persistent denial of service condition in the SCADA/HMI runtime.
## Remediation
### Patches
Siemens recommends updating to the following minimum versions or later:
- **SIMATIC PCS 7 V9.1:** Update to V9.1 SP2 UC04 or later.
- **SIMATIC WinCC Runtime Professional V17:** Update to V17 Update 8 or later.
- **SIMATIC WinCC Runtime Professional V18:** Update to V18 Update 4 or later.
- **SIMATIC WinCC Runtime Professional V19:** Update to V19 Update 1 or later.
- **SIMATIC WinCC V7.5:** Update to V7.5 SP2 Update 16 or later.
- **SIMATIC WinCC V8.0:** Update to V8.0 Update 5 or later.
### Workarounds
1. Activate **SIMATIC Logon** in the User Administrator of the SIMATIC PCS 7 Operator Stations.
2. Follow General Security Recommendations provided by Siemens.
## Detection
- **Indicators of Compromise:** System crashes or unexpected termination of the WinCC runtime process, specifically when accessed via the login interface context.
- **Detection Methods and Tools:** Monitor system logs for repeated application crashes associated with the WinCC runtime service. Network monitoring is not primarily relevant as the attack vector is local (AV:L).
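The log-based detection above can be automated. The following script is an added example written for this summary, not code from Siemens or the advisory: it scans exported Windows Application-log records for Event ID 1000 ("Application Error") entries and alerts when a watched runtime executable crashes repeatedly within a short window. The executable name, the export format and the sample records are assumptions and must be adapted to the actual WinCC station.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumption: placeholder for the WinCC runtime executable name on the station.
# Replace with the process name actually observed on your PCS 7 / WinCC host.
WATCHED_PROCESSES = {"wincc_runtime_placeholder.exe"}

# Constructed sample export: "<ISO timestamp>\t<EventID>\t<Provider>\t<Message>".
SAMPLE_LOG = """\
2024-05-02T08:00:01\t1000\tApplication Error\tFaulting application name: wincc_runtime_placeholder.exe, version: 1.0.0.0, time stamp: 0x0
2024-05-02T08:00:40\t1000\tApplication Error\tFaulting application name: notepad.exe, version: 10.0.0.0, time stamp: 0x0
2024-05-02T08:01:15\t1000\tApplication Error\tFaulting application name: wincc_runtime_placeholder.exe, version: 1.0.0.0, time stamp: 0x0
2024-05-02T08:02:30\t1000\tApplication Error\tFaulting application name: wincc_runtime_placeholder.exe, version: 1.0.0.0, time stamp: 0x0
2024-05-02T09:30:00\t1000\tApplication Error\tFaulting application name: wincc_runtime_placeholder.exe, version: 1.0.0.0, time stamp: 0x0
"""

FAULTING_APP = re.compile(r"Faulting application name:\s*([^,]+),")

def parse_crash(line):
    """Return (timestamp, process) for an Event ID 1000 record, else None."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4 or parts[1] != "1000":
        return None
    match = FAULTING_APP.search(parts[3])
    if not match:
        return None
    return datetime.fromisoformat(parts[0]), match.group(1).strip().lower()

def find_crash_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Sliding window per process: emit (process, first_ts, last_ts) whenever
    `threshold` crashes of a watched process fall within `window`."""
    recent = {}   # process -> deque of crash timestamps inside the window
    alerts = []
    for line in lines:
        parsed = parse_crash(line)
        if parsed is None or parsed[1] not in WATCHED_PROCESSES:
            continue
        ts, proc = parsed
        queue = recent.setdefault(proc, deque())
        queue.append(ts)
        while queue and ts - queue[0] > window:   # drop crashes outside the window
            queue.popleft()
        if len(queue) >= threshold:
            alerts.append((proc, queue[0], ts))
            queue.clear()   # start counting a new burst after alerting
    return alerts

if __name__ == "__main__":
    for proc, first, last in find_crash_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {proc} crashed repeatedly between {first} and {last}")
```

A single crash is normal operational noise; the burst threshold is what separates the DoS pattern described in this advisory from an isolated fault, and it should be tuned to the station's baseline.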
## References
- Vendor Advisory: SSA-730482
- Patch Link (Example for WinCC V7.5): hXXps://support.industry.siemens.com/cs/ww/en/view/109793460/
- General Security Guidelines: hXXps://www.siemens.com/cert/operational-guidelines-industrial-security