Full Report
Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: .NET BinaryFormatter Deserialization in Siemens Engineering Platforms
## CVE Details
- CVE ID: CVE-2023-32735
- CVSS Score: 6.5 (CVSS v3.1, Medium) / 7.0 (CVSS v4.0, High)
- CWE: CWE-502: Deserialization of Untrusted Data
## Affected Systems
- Products:
- Totally Integrated Automation Portal (TIA Portal) (Versions not specified, refer to vendor link)
- Totally Integrated Automation Portal (TIA Portal) V16
- SIMATIC STEP 7 Safety V16 (All versions < V16 Update 7)
- SIMATIC STEP 7 V16 (All versions < V16 Update 7)
- SIMATIC WinCC Unified V16 (All versions < V16 Update 7)
- SIMATIC WinCC V16 (All versions < V16.7)
- SIMOCODE ES V16 (All versions < V16 Update 7)
- SIMOTION SCOUT TIA V5.4 SP1 (All versions)
- SINAMICS Startdrive V16 (All versions)
- Soft Starter ES V16 (All versions < V16 Update 7)
- Versions: As listed above; fixed versions are given under Remediation.
- Configurations: The vulnerable code path deserializes user-controllable input, specifically hardware configuration profiles, with the .NET BinaryFormatter without restricting the types the serialized stream may instantiate.
## Vulnerability Description
The affected Siemens applications deserialize user-controllable input (such as hardware configuration profiles) with the **.NET BinaryFormatter** without restricting the types the serialized stream may name. BinaryFormatter instantiates whatever types the stream specifies and invokes their deserialization callbacks, so an attacker who can get the application to load a crafted profile can cause a **type confusion** and execute arbitrary code in the context of the affected application. Siemens identifies this as the same underlying weakness covered by Microsoft's code-analysis rule CA2300 ("Do not use insecure deserializer BinaryFormatter"); Microsoft's guidance is to stop using the class rather than to try to constrain it, because a type allow-list narrows but does not eliminate the risk.
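To make the weakness and the fix concrete, the loader below is an added illustration written for this summary; it is not Siemens code and does not reflect how the affected products are implemented. The `HardwareProfile` type, the `ProfileLoader` methods and the file layout are assumptions. It contrasts the unrestricted call CA2300 flags, a `SerializationBinder` allow-list as a stop-gap, and a type-free format (System.Text.Json) as the proper fix:

```csharp
// Added example, not Siemens code. HardwareProfile and the loader methods are
// assumptions for the illustration. Targets .NET 6+ (System.Text.Json stream
// overload); on .NET Framework add the System.Text.Json package.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public sealed class HardwareProfile
{
    public string DeviceName { get; set; } = "";
    public string OrderNumber { get; set; } = "";
    public string[] Modules { get; set; } = Array.Empty<string>();
}

// Allow-list binder: BinaryFormatter calls BindToType for every class record in
// the stream. Anything other than HardwareProfile is refused by throwing;
// returning null would make the formatter fall back to default type loading.
public sealed class HardwareProfileOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(HardwareProfile).FullName)
            return typeof(HardwareProfile);
        throw new SerializationException(
            "Refusing to deserialize type '" + typeName + "' from profile");
    }
}

public static class ProfileLoader
{
    // VULNERABLE (CWE-502, analyzer rule CA2300): the stream chooses the types.
    // Framework gadget types run code during deserialization, so a crafted
    // profile executes before the cast below is ever evaluated.
    public static HardwareProfile LoadUnrestricted(Stream profile)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete in .NET 5+
        var formatter = new BinaryFormatter();
        return (HardwareProfile)formatter.Deserialize(profile);
#pragma warning restore SYSLIB0011
    }

    // PARTIAL MITIGATION: same formatter, types restricted by the binder.
    // Microsoft's guidance is that a binder narrows but does not remove the
    // risk, so keep this only for legacy files that cannot be converted yet.
    public static HardwareProfile LoadRestricted(Stream profile)
    {
#pragma warning disable SYSLIB0011
        var formatter = new BinaryFormatter { Binder = new HardwareProfileOnlyBinder() };
        return (HardwareProfile)formatter.Deserialize(profile);
#pragma warning restore SYSLIB0011
    }

    // FIX: a format that carries no type information. System.Text.Json only
    // ever constructs HardwareProfile, whatever the file contains.
    public static HardwareProfile LoadJson(Stream profile)
    {
        return JsonSerializer.Deserialize<HardwareProfile>(profile)
               ?? throw new InvalidDataException("empty profile");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: a legitimate profile written with BinaryFormatter.
        // On .NET 8+ this needs EnableUnsafeBinaryFormatterSerialization=true in
        // the project; .NET 9 ships BinaryFormatter only as a separate package.
        var good = new HardwareProfile { DeviceName = "CPU 1515-2 PN", Modules = new[] { "DI 16x24VDC" } };
        var goodStream = new MemoryStream();
#pragma warning disable SYSLIB0011
        new BinaryFormatter().Serialize(goodStream, good);
        goodStream.Position = 0;
        Console.WriteLine("restricted load: " + ProfileLoader.LoadRestricted(goodStream).DeviceName);

        // A stream naming an unrelated type stands in for a crafted payload.
        var foreign = new MemoryStream();
        new BinaryFormatter().Serialize(foreign, new System.Collections.Hashtable { ["k"] = "v" });
#pragma warning restore SYSLIB0011
        foreign.Position = 0;
        try { ProfileLoader.LoadRestricted(foreign); }
        catch (SerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The point of the contrast: `LoadUnrestricted` is what "do not properly restrict the BinaryFormatter" looks like in code, `LoadRestricted` is the most a binder can do (and the binder must throw, not return null), and `LoadJson` is the only variant in which the file has no say over which types get constructed.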
## Exploitation
- Status: The advisory does not state that the vulnerability is exploited in the wild. The temporal metric E:P (Exploit Code Maturity: Proof-of-Concept) in the CVSS vector indicates that proof-of-concept code exists or is readily derivable; generic BinaryFormatter gadget chains are publicly documented, so the effort to weaponize a crafted profile is low.
- Complexity: Low (AC:L)
- Attack Vector: Local (AV:L), with user interaction required (UI:R). The attacker has to get a crafted file, such as a hardware configuration profile, onto the engineering workstation and have a user open it in the affected application.
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
## Remediation
### Patches
Siemens strongly recommends updating to the latest available versions. Specific updates mentioned resolve the vulnerability associated with CVE-2023-32735:
- **SIMATIC STEP 7 Safety V16 / STEP 7 V16 / WinCC Unified V16 / SIMOCODE ES V16 / Soft Starter ES V16:** Update to **V16 Update 7 or later**.
- **SIMATIC WinCC V16:** Update to **V16.7 or later**.
- **TIA Portal / TIA Portal V16:** Refer to the product-specific details on the Siemens advisory page for the latest fix version.
### Workarounds
For products where fixes are not yet available (specifically **SIMOTION SCOUT TIA V5.4 SP1** and **SINAMICS Startdrive V16**):
- Siemens recommends the countermeasures in the "Workarounds and Mitigations" section of the official advisory (not reproduced in this summary). In practice this means treating project and hardware configuration files as untrusted input: only open files from trusted sources, restrict who can place files where the engineering station will load them, and limit access to the engineering workstation itself.
## Detection
- Indicators of Compromise (IOCs): The advisory publishes no file hashes or network indicators. Because the trigger is a crafted file processed locally, the usable indicators are behavioural: a hardware configuration profile or project file received from an untrusted source, and the engineering application spawning child processes it would not normally start.
- Detection Methods and Tools: Monitor process-creation telemetry (Windows Security Event ID 4688 or Sysmon Event ID 1) for the affected engineering software spawning command interpreters or scripting hosts, and application event logs for crashes in deserialization routines, which can indicate failed exploitation attempts. Network monitoring is of limited value, since the initial trigger is a local file opened by a user rather than network traffic.
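As an added example of the process-creation check described above (written for this summary, not part of the advisory), the detector below scans Sysmon Event ID 1 records in Windows Event XML form for an engineering tool launching an interpreter. The process names in `EngineeringTools` and `Interpreters`, and the two sample records, are assumptions constructed for the illustration; verify the executable names against your own installations before deploying the rule.

```csharp
// Added example, not from the advisory. Process names and sample records are
// constructed assumptions. Feed it XML from EventRecord.ToXml() or Get-WinEvent.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class DeserializationSpawnDetector
{
    private static readonly XNamespace Ev = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Assumed process names of the affected engineering platforms.
    public static readonly HashSet<string> EngineeringTools = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "Siemens.Automation.Portal.exe",  // TIA Portal (assumption)
        "Scout.exe",                      // SIMOTION SCOUT (assumption)
    };

    // Children an engineering tool has no business launching.
    public static readonly HashSet<string> Interpreters = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
        "mshta.exe", "rundll32.exe", "regsvr32.exe",
    };

    public sealed class Finding
    {
        public string Parent = "";
        public string Child = "";
        public string CommandLine = "";
    }

    // One finding per Event ID 1 record whose ParentImage is an engineering
    // tool and whose Image is an interpreter.
    public static List<Finding> Scan(IEnumerable<string> sysmonEventXml)
    {
        var hits = new List<Finding>();
        foreach (var xml in sysmonEventXml)
        {
            var ev = XElement.Parse(xml);
            var id = (string)ev.Element(Ev + "System")?.Element(Ev + "EventID");
            if (id != "1") continue;

            var data = ev.Element(Ev + "EventData")?.Elements(Ev + "Data")
                .ToDictionary(d => (string)d.Attribute("Name"), d => d.Value)
                ?? new Dictionary<string, string>();
            data.TryGetValue("Image", out var image);
            data.TryGetValue("ParentImage", out var parent);
            data.TryGetValue("CommandLine", out var cmd);
            if (image == null || parent == null) continue;

            if (EngineeringTools.Contains(System.IO.Path.GetFileName(parent)) &&
                Interpreters.Contains(System.IO.Path.GetFileName(image)))
            {
                hits.Add(new Finding { Parent = parent, Child = image, CommandLine = cmd ?? "" });
            }
        }
        return hits;
    }

    public static void Main()
    {
        // Constructed Sysmon records (not real telemetry): one benign, one suspicious.
        string[] samples =
        {
            Record(1, @"C:\Program Files\Siemens\Automation\Portal V16\bin\Siemens.Automation.Portal.exe",
                      @"C:\Windows\explorer.exe", "Siemens.Automation.Portal.exe"),
            Record(1, @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      @"C:\Program Files\Siemens\Automation\Portal V16\bin\Siemens.Automation.Portal.exe",
                      "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"),
        };
        foreach (var f in Scan(samples))
            Console.WriteLine($"ALERT parent={f.Parent} child={f.Child} cmd={f.CommandLine}");
    }

    // Builds a minimal Sysmon ProcessCreate event in the Windows Event XML schema.
    private static string Record(int eventId, string image, string parentImage, string commandLine)
    {
        var e = new XElement(Ev + "Event",
            new XElement(Ev + "System", new XElement(Ev + "EventID", eventId)),
            new XElement(Ev + "EventData",
                new XElement(Ev + "Data", new XAttribute("Name", "Image"), image),
                new XElement(Ev + "Data", new XAttribute("Name", "ParentImage"), parentImage),
                new XElement(Ev + "Data", new XAttribute("Name", "CommandLine"), commandLine)));
        return e.ToString();
    }
}
```

Only the second sample produces a finding. The parent/child pairing is the useful signal here: a crafted profile executes inside the engineering process, so any interpreter it launches shows up with that process as its parent, whereas the same interpreter started by the user from Explorer does not match.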
## References
- Vendor Advisory: SSA-779936
- Siemens ProductCERT Portal: hXXps://www [dot] siemens [dot] com/cert/advisories