Full Report
Multiple vulnerabilities were found in SIMATIC WinCC that ultimately could allow local or remote attackers to escalate privileges and read, write or delete critical files. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available. Note: The vulnerability CVE-2021-40359 is part of a shared component (SIMATIC Communication Services - SCS) used by various Siemens products. The installation of a fix version of any product also removes the vulnerability for other products on the same system, even if those products were not updated.
Analysis Summary
# Vulnerability: Multiple Privilege Escalation and Information Disclosure Flaws in SIMATIC WinCC
## CVE Details
- **CVE ID:** CVE-2021-40359
  - **CVSS Score:** 9.9 (Critical)
  - **CWE:** CWE-219 (Storage of File with Sensitive Data Under Web Root)
- **CVE ID:** CVE-2021-40358
  - **CVSS Score:** 7.8 (High)
  - **CWE:** CWE-269 (Improper Privilege Management)
- **CVE ID:** CVE-2021-40364
  - **CVSS Score:** 3.3 (Low)
  - **CWE:** CWE-532 (Insertion of Sensitive Information into Log File)
## Affected Systems
- **Products:** SIMATIC WinCC, OpenPCS 7, SIMATIC BATCH, SIMATIC NET PC Software, SIMATIC PCS 7, SIMATIC Route Control.
- **Versions:**
  - WinCC V7.4, V7.5, V15, V16, V17 (various updates)
  - OpenPCS 7 V8.2, V9.0, V9.1
  - SIMATIC BATCH & Route Control V8.2, V9.0, V9.1
  - SIMATIC NET PC Software V14, V15, V16, V17
- **Configurations:** CVE-2021-40359 affects the **SIMATIC Communication Services (SCS)**, a shared component used across multiple products.
## Vulnerability Description
The primary threat stems from three distinct flaws within the SIMATIC WinCC ecosystem:
1. **CVE-2021-40359:** A critical flaw where sensitive files are stored under the web root with insufficient access control. A remote attacker could potentially read, write, or delete critical files without authentication.
2. **CVE-2021-40358:** A local privilege escalation flaw where the application fails to properly manage privileges, allowing a local user to gain administrative rights.
3. **CVE-2021-40364:** An information disclosure flaw where sensitive technical data is written to log files, which could be accessed by unauthorized users to facilitate further attacks.
## Exploitation
- **Status:** Not exploited in the wild; no public PoC currently identified.
- **Complexity:** Low (CVE-2021-40359) to Medium.
- **Attack Vector:** Network (Remote) for the critical file access flaw; Local for the privilege escalation.
## Impact
- **Confidentiality:** High (Critical files and sensitive log data can be read).
- **Integrity:** High (Critical files can be modified or deleted).
- **Availability:** High (Deletion of critical files can lead to system failure).
## Remediation
### Patches
Siemens has released several updates. Key fix versions include:
- **SIMATIC WinCC:** V7.4 SP1 Upd 19, V7.5 SP2 Upd 4, V15.1 Upd 5, V16 Upd 5, V17 Upd 2.
- **SIMATIC NET PC:** V16 Upd 6, V17 SP1.
- **OpenPCS 7:** V9.0 Upd 4.
- **Note:** Because CVE-2021-40359 resides in a shared component (SCS), installing a fix for *any* affected product on a system will remediate that specific vulnerability for all other Siemens products on that same system.
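
An added example (not Siemens code and not part of the advisory): a Python check that compares the versions installed on one host against the fix versions listed above and applies the shared-component note for CVE-2021-40359. The inventory format, the function names, the status labels and the rule that a missing SP or Upd counts as 0 are assumptions; product names must match the spelling used in the fix list.

```python
import re

# Fix versions from the Patches list above: (product, release line) -> (SP, Upd).
FIXES = {
    ("SIMATIC WinCC", "V7.4"): (1, 19),
    ("SIMATIC WinCC", "V7.5"): (2, 4),
    ("SIMATIC WinCC", "V15.1"): (0, 5),
    ("SIMATIC WinCC", "V16"): (0, 5),
    ("SIMATIC WinCC", "V17"): (0, 2),
    ("SIMATIC NET PC", "V16"): (0, 6),
    ("SIMATIC NET PC", "V17"): (1, 0),
    ("OpenPCS 7", "V9.0"): (0, 4),
}
VERSION_RE = re.compile(r"^(V\d+(?:\.\d+)?)(?:\s+SP\s*(\d+))?(?:\s+Upd\s*(\d+))?$", re.I)

def parse_version(text):
    """Split 'V7.5 SP2 Upd 4' into ('V7.5', (2, 4)); a missing SP or Upd counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1).upper(), (int(m.group(2) or 0), int(m.group(3) or 0))

def assess_host(installed):
    """installed: list of (product, version string) pairs found on one host."""
    products = {}
    for product, version in installed:
        line, level = parse_version(version)
        fix = FIXES.get((product, line))
        if fix is None:
            status = "no-fix-listed"   # not in the list above: rely on the workarounds
        elif level >= fix:
            status = "fixed"
        else:
            status = "needs-update"
        products[f"{product} {version}"] = status
    # Shared-component note: one product at fix level remediates CVE-2021-40359 host-wide.
    scs_fixed = "fixed" in products.values()
    return {"products": products, "cve_2021_40359_remediated": scs_fixed}

# Constructed sample inventory for one station (illustrative, not real data).
SAMPLE_HOST = [
    ("SIMATIC WinCC", "V7.5 SP2 Upd 4"),
    ("SIMATIC NET PC", "V16 Upd 3"),
    ("SIMATIC BATCH", "V9.1"),
]

if __name__ == "__main__":
    print(assess_host(SAMPLE_HOST))
```

A product reported as `needs-update` or `no-fix-listed` still needs its own update or the workarounds, even when the host-level CVE-2021-40359 flag is true.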
### Workarounds
- Protect network access to affected products with appropriate mechanisms (e.g., firewalls, network segmentation).
- Follow the "Operational Guidelines for Industrial Security."
- For CVE-2021-40358: Ensure the local interactive login is restricted to trusted users only.
## Detection
- **Indicators of Compromise:** Monitor for unauthorized file modifications or deletions within WinCC installation directories and web root folders.
- **Detection methods:** Audit system logs for unusual privilege escalation attempts or unauthorized access to SIMATIC Communication Services.
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-840188.pdf
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories
- **Support Links:**
  - hxxps://support.industry.siemens[.]com/cs/ww/en/view/109780528/
  - hxxps://support.industry.siemens[.]com/cs/ww/en/view/109811815/