Full Report
Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. Siemens has released a new version for SIMATIC STEP 7 (TIA Portal) V18 and recommends updating to the latest version. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: .NET BinaryFormatter Deserialization in Siemens TIA Portal/PCS neo
## CVE Details
- CVE ID: CVE-2022-45147 (the advisory references this CVE as the underlying issue affecting several of the listed products)
- CVSS Score: 7.8 (CVSS v3.1) / 8.5 (CVSS v4.0) (High)
- CWE: CWE-502: Deserialization of Untrusted Data
## Affected Systems
- Products:
  - SIMATIC PCS neo
  - Totally Integrated Automation Portal (TIA Portal)
  - SIMATIC STEP 7 (V16, V17, V18)
- Versions:
  - SIMATIC STEP 7 (TIA Portal) V18: Versions before V18 Update 2
  - SIMATIC PCS neo V4.0: All versions (affected by CVE-2022-45147, no fix planned)
  - SIMATIC STEP 7 V16: All versions (affected by CVE-2022-45147, no fix planned)
  - TIA Portal V16: Affected (no fix planned)
  - SIMATIC STEP 7 V17: All versions (affected by CVE-2022-45147, no fix planned)
  - TIA Portal V17: Affected (no fix planned)
  - SIMATIC STEP 7 V18: All versions < V18 Update 2 (affected by CVE-2022-45147)
  - TIA Portal V18: Affected versions prior to V18 Update 2
## Vulnerability Description
Affected Siemens applications improperly restrict the functionality of the .NET `BinaryFormatter` when it is used to deserialize data originating from user-controllable input. This lack of restriction allows an attacker to supply malicious serialized data, leading to type confusion during the deserialization process. Successful exploitation can result in the execution of arbitrary code with the privileges of the affected application. This vulnerability is related to the well-known issue affecting the .NET BinaryFormatter.
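To make the CWE-502 pattern concrete, the following added C# example (not Siemens code, and not taken from the advisory) shows a loader that hands an untrusted stream straight to `BinaryFormatter`, beside a hardened variant that installs a `SerializationBinder` allow-list so that only the one expected type can ever be resolved. The `ProjectSettings` class, the loader names and the .NET Framework target are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed record type standing in for a project/settings file a desktop tool persists.
[Serializable]
public sealed class ProjectSettings
{
    public string Name = "";
    public int RevisionCount;
}

// Weak pattern (CWE-502): BinaryFormatter instantiates whatever type the stream names,
// so the file author, not the application, decides which types get constructed.
public static class UnsafeLoader
{
    public static ProjectSettings Load(Stream untrusted) =>
        (ProjectSettings)new BinaryFormatter().Deserialize(untrusted);
}

// Hardened pattern: the binder is consulted for every type named in the stream and
// refuses anything outside the allow-list before an instance is created.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(ProjectSettings) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName) return t;
        throw new SerializationException(
            $"Refusing unexpected type '{typeName}' from '{assemblyName}'");
    }
}

public static class SaferLoader
{
    public static ProjectSettings Load(Stream untrusted) =>
        (ProjectSettings)new BinaryFormatter { Binder = new AllowListBinder() }.Deserialize(untrusted);

    // Demonstration: a legitimate file loads, a file naming any other type is rejected.
    public static void Main()
    {
        var ok = new MemoryStream();
        new BinaryFormatter().Serialize(ok, new ProjectSettings { Name = "demo", RevisionCount = 3 });
        ok.Position = 0;
        Console.WriteLine(Load(ok).Name);                       // demo

        var other = new MemoryStream();
        new BinaryFormatter().Serialize(other, new List<int> { 1 });
        other.Position = 0;
        try { Load(other); } catch (SerializationException e) { Console.WriteLine(e.Message); }
    }
}
```

A binder allow-list narrows the attack surface but Microsoft's own guidance is that `BinaryFormatter` cannot be made fully safe, so the durable fix is to replace it with a serializer that does not embed type names in the payload.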
## Exploitation
- Status: PoC available (the advisory's vector carries the `E:P` indicator for the underlying CVE, indicating that proof-of-concept code exists for this general class of flaw)
- Complexity: Low (CVSS v3.1 vector indicates AC:L - Low Attack Complexity)
- Attack Vector: Local (CVSS v3.1 vector indicates AV:L - Local Attack Vector)
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- **SIMATIC STEP 7 (TIA Portal) V18:** Update to **V18 Update 2 or later**. (Reference: [https://support.industry.siemens.com/cs/ww/en/view/109817218/](https://support.industry.siemens.com/cs/ww/en/view/109817218/))
- No fixes are currently planned for SIMATIC PCS neo V4.0, or STEP 7/TIA Portal V16 and V17.
### Workarounds
- Avoid opening untrusted files from unknown sources in affected products.
- Apply product-specific remediations/mitigations detailed in the vendor advisory.
- Follow Siemens' General Security Recommendations, including protecting network access to devices according to Siemens' operational guidelines for Industrial Security.
## Detection
- Detection relies on monitoring activity that attempts to trigger deserialization of untrusted input within the affected applications, focusing in particular on processes that handle project files or data streams originating from external or unknown sources.
- Monitoring for unexpected child process execution or resource access attempts originating from the TIA Portal or related services should be prioritized.
## References
- Siemens Advisory SSA-825651: [https://cert-portal.siemens.com/productcert/html/ssa-825651.html](https://cert-portal.siemens.com/productcert/html/ssa-825651.html)
- General Security Recommendations: [https://www.siemens.com/cert/operational-guidelines-industrial-security](https://www.siemens.com/cert/operational-guidelines-industrial-security)
- Siemens Industrial Security Information: [https://www.siemens.com/industrialsecurity](https://www.siemens.com/industrialsecurity)